Firewall Wizards mailing list archives

Re: IDS data collection _outside_ of a firewall


From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Wed, 20 Jan 1999 13:47:40 -0800

At 10:33 PM 1/19/99 -0800, John Kozubik wrote:
> Also, the comment on having ID sensors outside the firewall is also
> equally flawed.

I must respectfully disagree.

> Please refer to:
>
> http://www.nswc.navy.mil/ISSEC/CID/

Notice the source of this information - DoD.  As I mentioned in my post,
the only organizations that have the resources necessary to implement
cyber threat detection (notice I did not use the term "intrusion
detection," because ID outside the firewall will alert you of threats you
may already be stopping at the firewall, whereas ID inside the firewall
will alert you of actual intrusions) are DoD.  Very few commercial
companies (I have heard that a few very large and profitable technology
companies do have counter-intel groups, but so far no references are
verifiable) have the resources or expertise to respond to threats that
don't lead to actual intrusions.  The sentence following the quoted
sentence stated this.


> for a detailed explanation on two tried and true methods of IDS -
> Network Flight Recorder, and the STEP system.  Both methods call for the
> data collection portion of the IDS to sit outside of the firewall, in
> the DMZ.

Because that customer is military (reason stated later).

> It should be quite clear to anyone familiar with the subject of IDS that
> the collection station is _necessarily_ outside of the firewall.

If, and only if, the organization has the resources to analyze the detected
threats (not intrusions) and use the information appropriately.  An
overwhelming number of commercial companies do not.  For instance,
analyzing the data to determine if competitors are actively attempting to
gather information from your computer systems and making that analysis
available to senior management (competitive intelligence and
counter-intelligence operations) would be an appropriate use of external ID
sensors.  Network ID does not actually inform one of intrusions, rather
just the potential of intrusion, so it is best for this kind of data
gathering. Very few US companies have competitive intelligence groups, and
even fewer have counter-intelligence groups.  Now, I could be wrong in my
estimations of how many companies have these capabilities, but my
experiences do not lead me to believe that is the case.  However, I am looking
for verifiable data to the contrary.

> For instance, it would be somewhat difficult to detect netbios scans if
> you are watching with a machine that is inside a firewall that is
> blocking 135, 137, etc. (you are blocking those, aren't you? :)

So, who cares if NetBIOS scans are occurring if the firewall or perimeter
router is blocking them?  Is your organization really going to dedicate the
resources to responding to a neutralized threat?  What are the benefits to
responding?  With a well developed intelligence capability such information
could be useful, but such capabilities are very rare outside of the DoD or
equivalents.


Dominique Brezinski CISSP                   (206) 898-8254
Secure Computing        http://www.securecomputing.com
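The distinction the thread turns on (an outside sensor reports threats, an inside sensor reports what actually crossed the firewall) can be made concrete by correlating the two. The script below is an added example, not code from either poster, NFR or STEP; the log lines, the simplified "timestamp src dst dport" record format and the blocked-port list are all constructed for illustration.

```python
# Constructed sample records (simplified "timestamp src dst dport"; not a real sensor's format).
OUTSIDE_LOG = """
# hypothetical sensor on the DMZ side of the firewall
1999-01-20T13:40:01 203.0.113.7 192.0.2.10 139
1999-01-20T13:40:02 203.0.113.7 192.0.2.11 139
1999-01-20T13:40:03 203.0.113.7 192.0.2.10 135
1999-01-20T13:41:10 198.51.100.4 192.0.2.20 80
1999-01-20T13:42:00 198.51.100.9 192.0.2.20 25
"""
INSIDE_LOG = """
# hypothetical sensor behind the firewall
1999-01-20T13:41:10 198.51.100.4 192.0.2.20 80
"""
# Ports the hypothetical perimeter policy drops (the NetBIOS ports from the thread).
BLOCKED_PORTS = {135, 137, 138, 139}
def parse(text):
    """Reduce the log to a set of (src, dst, dport) flows; timestamps are not needed."""
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport = line.split()
        flows.add((src, dst, int(dport)))
    return flows

def correlate(outside, inside, blocked_ports):
    """Bucket outside-sensor flows by whether the inside sensor also saw them."""
    neutralized, passed, unexplained = set(), set(), set()
    for flow in outside:
        if flow in inside:
            passed.add(flow)            # crossed the firewall: a real intrusion attempt
        elif flow[2] in blocked_ports:
            neutralized.add(flow)       # policy drops it: a threat, not an intrusion
        else:
            unexplained.add(flow)       # allowed port yet unseen inside: check sensors
    passed |= inside - outside          # inside-only flows: the outer sensor missed them
    return neutralized, passed, unexplained

def scanners(flows, min_hosts=2):
    """Sources that touched at least min_hosts distinct targets within one bucket."""
    hosts = {}
    for src, dst, _ in flows:
        hosts.setdefault(src, set()).add(dst)
    return {src for src, dsts in hosts.items() if len(dsts) >= min_hosts}
def report():
    n, p, u = correlate(parse(OUTSIDE_LOG), parse(INSIDE_LOG), BLOCKED_PORTS)
    return {"neutralized": n, "passed": p, "unexplained": u, "scanners": scanners(n)}
if __name__ == "__main__": print(report())
```

With the sample data the NetBIOS sweep lands in "neutralized" (seen only outside, on ports the policy drops), the port 80 flow in "passed", and the port 25 flow in "unexplained", which is the bucket that tells you either a sensor or the firewall is not doing what you think.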
