Firewall Wizards mailing list archives

Re: DMZ best practices


From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Wed, 20 Jan 1999 13:57:46 -0800

Ah, the reactive firewall model (point 2) - yes, an ID sensor outside the
firewall is necessary for such a configuration, but the usefulness of such
a configuration (as currently shipped by various vendors) is debatable.
Current solutions are highly vulnerable to abuse by a knowledgeable
attacker, but this is not to say that such technology could not be useful. 

Refer to my other post for my thoughts on point 1.  Point 3 should be
addressed by having the ID sensor on the same network as the protected
public servers, not outside the firewall (the data acquisition will be more
reliable) and the communication channel between the IDS and the firewall
will be better protected.

Dom

At 09:40 AM 1/20/99 +0100, Security wrote:
My comments on Dominique Brezinski about Having ID sensors outside the
firewall...

There are three reasons why having ID sensors outside the firewall is
important:

1.     Many people want to know what is happening there. Is the firewall
well configured? Is it very often under attack?
2.     I think the most valuable feature of a well-configured ID system is
the ability to react on an attack or misuse.  For instance, when a portscan
on the firewall is detected, the firewall can block the IP address of the
intruder for a while. 
3.     In case of a DMZ protected by the firewall (3rd NIC), the firewall
will not protect the servers in the DMZ against attacks such as vulnerable CGI
scripts, E-mail-WIZ, etc. An ID system outside the firewall can reconfigure
the firewall or kill the TCP-connection to prevent this.


Arjen Rijpma
PointNet Security Systems.


Dominique Brezinski CISSP                   (206) 898-8254
Secure Computing        http://www.securecomputing.com
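As an added illustration (not code from either poster or from Secure Computing) of the reactive model in point 2 and of the caveat in the reply, here is a small Python model of an IDS-driven firewall block: a portscan from one source address triggers a time-limited block, but addresses the site depends on are never auto-blocked, since a sensor report alone does not prove who sent the packets. The thresholds, the block lifetime and the protected addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds for this illustration (assumptions, not from the thread)
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW = 5.0          # ... within this many seconds counts as a portscan
BLOCK_TTL = 600.0          # "block for a while": seconds a reactive block lasts
# Addresses the firewall must never auto-block (constructed examples: the
# site's own DNS forwarder and its upstream router).
NEVER_BLOCK = {"192.0.2.53", "192.0.2.1"}


class ReactiveFirewall:
    def __init__(self):
        self._ports_seen = defaultdict(list)  # src -> [(timestamp, dport), ...]
        self.blocks = {}                      # src -> expiry timestamp

    def _expire(self, now):
        # Drop blocks whose lifetime has run out, so a block is never permanent
        for src, until in list(self.blocks.items()):
            if until <= now:
                del self.blocks[src]

    def is_blocked(self, src, now):
        self._expire(now)
        return src in self.blocks

    def observe(self, src, dport, now):
        """Feed one packet reported by the ID sensor; return True if it triggered a block."""
        if self.is_blocked(src, now):
            return False
        # Keep only this source's recent (timestamp, port) observations
        seen = [(ts, p) for ts, p in self._ports_seen[src] if now - ts <= SCAN_WINDOW]
        seen.append((now, dport))
        self._ports_seen[src] = seen
        if len({p for _, p in seen}) < SCAN_PORT_THRESHOLD:
            return False
        if src in NEVER_BLOCK:
            # The sensor saw packets claiming this source; that is not proof the
            # host sent them, so refuse to turn the block rule against it.
            return False
        self.blocks[src] = now + BLOCK_TTL
        return True
```

A slow scan spread over more than SCAN_WINDOW seconds never reaches the threshold, which is the trade-off between sensitivity and the risk of blocking legitimate traffic.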


