Firewall Wizards mailing list archives
The value of detecting neutralized threats. (was RE: IDS blah blah)
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Thu, 21 Jan 1999 22:40:52 PST
There are two reasons for trying to detect traffic and breaches with IDS that you have previously taken steps to prevent. (In answer to the question "why should we watch for netbios traffic if we have already firewalled those ports?")

1. The existence of network scans, petty DoS attempts, and lame netbios attacks can be one of two things - some teenager getting their kicks, or a sophisticated attacker using these probes as a precursor to a more sophisticated (and successful, perhaps) attack. Do not kid yourselves and think that well funded attackers do not at least try the front door once or twice before bringing out the big guns. If you have sensitive and valuable data to protect, you are doing yourself a disservice by not making an effort to look for traffic that should theoretically not exist on the network. By discovering these precursors to what might be a more sophisticated attack, action can be taken to prevent its escalation.

2. Let's say you do block all traffic to and from a service. At this point, some members of the list seem to be content with sitting back and basking in the knowledge that "it can't be in our network, by god we firewalled it". Don't you think the most important time to know if there are strange packets floating around is _after_ you made an attempt to prevent their existence??? I mean, before you firewall, there is an excuse for weird packets and requests to be bouncing around - it seems to me that that would be the time to not be concerned. The time to be concerned about, for instance, netbios traffic, would be after you had taken steps to prevent netbios traffic on the network. Wouldn't you be a bit concerned that this traffic exists, even though you supposedly blocked it? Wouldn't you like to know right away if these packets and requests suddenly existed on your network?

Or are you so confident in your ability to work firewalls that you cannot conceive of an instance in which traffic and requests that you attempted to block might end up on the network at a later date? THESE are the reasons you add an Intrusion Detection System that not only looks for threats that cannot be effectively neutralized, but also looks for threats that have already been neutralized.

I should point out, in response to certain critics, that you probably do not need to employ mechanisms such as this if you do not have information and services to protect that outweigh the costs of implementing and supporting these systems. I, for instance, do, and I will note that I am not part of the military-industrial-government complex. I imagine there are many others on the list that may not be in the military or part of the government, but have services and information of such value that these measures would be cost-effective. You will note that a system that can do what is described above can be built for less than $10,000.

If you do not have the necessity or the means to implement these procedures, and do not find them relevant for the small networks you run, well, at least you are gaining experience and knowledge for a future date when you do. That is, after all, why we participate on lists such as this.

kozubik

- John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
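The post argues for alerting on traffic a firewall is supposed to have stopped. The following is an added example, not the author's code or any product mentioned in the thread: a small monitor that checks constructed flow records against an assumed policy (NetBIOS on 137/138 UDP and 139 TCP blocked at the perimeter, internal space assumed to be 10.0.0.0/8) and reports every perimeter-crossing flow to a blocked service, while ignoring the same ports used purely inside the LAN.

```python
"""Flag traffic that a firewall policy says should not exist on the network.

Added example in the spirit of the post above, not code from the original
message. A hit here is interesting precisely *because* the service is
blocked: it points at a firewall misconfiguration, a bypass path, or a
sensor placed where the policy does not apply.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed perimeter policy: NetBIOS name, datagram and session services are blocked.
BLOCKED_SERVICES = {
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn",
}
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def crosses_perimeter(flow: Flow) -> bool:
    """True when exactly one endpoint is internal, i.e. the firewall should have seen it."""
    return (ip_address(flow.src) in INTERNAL) != (ip_address(flow.dst) in INTERNAL)


def policy_violations(flows):
    """Return (flow, service) for each perimeter-crossing flow to a blocked service."""
    hits = []
    for f in flows:
        svc = BLOCKED_SERVICES.get((f.proto, f.dport))
        if svc and crosses_perimeter(f):
            hits.append((f, svc))
    return hits


# Constructed sample flows, as a sensor behind the firewall might export them.
SAMPLE_FLOWS = [
    Flow("tcp", "192.0.2.10", "10.1.2.3", 139),    # outside -> inside NetBIOS: should be impossible
    Flow("udp", "10.1.2.3", "10.1.2.255", 137),    # inside -> inside broadcast: normal LAN chatter
    Flow("tcp", "10.1.2.3", "198.51.100.7", 139),  # inside -> outside NetBIOS: egress block failed?
    Flow("tcp", "192.0.2.10", "10.1.2.3", 80),     # ordinary web traffic, not in scope
]

if __name__ == "__main__":
    for flow, svc in policy_violations(SAMPLE_FLOWS):
        print(f"ALERT blocked service {svc} seen: {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}")
```

Run against the sample data it reports only the two perimeter-crossing NetBIOS flows, which is the "traffic that should theoretically not exist" the post wants to hear about first.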