Firewall Wizards mailing list archives

Re: The devil's in the details


From: Lance Spitzner <spitzner () dimension net>
Date: Wed, 14 Jul 1999 11:49:24 -0400 (EDT)

On Tue, 13 Jul 1999, David Lang wrote:


> I am in a similar situation and decided that the only way to do IDS was to
> bite the bullet and put host-based IDS on each of my internal servers.
> This will not protect one desktop from being hacked by another, but will
> protect my servers (and yes, it can get VERY expensive).

You can do simple IDS with your firewall.  Since all traffic goes through
there (assumption), this is a good place to start.  You can't fire up a
serious IDS system, such as NFR or Real Secure, because of performance
and potential security issues (the less on the FW, the better).  However,
you can set up basic FW rules and/or log filters that detect port scans
and network sweeps.  This won't catch everybody, but it is a great place
to start.  If nothing else, show management all the scans/sweeps you
are detecting to validate the need ($$$) for a real IDS system.

I've had great success doing this with FW-1.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
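The log-filter approach Lance describes, as an added example that is not part of the original thread and not Check Point FW-1's own tooling: a small script that runs over exported firewall drop logs (off the firewall, keeping with "the less on the FW, the better") and flags port scans (one source probing many ports on one host) and network sweeps (one source probing one port across many hosts). The log line layout "time src dst dport proto action" and the sample lines are constructed for this example; they are not FW-1's real log format, so the regex would need adjusting to whatever your firewall actually exports. The thresholds are likewise arbitrary starting points.

```python
"""Detect port scans and network sweeps in firewall drop logs.

Added example for this thread; not code from the original posts and not
FW-1's own log format.  Assumed (constructed) line layout:
    <HH:MM:SS> <src_ip> <dst_ip> <dst_port> <proto> <action>
"""
import re
from collections import defaultdict

# Constructed sample log: one scanner (203.0.113.7) hitting 8 ports on one
# host, one sweeper (198.51.100.9) hitting port 53 on 8 hosts, a low-volume
# source that should NOT alert, and accepted traffic that must be ignored.
SAMPLE_LOG = """\
11:49:01 203.0.113.7 192.0.2.10 21 tcp drop
11:49:01 203.0.113.7 192.0.2.10 22 tcp drop
11:49:01 203.0.113.7 192.0.2.10 23 tcp drop
11:49:02 203.0.113.7 192.0.2.10 25 tcp drop
11:49:02 203.0.113.7 192.0.2.10 80 tcp drop
11:49:02 203.0.113.7 192.0.2.10 110 tcp drop
11:49:03 203.0.113.7 192.0.2.10 143 tcp drop
11:49:03 203.0.113.7 192.0.2.10 443 tcp drop
11:49:05 198.51.100.9 192.0.2.1 53 udp drop
11:49:05 198.51.100.9 192.0.2.2 53 udp drop
11:49:05 198.51.100.9 192.0.2.3 53 udp drop
11:49:06 198.51.100.9 192.0.2.4 53 udp drop
11:49:06 198.51.100.9 192.0.2.5 53 udp drop
11:49:06 198.51.100.9 192.0.2.6 53 udp drop
11:49:07 198.51.100.9 192.0.2.7 53 udp drop
11:49:07 198.51.100.9 192.0.2.8 53 udp drop
11:49:08 198.51.100.200 192.0.2.10 137 udp drop
11:49:08 198.51.100.200 192.0.2.10 139 tcp drop
11:49:09 192.0.2.50 192.0.2.10 80 tcp accept
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<dport>\d+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<action>drop|reject|accept)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect(log_text, scan_ports=6, sweep_hosts=6):
    """Flag (src, dst, n_ports) port scans and (src, dport, n_hosts) sweeps.

    Only dropped/rejected packets count as evidence: accepted traffic is
    legitimate service use, not probing.  Thresholds are assumed values.
    """
    ports_by_pair = defaultdict(set)   # (src, dst)   -> distinct dst ports
    hosts_by_port = defaultdict(set)   # (src, dport) -> distinct dst hosts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "accept":
            continue
        ports_by_pair[(rec["src"], rec["dst"])].add(rec["dport"])
        hosts_by_port[(rec["src"], rec["dport"])].add(rec["dst"])

    scans = sorted(
        (src, dst, len(ports))
        for (src, dst), ports in ports_by_pair.items()
        if len(ports) >= scan_ports
    )
    sweeps = sorted(
        (src, dport, len(hosts))
        for (src, dport), hosts in hosts_by_port.items()
        if len(hosts) >= sweep_hosts
    )
    return {"port_scans": scans, "sweeps": sweeps}


def report(findings):
    """One human-readable line per finding, e.g. for a summary to management."""
    lines = [f"PORT SCAN  {s} -> {d}  ({n} distinct ports dropped)"
             for s, d, n in findings["port_scans"]]
    lines += [f"SWEEP      {s} -> port {p}  ({n} distinct hosts dropped)"
              for s, p, n in findings["sweeps"]]
    return lines


if __name__ == "__main__":
    for line in report(detect(SAMPLE_LOG)):
        print(line)
```

Two caveats a practitioner would add before trusting this: the counts ignore time, so a patient attacker probing one port an hour never crosses the threshold (bucket by time window to catch fast scans, and keep long-lived per-source state to catch slow ones), and it only sees what the firewall logs, so a rule base that silently drops without logging gives you nothing to filter.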


