Firewall Wizards mailing list archives

Re: The devil's in the details


From: David Lang <dlang () diginsite com>
Date: Wed, 14 Jul 1999 09:09:24 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----


1. All traffic to the internet goes through the firewall. 

2. Most of the non-internet traffic hits one of our internal servers. 

This allows us to cover all this traffic with host based systems on the
firewalls and internal servers.

This still has a gap in coverage in that there is no way to prevent an
attack from one desktop to another (i.e. customer service attacking the
CEO's desktop)

As for the performance, etc of running a full IDS system on the firewall.

The performance issue can be dealt with by buying a bigger machine for the
firewall (in our case the bandwidth isn't that high) and the security
issue is a trade-off and a judgement call as to how much you trust the IDS
system. IMHO you _really_ need to be able to trust your IDS system as much
as you do your firewalls or you are wasting your time putting it in.

David Lang

On Wed, 14 Jul 1999, Lance Spitzner wrote:

Date: Wed, 14 Jul 1999 11:49:24 -0400 (EDT)
From: Lance Spitzner <spitzner () dimension net>
To: David Lang <dlang () diginsite com>
Cc: Matt Dunn <matt () electrocentric com>, firewall-wizards () nfr net
Subject: Re: The devil's in the details

On Tue, 13 Jul 1999, David Lang wrote:

-----BEGIN PGP SIGNED MESSAGE-----

I am in a similar situation and decided that the only way to do IDS was to
bite the bullet and put host-based IDS on each of my internal servers.
This will not protect one desktop from being hacked by another, but will
protect my servers (and yes it can get VERY expensive)

You can do simple IDS with your firewall.  Since all traffic goes through
there (assumption), this is a good place to start.  You can't fire up a
serious IDS system, such as NFR or Real Secure, because of performance
and potential security issues (the less on the FW, the better).  However,
you can set up basic FW rules and/or log filters that detect port scans
and network sweeps.  This won't catch everybody, but it is a great place
to start.  If nothing else, show management all the scans/sweeps you
are detecting to validate the need ($$$) for a real IDS system.

I've had great success doing this with FW-1.

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc



"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN4y2Nj7msCGEppcbAQHw8wf+O1/2MfehnxQwolVvNw3N0RhN5+vSs2Im
ZY3CiCOK2CWiWtsfRPTg0E5YudSWe6Z2z+f0dE7Ohiw9GyWsmbIdvAWu37z3LkTI
OM1u1om9SPvrO4ifz5t6ESxKJBbq9d+cpjvKtmLXKsfGAlgOp2iYSDzFEyA0W+4n
jiKcvXy8dfw8OmdC1zb7qH7BhiBVNnp8Vhu+2JAEwGDSGUDregXXDUTIXmzOXSnc
HdrKLtuTn4paeaCeeTCi8RQd8wdcR50bh59Gest4qo1cyWze+mDS8/7e9jmu+hJa
+jpIFEzyiUqt9QIjvKgORtURQd/7xgohgVc3Ydudh4ATbH+M+pLP7g==
=GKht
-----END PGP SIGNATURE-----
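The "log filters that detect port scans and network sweeps" Lance describes can be a short script run over the firewall's drop log. The following is an added example, not code from either poster and not FW-1's own logging or export format: the "timestamp action src dst dport proto" line layout, the documentation-range addresses, and the thresholds of ten distinct ports or ten distinct hosts are all constructed assumptions, to be replaced with whatever your firewall actually emits and whatever your baseline traffic justifies.

```python
"""Basic port-scan / network-sweep detection over firewall drop logs.

Added example, not code from the thread. The log format is a constructed
generic "timestamp action src dst dport proto" line, not Check Point FW-1's
real format; point LINE_RE at whatever your firewall writes.
"""
import re
from collections import defaultdict

# Constructed sample log (no real traffic; addresses are documentation ranges).
SAMPLE_LOG = (
    # one source probes 12 distinct ports on a single server: a port scan
    [f"1999-07-14T09:00:{i:02d} drop 10.0.0.5 192.0.2.10 {p} tcp"
     for i, p in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 139, 143, 443])]
    # one source probes the same port on 12 distinct hosts: a network sweep
    + [f"1999-07-14T09:05:{i:02d} drop 198.51.100.7 192.0.2.{h} 111 tcp"
       for i, h in enumerate(range(20, 32))]
    # accepted traffic, two stray drops and a malformed line: none should alert
    + ["1999-07-14T09:06:00 accept 10.0.0.9 192.0.2.10 80 tcp",
       "1999-07-14T09:06:01 drop 10.0.0.9 192.0.2.10 23 tcp",
       "1999-07-14T09:06:02 drop 10.0.0.9 192.0.2.11 23 tcp",
       "garbage line the parser must skip rather than crash on"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(events, scan_threshold=10, sweep_threshold=10):
    """Return (scans, sweeps) found among dropped packets.

    scan  : one source hits >= scan_threshold distinct ports on one host
    sweep : one source hits one port on >= sweep_threshold distinct hosts
    The thresholds are assumptions; tune them against your own baseline.
    """
    ports_per_pair = defaultdict(set)      # (src, dst)   -> {dport}
    hosts_per_src_port = defaultdict(set)  # (src, dport) -> {dst}
    for e in events:
        if e["action"] != "drop":          # only blocked traffic counts as evidence
            continue
        ports_per_pair[(e["src"], e["dst"])].add(int(e["dport"]))
        hosts_per_src_port[(e["src"], e["dport"])].add(e["dst"])

    scans = sorted(
        [{"src": s, "dst": d, "ports": len(p)}
         for (s, d), p in ports_per_pair.items() if len(p) >= scan_threshold],
        key=lambda r: (r["src"], r["dst"]))
    sweeps = sorted(
        [{"src": s, "dport": int(dp), "hosts": len(h)}
         for (s, dp), h in hosts_per_src_port.items() if len(h) >= sweep_threshold],
        key=lambda r: (r["src"], r["dport"]))
    return scans, sweeps


def report(log_lines, **thresholds):
    """Totals plus findings, the numbers you would show management."""
    events = list(parse(log_lines))
    scans, sweeps = detect(events, **thresholds)
    return {"events": len(events),
            "drops": sum(e["action"] == "drop" for e in events),
            "scans": scans, "sweeps": sweeps}


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print(f"{r['events']} events, {r['drops']} drops")
    for s in r["scans"]:
        print(f"PORT SCAN  {s['src']} -> {s['dst']} ({s['ports']} ports)")
    for s in r["sweeps"]:
        print(f"NET SWEEP  {s['src']} -> port {s['dport']} on {s['hosts']} hosts")
```

The counts are over the whole log; a production filter buckets by time window, and that is exactly where the "won't catch everybody" caveat bites: a scan slow enough to spread across windows, or spread across many decoy source addresses, stays under either threshold. That is the gap the thread says a real IDS is for.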


