Firewall Wizards mailing list archives
RE: Intrusion Detection Systems, Best of breed?
From: "Ofir Arkin" <ofir () sys-security com>
Date: Tue, 25 Dec 2001 22:39:46 -0000
This might be interesting. According to several criteria we can order the firewall (or some other device) to send the traffic over to another system. I like the concept as MJR also suggested that. We can use some kind of "Dynamical NATing" to convert the original IP Destination Address with the Honeypot IP Address... Can we do this with Open Source?

Another thought, you really need to make it REAL GOOD so it will not be detected easily. Hence, same Stack manipulations and other TCP/IP tricks to make it look nice...

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Lance Spitzner
Sent: Tuesday, 25 December 2001 4:06
To: Talisker
Cc: R. DuFresne; Ofir Arkin; 'ROB SLAUGHTER'; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Detection Systems, Best of breed?

On Mon, 24 Dec 2001, Talisker wrote:
> Ofir is absolutely right (as always) the IDS defence in depth approach is
> best, I steered clear of it in my original post so as not to confuse too
> much, (but NIDS is still the IDS of choice and offers more hits per pound)

heh heh, can't pass this up. Since we are talking about defence in depth, how about the use of honeypot technologies to add to detection? Honeypots have the advantage of reducing false positives while capturing false negatives. Thoughts?

lance

> is extremely valuable but needs more TLC than a NIDS, (hmm depending upon
> how much control you have over how the host monitored is configured) AIDS
> are also a very nice tool the main HIDS I have played with has it built in,
> with some heuristics thrown in for good measure. When looking to deploy
> HIDS and NIDS it's worth considering Hybrid IDS which combine the 2 at host
> level, though there are very few products offering this. A very important
> consideration these days is Network Node IDS which is basically a central
> reporting personal firewall. The USAF have reportedly just purchased 500,000
> of them for their desktops. To reduce cost I would suggest only placing
> these on servers.
>
> Ron said, "They tend to be noisy little beasts, that send out false alarms
> and positives till your security staff goes numb" I agree but I still like
> to see a NIDS outside the firewall, not necessarily to react to, but for
> stats to spot changing trends and also for the security staff to see the
> threat. Though given an "either or" choice I'd always opt for inside the
> firewall.
>
> Marcus said about HIDS "(what happens when the underlying O/S crashes from
> a DOS attack?)" then you can bring in a network management tool that pings
> your critical devices periodically, once again it's just another piece of
> information in that defence in depth scenario. NOTE I'm still not
> advocating SNMP <v3
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
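Added example, not code from this thread or from any product it mentions: a small Python model of the "dynamic NATing" to a honeypot that Ofir describes, done the way a Linux netfilter DNAT rule plus conntrack would do it. Addresses, ports and the policy callback are constructed for the demonstration; the TCP checksum is left untouched, which a real NAT engine would also have to fix.

```python
import struct
import ipaddress

def ipv4_checksum(header: bytes) -> int:
    # RFC 1071 one's-complement sum over the header, with the checksum field treated as zero
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header[:10] + b"\0\0" + header[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src, dst, sport, dport, payload=b"") -> bytes:
    # Constructed IPv4 + TCP-style packet (protocol 6, no IP options) for local testing only
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(payload), 0, 0, 64, 6, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HH", sport, dport) + payload

def parse(pkt: bytes):
    # -> (src_ip, dst_ip, src_port, dst_port); TCP/UDP ports sit right after the IP header
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), sport, dport

def rewrite(pkt: bytes, src=None, dst=None) -> bytes:
    # Copy of pkt with src and/or dst replaced and the IP header checksum recomputed
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if src: hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst: hdr[16:20] = ipaddress.IPv4Address(dst).packed
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

class HoneypotDNAT:
    # DNAT plus conntrack: flagged flows go to the honeypot, replies are un-NATed so the
    # source keeps seeing the address it originally targeted (the "make it look nice" part)
    def __init__(self, honeypot_ip, is_suspicious):
        self.honeypot = honeypot_ip
        self.is_suspicious = is_suspicious  # policy callback: (src_ip, dst_ip, dst_port) -> bool
        self.conntrack = {}  # (remote_ip, remote_port, dst_port) -> original dst_ip
    def inbound(self, pkt: bytes) -> bytes:
        src, dst, sport, dport = parse(pkt)
        key = (src, sport, dport)
        if key in self.conntrack or self.is_suspicious(src, dst, dport):
            self.conntrack.setdefault(key, dst)  # once flagged, the whole flow stays redirected
            return rewrite(pkt, dst=self.honeypot)
        return pkt
    def outbound(self, pkt: bytes) -> bytes:
        src, dst, sport, dport = parse(pkt)
        orig = self.conntrack.get((dst, dport, sport))  # a reply carries the ports swapped
        if src == self.honeypot and orig:
            return rewrite(pkt, src=orig)
        return pkt
```

The IP header checksum is recomputed on every rewrite because the address fields it covers change; the TCP/UDP checksum covers a pseudo-header with the same addresses and would need the same treatment on real traffic.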