Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Crispin Cowan <crispin () wirex com>
Date: Thu, 04 Apr 2002 13:30:57 -0800

Vern Paxson wrote:

But beware: as soon as you hook your IDS to an access control mechanism, so that when the IDS detects something it closes off access, what you have just done is build a flaky access control policy. If you thought the costs of managing IDSs were high, wait until you try this :)

The counterpoint: this can be very powerful, depending on your IDS.  At LBL,
Bro drops various forms of hostile activity automatically, and we find that
it makes a *big* difference in lowering the break-in rate (which we know
because we see how the rate goes up when the reactive system is turned off).

Interesting! I certainly believe that it would lower the attack rate; but so would unplugging the network cable :) The key question is the false positive rate. Is it the case that your Bro IDS scripts are not generating false positives? Or that your users don't mind so much if a legitimate session gets killed? Or a compromise, where the proactive session-killing is only connected to IDS scripts that have particularly low false positives?

Thanks,
   Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
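The compromise Crispin asks about (wiring session-killing only to detections with particularly low false-positive rates) can be written down as an explicit policy between the IDS and the firewall. The following is an added example, not code from this thread or from Bro; the alert classes, false-positive rates, protected ranges and sample alerts are constructed assumptions.

```python
# Reactive blocking with a false-positive budget: only alert classes whose
# measured false-positive rate is low may auto-block, protected addresses are
# never blocked, and every block expires so a mistake heals itself.
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

@dataclass(frozen=True)
class Alert:
    ts: datetime   # when the IDS raised the alert
    src: str       # source address the IDS attributes the activity to
    kind: str      # IDS alert class (constructed names, not Bro notice types)

# Estimated false-positive rate per alert class (constructed; measure your own).
FP_RATE = {"ssh_bruteforce": 0.001, "known_exploit_signature": 0.002,
           "port_scan": 0.05, "anomalous_payload": 0.30}
MAX_FP_RATE = 0.01              # classes above this only go to the review queue
BLOCK_TTL = timedelta(hours=2)  # automatic blocks are always time-limited
# Addresses that must never be auto-blocked (gateway, DNS, monitoring; constructed).
PROTECTED = [ipaddress.ip_network("10.0.0.0/24"),
             ipaddress.ip_network("192.0.2.53/32")]

def is_protected(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED)

def decide(alerts, now):
    """Return (blocks, review): blocks maps address -> expiry for the firewall,
    review holds alerts a human must look at; nothing in review kills a session."""
    blocks, review = {}, []
    for a in alerts:
        if FP_RATE.get(a.kind, 1.0) > MAX_FP_RATE or is_protected(a.src):
            review.append(a)
            continue
        expiry = a.ts + BLOCK_TTL
        if expiry > now:                      # stale alerts never create blocks
            blocks[a.src] = max(blocks.get(a.src, expiry), expiry)
    return blocks, review

# Constructed sample alerts, evaluated at a fixed "now".
NOW = datetime(2002, 4, 4, 13, 30)
SAMPLE = [
    Alert(NOW - timedelta(minutes=5), "203.0.113.7", "ssh_bruteforce"),
    Alert(NOW - timedelta(minutes=3), "203.0.113.9", "anomalous_payload"),
    Alert(NOW - timedelta(minutes=2), "10.0.0.5", "ssh_bruteforce"),
    Alert(NOW - timedelta(hours=3), "198.51.100.4", "known_exploit_signature"),
]

def run_sample():
    return decide(SAMPLE, NOW)
```

Running `run_sample()` blocks only 203.0.113.7; the anomalous-payload hit and the alert against a protected address land in the review queue, and the three-hour-old alert produces no block at all.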


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards