Firewall Wizards mailing list archives

Re: FW: Intrusion Prevention Firewall


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 26 Mar 2002 15:05:07 -0500

franks wrote:

Gary, don't get your hopes up with any product on the market right now.
Unfortunately many vendors may make claims about NIDS/Prevention devices
but the question arises:
How does it make its decision about what GOOD and BAD traffic is? For
instance, OneSecure has this great FLASHY product that neglects to inform
its user that Anomaly detection is VERY fuzzy, and normal traffic is
never NORMAL! This leads to IDSs acting like firewalls that can run
rampant on your network acting like a firewall!

IMHO IDS is young, and not capable of doing smart responsive behavior.
Odds are that if you implement any solution to REACT it will react in
ways you never imagine. This is a sure-fire way to get Management's
attention.

For now security professionals have to accept the thought that Firewalls
are border protection devices (kind of), and IDS is the ugly stepchild
that no one ever pays attention to until something happens.

I understand that. I wouldn't turn it loose to make its own decisions. 
I'll make the decisions on what rules/signatures to turn on based on 
testing and current threats. There is no reason for me to let unicode 
web requests for cmd.exe, wu-ftp buffer overflow exploits, and the 
like into my network. I don't just want to be told about them...I want 
them dropped in the bit bucket before they can do any harm.

In a university environment, locking communications down tightly with 
a firewall is not an option. And we'll no doubt have some vulnerable
computers on the network. I don't want a device that will guarantee
me perfection or security. I just want something that will get rid
of the SANS top ten (well, maybe a little more :) before it crosses
my border. Depending on the attack signature, I don't think that is
unrealistic.

P.S. I appreciate all the good leads I got from everyone. I just
started following up.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe