Firewall Wizards mailing list archives

RE: In defense of non standard ports

From: Brian Loe <knobdy () gmail com>
Date: Tue, 24 Jan 2006 21:08:09 -0600

On 1/24/06, Tim Shea <tim () tshea net> wrote:

I've been monitoring this discussion and I have issues with two
assumptions being made.  The first is that all organizations have security
professionals with some pull with management.  Politics plays a big part
and unless you can sell a solution or are hacked sideways nothing will be
done.  This is the frustration of many technical security professionals.

Lets take the above issue  - all tcp ports outbound are open.  Throwing in
an IDS is an quick way to gather appropriate information to help sell to
management that they have a real problem.  Just telling them "all ports
outbound bad" does not work.  In addition - the log output from [insert
whatever firewall here] is either not detailed enough or the volume is so
high that it is not always practical to run analyze on the output.

Second issue I have is that running IDS's takes a lot of time.  That is
bull.  I had a vendor in today that was going off about such nonsense. It
is just like any other service.  You plan, implement, and manage that
service appropriately.  If you are spending all your time updating rules
and keeping things in sync - your problem is not the ids but your
operational processes.

IDS have their place as any other service but saying they are useless or
offering a negative opinion on an organizations internal controls (or lack
of them) does not help that individual solve a problem.


I personally don't see much need for an IDS. Where I am currently
working I have no control of what we use, really, yet anyway, but the
IDS systems have so many never blocks on them, who cares?!

Granted, they're all supposed to be customer IPs., and old IPs are
supposed to be removed, but this is reality and that ain't the way it
happens.

In short, I think IDS systems are often used as a crutch at best and
at worst as a sign that you're "protected" ("See, it saw it." - didn't
block it, naturally, but hey, they're customers!).
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: In defense of non standard ports Behm, Jeffrey L. (Jan 23)
- RE: RE: In defense of non standard ports Bill Royds (Jan 23)
  - Re: RE: In defense of non standard ports Tobias Reckhard (Jan 24)
  - Re: RE: In defense of non standard ports James (Jan 24)
    - Re: RE: In defense of non standard ports ArkanoiD (Jan 24)
    - Re: RE: In defense of non standard ports Chuck Swiger (Jan 24)
    - Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
    - Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
    - Re: RE: In defense of non standard ports Tim Shea (Jan 24)
    - Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
    - Message not available
    - RE: In defense of non standard ports Brian Loe (Jan 24)
    - Message not available
    - Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
    - Re: RE: In defense of non standard ports ArkanoiD (Jan 25)
    - RE: RE: In defense of non standard ports Bill Royds (Jan 24)
- <Possible follow-ups>
- RE: RE: In defense of non standard ports Fetch, Brandon (Jan 23)
- RE: RE: In defense of non standard ports Behm, Jeffrey L. (Jan 24)
  - Re: RE: In defense of non standard ports Karl (Jan 24)