Firewall Wizards mailing list archives
RE: firewall-wizards digest, Vol 1 #1725 - 9 msgs
From: "Matthew.Harvey () usdoj gov" <Matthew.Harvey () usdoj gov>
Date: Wed, 25 Jan 2006 14:32:24 -0500 (EST)
I'm with Don. I learned my security management in the military, with a focus on physical security. If I ever told someone that we "didn't need" motion detectors or roving guard checks because our access control was THAT good, I don't think I would have lasted too long. Yes, in an ideal world no "bad" traffic can get through a properly configured proxy firewall, BUT the bad guys have imaginations, too! Often better and more evil imaginations than the guys who wrote the protocols and maybe even better than the guy who wrote the proxy (sorry, MJR, but it is possible). It seems to me like the IDS model (I do NOT accept the term "IPS" -- it's a little too confident to me!) that is really being criticized is the model where you have a NIDS sensor outside the firewall, and maybe another on your DMZ backbone and one on your main inside interface to the firewall; this is a common scenario recommended by many vendors. I agree this is pretty silly and (relatively) useless, as it's essentially just backstopping (and front-stopping) the firewall. It's sort of a second firewall or a different logging/analysis device for the traffic traversing the firewall. BUT deploying a NIDS so that it listens in on all internal (and) boundary traffic is useful; it's analogous to the motion detector or roving sentry. Better yet is a HIDS, which is essentially just a real-time log aggregator and analyzer, along with a policy/signature engine for alerting or taking action. I agree, though, that signatures alone (enumerating badness) as a methodology for deciding what is bad traffic are poor. This method must be augmented/replaced with a policy-based analysis that says "alert me about anything that doesn't look like 'X.'" By analogy again, roving guards don't just look for specific bad guys (although if you're smart they are probably briefed on what specific bad guys look like), they are mostly looking for anything that is out of the ordinary.
And again, I think saying, "We don't allow that sort of thing, and therefore I don't need to check whether it's actually HAPPENING or not" is rather willfully blind. Don wrote:
Are we forgetting one of the main reasons I believe IDS are valuable (or was this point made earlier in the thread and I didn't catch it)? Being an old timer, "Defense in Depth" easily comes to mind. Your firewall is a device on the network right? As such, heaven forbid, it might get hacked. What will give you a clue if it does? Maybe an IDS that is specifically tuned to alert on traffic that should never happen? Borrowing from another current thread, let's say hopefully that you do not allow X-windows traffic in from the outside. Of course your firewall would block it and log it, but wouldn't it be nice to know if the firewall ever responded to a SYN with a SYN-ACK? I agree we don't need the IDS to tell us what we should already know from the firewall. And we might not need to know about the newest worm signature from an IDS. But I would sure be interested if I saw responses to any of these "bad" things or these "bad" things outbound. Goes back to "know your traffic." It's tough but it's the only way. Someone a long time ago said think of a firewall as the perimeter alarm and locks, think of IDS as motion detector. I think that is still valid.
Don
"Keep your arms and hands inside the car and enjoy your ride..."
"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." - Gene Spafford
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
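The "alert on traffic that should never happen" idea from Don's post, and Matthew's "alert me about anything that doesn't look like X" policy analysis, as an added worked example. This is not code from the list or from any product discussed; it is a small policy-based detector run over a constructed packet log. It assumes a hypothetical one-line-per-packet format (`src dst sport dport flags`), an internal network of 10.0.0.0/8, and an allowlist policy; all of those are assumptions for the example. The point it shows is the distinction Don draws: a blocked inbound SYN to a denied port is ordinary firewall noise, but a SYN-ACK leaving the network from that port, or a SYN leaving toward a denied service, is a policy violation that should raise an alert regardless of any signature.

```python
"""Policy-based 'should never happen' detector (added example, assumptions noted)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: everything in 10.0.0.0/8 is "inside"; the rest is "outside".
INTERNAL_NET = ip_network("10.0.0.0/8")

# Assumption: the site policy. Anything not listed here is "doesn't look like X".
POLICY = {
    "inbound_allowed_ports": {25, 80, 443},   # services the outside may reach
    "outbound_allowed_ports": {53, 80, 443},  # services the inside may reach
}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" for SYN, "SA" for SYN-ACK


def parse_line(line: str) -> Packet:
    """Parse one record of the constructed format: src dst sport dport flags."""
    src, dst, sport, dport, flags = line.split()
    return Packet(src, dst, int(sport), int(dport), flags)


def direction(p: Packet) -> str:
    """Classify a packet as inbound, outbound, internal or transit."""
    src_in = ip_address(p.src) in INTERNAL_NET
    dst_in = ip_address(p.dst) in INTERNAL_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


def analyze(log_text: str) -> dict:
    """Return alerts for policy violations and a count of expected firewall blocks.

    Expected (no alert): an inbound SYN to a denied port; the firewall is
    supposed to drop it and log it, so the IDS adds nothing by repeating it.
    Alert: a SYN-ACK going *out* from a denied inbound port (something
    answered what should have been blocked), or a SYN going out to a service
    the inside is not allowed to use.
    """
    alerts = []
    expected_blocks = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        d = direction(p)
        is_syn_ack = "S" in p.flags and "A" in p.flags
        is_syn_only = p.flags == "S"

        if d == "inbound" and is_syn_only:
            if p.dport not in POLICY["inbound_allowed_ports"]:
                expected_blocks += 1  # the firewall's job; just count it
        elif d == "outbound" and is_syn_ack:
            # A reply to an inbound connection: the source port is the service.
            if p.sport not in POLICY["inbound_allowed_ports"]:
                alerts.append(("response-to-denied-inbound-service", p.src, p.dst, p.sport))
        elif d == "outbound" and is_syn_only:
            if p.dport not in POLICY["outbound_allowed_ports"]:
                alerts.append(("outbound-to-denied-service", p.src, p.dst, p.dport))
    return {"alerts": alerts, "expected_blocks": expected_blocks}


# Constructed sample log: an allowed web connection, a denied X-windows probe
# that gets answered anyway, and an outbound attempt to X-windows on the outside.
SAMPLE_LOG = """\
198.51.100.7 10.1.2.3 40000 80 S
10.1.2.3 198.51.100.7 80 40000 SA
198.51.100.9 10.1.2.3 40001 6000 S
10.1.2.3 198.51.100.9 6000 40001 SA
10.1.2.4 203.0.113.5 51000 6000 S
10.1.2.4 203.0.113.5 51001 443 S
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("expected firewall blocks:", result["expected_blocks"])
    for kind, src, dst, port in result["alerts"]:
        print(f"ALERT {kind}: {src} -> {dst} port {port}")
```

The allowlist is the whole detection logic: nothing here enumerates badness, so a new worm or an unknown X-windows client is caught the same way as an old one, because the policy says that traffic simply should not exist. Running it on the sample prints one expected block (the denied SYN to port 6000) and two alerts: the SYN-ACK that proves the firewall let port 6000 through, and the outbound SYN to a service the inside is not allowed to reach.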
Current thread:
- RE: firewall-wizards digest, Vol 1 #1725 - 9 msgs Matthew.Harvey () usdoj gov (Jan 25)
- Re: RE: firewall-wizards digest, Vol 1 #1725 - 9 msgs Paul D. Robertson (Jan 25)