Firewall Wizards mailing list archives
to IDS or not to IDS? [Re: FW appliance comparison - Seeking input for the forum]
From: "Matthew.Harvey () usdoj gov" <Matthew.Harvey () usdoj gov>
Date: Wed, 25 Jan 2006 17:21:27 -0500 (EST)
You're making a "straw man" argument -- I haven't heard anyone advocate using IDS as a first OR only line of defense, nor has anyone on this list advocated neglecting a good firewall with a good ruleset and instead spending all one's time on IDS deployment (we are "firewall wizards" after all, right?). However, I WOULD argue that NO technology is a very good "first and only" line of defense.

The original post that started this discussion asked "Why would you want an IDS?" You seemed to be arguing that IDS is useless/unnecessary, and I am arguing that it is a useful and sometimes necessary adjunct to a good firewall:

1) IDS provides better visibility on traffic internally and at the network boundaries. I want to monitor what is happening to assure myself and my bosses/auditors that my perimeter controls are as good as I say they are.

2) IDS is better than most firewalls at alerting on "unsuccessful" attacks that "bounce off" of your firewall or get through but pose no real danger to your systems which are patched, etc. This information is useful, because I think it is prudent to detect and track or block persistent attackers; their first attacks may have been futile, but maybe they'll get smarter. I wouldn't ignore incoming gunfire just because they seem to keep missing.

On Wed, 25 Jan 2006, paul () compuwar net wrote:
world no "bad" traffic can get through a properly configured proxy firewall, BUT the bad guys have imaginations, too! Often better and more evil imaginations than the guys who wrote the protocols and maybe even better than the guy who wrote the proxy (sorry, MJR, but it is possible).

That doesn't change the fact that if you're not doing the basics right then bells and whistles don't improve your overall security posture as much as getting the basics right will.

Look at Avishai's study - then tell me that more IDS is the first thing we need, and do it with a straight face. Passive IR is a cool technology, but it sure as heck shouldn't be your first or only line of defense.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
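The "incoming gunfire" point above (attacks that the firewall drops, but that reveal a persistent source worth tracking) can be illustrated with a small piece of detection logic. The script below is an added example written for this archive page; it is not code from either poster or from any product mentioned in the thread. It assumes iptables-style DROP lines in syslog, and the sample log lines are constructed here for the example; a real deployment would adapt the regular expression to its own firewall's log format.

```python
"""Added example (not from the thread): flag sources whose connection
attempts are repeatedly dropped by the perimeter firewall.

The log format below is constructed (iptables-style DROP lines); adjust
LINE_RE for a real firewall's syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source probes several ports within minutes
# (and returns later); two other sources appear once each.
SAMPLE_LOG = """\
Jan 25 17:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 25 17:02:10 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=445
Jan 25 17:03:44 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Jan 25 17:05:09 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=1433
Jan 25 17:40:00 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=22
Jan 25 17:41:30 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP DPT=161
"""

# Assumed log shape: "<timestamp> <host> kernel: DROP ... SRC= DST= PROTO= DPT="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_drops(text, year=2006):
    """Parse DROP lines into (timestamp, src, dst, dport) tuples.

    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DROP line in the expected shape; ignore it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events


def persistent_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Return {src: (max_drops_in_window, sorted_ports_hit)} for every source
    with at least `threshold` dropped attempts inside some sliding window.

    A single dropped packet is noise; several in a short window from the
    same source is the "persistent attacker" the post wants to track."""
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_src[src].append((ts, dst, dpt))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window start until it fits within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                ports = {dpt for _, _, dpt in hits[start:end + 1]}
                prev = flagged.get(src)
                if prev is None or count > prev[0]:
                    flagged[src] = (count, sorted(ports))
    return flagged


if __name__ == "__main__":
    for src, (count, ports) in persistent_sources(parse_drops(SAMPLE_LOG)).items():
        print(f"{src}: {count} drops within 10 min, ports {ports}")
```

With the constructed log, only 203.0.113.7 is reported (three drops against three different ports inside ten minutes); the lone drops from the other two addresses stay below the threshold. The output is exactly the kind of evidence the post describes: the firewall did its job, and the log of what it blocked is what tells you someone keeps trying.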