Firewall Wizards mailing list archives

to IDS or not to IDS? [Re: FW appliance comparison - Seeking input for the forum]


From: "Matthew.Harvey () usdoj gov" <Matthew.Harvey () usdoj gov>
Date: Wed, 25 Jan 2006 17:21:27 -0500 (EST)

You're making a "straw man" argument -- I haven't heard anyone advocate
using IDS as a first OR only line of defense, nor has anyone on this
list advocated neglecting a good firewall with a good ruleset and
instead spending all one's time on IDS deployment instead (we are
"firewall wizards" after all, right?)

However, I WOULD argue that NO technology is a very good "first and
only" line of defense. The original post that started this discussion
asked "Why would you want an IDS?" You seemed to be arguing that IDS is
useless/unnecessary, and I am arguing that it is a useful and sometimes
necessary adjunct to a good firewall:
1) IDS provides better visibility on traffic internally and at the
network boundaries. I want to monitor what is happening to assure myself
and my bosses/auditors that my perimeter controls are as good as I say
they are.
2) IDS is better than most firewalls at alerting on "unsuccessful"
attacks that "bounce off" of your firewall or get through but pose no
real danger to your systems which are patched, etc. This information is
useful, because I think it is prudent to detect and track or block
persistent attackers; their first attacks may have been futile, but
maybe they'll get smarter. I wouldn't ignore incoming gunfire just
because they seem to keep missing.


On Wed, 25 Jan 2006, paul () compuwar net  wrote:

world no "bad" traffic can get through a properly configured proxy
firewall, BUT the bad guys have imaginations, too! Often better and more
evil imaginations than the guys who wrote the protocols and maybe even
better than the guy who wrote the proxy (sorry, MJR, but it is
possible).

That doesn't change the fact that if you're not doing the basics right
then bells and whistles don't improve your overall security posture as
much as getting the basics right will.

Look at Avishai's study- then tell me that more IDS is the first thing we
need, and do it with a straight face.  Passive IR is a cool technology,
but it sure as heck shouldn't be your first or only line of defense.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
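As an added example (not code from the thread or from either poster), here is a small Python script that does what Matthew's second point describes: it reads constructed, hypothetical firewall DENY and IDS alert lines, counts events per source inside a sliding time window, and flags sources that keep coming back even though their attempts were blocked. The log format, the field names and the thresholds are assumptions; adapt LINE_RE to your own firewall and IDS syslog output.

```python
# Added example, not from the thread: correlate repeated firewall DENY events per source so
# persistent attackers are flagged even when every attempt "bounced off". Constructed log format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2006-01-25T17:01:02 fw DENY src=198.51.100.7 dst=203.0.113.10 dport=22
2006-01-25T17:01:09 fw DENY src=198.51.100.7 dst=203.0.113.10 dport=23
2006-01-25T17:02:40 fw DENY src=198.51.100.7 dst=203.0.113.10 dport=3389
2006-01-25T17:03:15 fw DENY src=192.0.2.55 dst=203.0.113.10 dport=445
2006-01-25T17:04:51 fw DENY src=198.51.100.7 dst=203.0.113.11 dport=22
2006-01-25T17:05:00 ids ALERT src=198.51.100.7 dst=203.0.113.12 sig="SSH brute force attempt"
2006-01-25T18:30:00 fw DENY src=192.0.2.55 dst=203.0.113.10 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>fw|ids) (?P<action>DENY|ALERT) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)

def parse(log_text):
    """Yield (timestamp, sensor, src, dst) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["sensor"], m["src"], m["dst"]

def persistent_sources(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {src: summary} for sources with >= threshold events in any sliding window.
    Blocked attempts count: the signal is repetition, not whether an attempt succeeded."""
    by_src = defaultdict(list)
    for ts, sensor, src, dst in parse(log_text):
        by_src[src].append((ts, sensor, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "events": len(events),
                    "targets": sorted({dst for _, _, dst in events}),
                    # an IDS alert means at least one packet got past the firewall
                    "reached_inside": any(sensor == "ids" for _, sensor, _ in events),
                }
                break
    return flagged
```

Run against the sample, only 198.51.100.7 is flagged: five events across three targets, one of which produced an IDS alert behind the firewall, while 192.0.2.55's two blocked attempts are 87 minutes apart and stay below the threshold.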

