Firewall Wizards mailing list archives
RE: FW appliance comparison - Seeking input for the forum
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 18 Jan 2006 15:27:20 -0500
-----Original Message-----
Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
> Why would you want a signature based IDS at all? They don't work. Period. Enumerating badness is a silly idea.
Sure they do. The premise may be flawed, but the technology works, even if it falls into the "better than nothing" category. They're smoke detectors for a small subset of possible fires. Using one is still better than letting the house burn to the ground each and every time there's a fire.
> Develop a policy that explicitly defines every kind of network traffic that is to be allowed to pass your perimeter. Application X using a "proprietary protocol"? Sorry, not allowed.
See my previous post. Just because you enforce HTTP over TCP/80 with a proxy doesn't mean you're keeping all of the garbage out... or in. Not to mention that there are plenty of standard, known protocols out there (think SQL protocols) that lack a good proxy to manage the actual behavior of the connections that cross them.
> Then use a firewall that only passes what is explicitly allowed and raises an alarm for everything that isn't. *Boom* as Steve Jobs would probably put it. Instant heuristic proactive unknown and future attack aware IDS.
And without packet payload data, those alerts border on useless. Not to mention that the real bad guys are tunneling across the allowed ports while you sleep.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
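The two positions above (a default-deny firewall that alerts on everything not in the allow-list, versus the objection that port-level alerts carry no payload and miss traffic tunneled over allowed ports) can be made concrete with a small policy evaluator. This is an added illustration, not code from either poster or from any product discussed in the thread; the allow-list, the `Flow` record, the `looks_like_http` check and the sample flows are all constructed for the example, and the hosts use documentation address ranges.

```python
from dataclasses import dataclass

# Hypothetical explicit allow-list keyed on (protocol, destination port, direction).
# Anything not listed is denied AND alerted, as the quoted proposal describes.
ALLOW = {
    ("tcp", 80, "out"),   # outbound web (assumed to go through a proxy)
    ("tcp", 443, "out"),  # outbound TLS
    ("udp", 53, "out"),   # outbound DNS
    ("tcp", 25, "in"),    # inbound mail to the relay
}


@dataclass
class Flow:
    """A simplified connection record; payload is the first bytes the client sent."""
    src: str
    dst: str
    proto: str
    dport: int
    direction: str        # "in" or "out" relative to the perimeter
    payload: bytes = b""


# Minimal sanity check on what should be an HTTP request line (constructed list).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes begin with a plausible HTTP method."""
    return payload.startswith(HTTP_METHODS)


def evaluate(flow: Flow, allow=ALLOW, inspect_payload: bool = False):
    """Return (verdict, alert).

    verdict is 'allow' or 'deny'; alert is None or a text message for the
    analyst. With inspect_payload=False this is the pure port/direction policy
    from the quoted proposal; with True it adds one payload check on tcp/80 to
    show what the port-only policy cannot see.
    """
    key = (flow.proto, flow.dport, flow.direction)
    if key not in allow:
        return "deny", (f"policy violation: {flow.proto}/{flow.dport} {flow.direction} "
                        f"{flow.src}->{flow.dst}")
    if (inspect_payload and flow.proto == "tcp" and flow.dport == 80
            and flow.payload and not looks_like_http(flow.payload)):
        # The port is allowed, so the firewall still passes it; only the
        # payload check tells the analyst something is off.
        return "allow", (f"non-HTTP payload on tcp/80 {flow.src}->{flow.dst}: "
                         f"{flow.payload[:8]!r}")
    return "allow", None


def alerts(flows, inspect_payload: bool = False):
    """Collect the alert messages produced for a batch of flows."""
    return [msg for _, msg in (evaluate(f, inspect_payload=inspect_payload) for f in flows) if msg]


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, "out", b"\x16\x03\x01\x00\xc8"),   # TLS hello
    Flow("10.0.0.5", "203.0.113.10", "tcp", 1433, "out"),                            # unlisted port
    Flow("10.0.0.7", "198.51.100.2", "tcp", 80, "out", b"GET / HTTP/1.1\r\n"),       # real HTTP
    Flow("10.0.0.7", "198.51.100.2", "tcp", 80, "out", b"\x00\x00\x00\x2a\x01\x02"),  # not HTTP
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"payload inspection {'on' if mode else 'off'}:")
        for msg in alerts(SAMPLE_FLOWS, inspect_payload=mode):
            print("  ALERT:", msg)
```

Run as-is, the port-only policy raises exactly one alert (the tcp/1433 connection), while the binary blob on tcp/80 sails through silently because its port is on the list; turning on the payload check produces a second alert for that flow, but the verdict is still "allow", which is the gap the reply is pointing at.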