Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 22 Jan 2006 10:33:17 +0530

On 20/01/06 10:00 -0500, Paul D. Robertson wrote:
> On Fri, 20 Jan 2006, sai wrote:
>
> > Ignorance is strength? No way! IDS should help you figure out what is
> > happening on your network and its environs. Unfortunately keeping the
>
> No, your *policy* should *dictate* what's happening on your network and
> its environs.  Your implementation of that policy should enforce it.
>
> If IDS was an audit function, it'd have to be designed to audit against a
> policy, not be AV-on-the-wire.  Lots of people are using IDS as an excuse
> to not iterate or implement policy or protective controls, and that's a
> problem.

Isn't auditing against a policy exactly what an IDS is supposed to do?
It also verifies that your security policy has been implemented
correctly at the firewall(s).

> > IDS updates take time and/or money, plus you have to look at (and
> > understand) the reports (more time and effort).
> > Most people are able to get on with their jobs without knowing what
> > has attacked them, but it's certainly good to know.
>
> Again, this assumes that your policy implementation allows attacks to
> traverse your infrastructure *or* that you're wasting the organization's
> time passing around reports about how many times NIMDA tried to attack
> your Solaris box.

Things change. An IDS helps detect unexpected changes. Again, IMHO, an IDS
also has a host-based component which looks at (ab)normal statistics for
host traffic. A sudden increase or decrease in traffic can be an
interesting event.

For instance, seeing traffic destined to port 25 from an unexpected host
is a good event to trigger IDS events. Even when your firewall blocks
this traffic, the log analysis of firewall logs and DHCP logs should
catch potentially malicious traffic and prompt further investigation.

This was discussed in a thread on the loganalysis mailing list by MJR.

> This is one reason why people with sub-standard security don't get fired
> when there's an event they clearly should have created: "the IDS signature
> didn't detect it" is becoming a bail-out when people really aren't
> implementing good security policies.

Which is _not_ the fault of the tools. Done right, a good firewall and
IDS combination should not need to be updated very often.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
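The port-25 case in Devdas's message (audit firewall logs against the policy, then use DHCP logs to identify the offending host) is illustrated below by an added example that is not part of the original post or thread. The policy, the log lines, the lease records and the `MAIL_RELAYS` set are all constructed for the example; the firewall lines imitate the netfilter LOG format and the lease lines imitate the dnsmasq lease file, but nothing here is taken from a real system.

```python
"""Policy audit over firewall and DHCP logs (constructed example).

Assumed policy: only the hosts in MAIL_RELAYS may originate TCP/25.
Any other source hitting port 25 is a policy deviation whether or not the
firewall dropped it; the DHCP lease tells us which machine (MAC, hostname)
held that address, which is what an investigator needs next.
"""
import re
from collections import defaultdict

# Hosts the (assumed) policy permits to send mail. Constructed address.
MAIL_RELAYS = {"192.0.2.25"}

# Constructed iptables-style log lines (netfilter LOG target field names).
FIREWALL_LOG = """\
Jan 20 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.9 PROTO=TCP SPT=44122 DPT=25 SYN
Jan 20 10:01:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=25 SYN
Jan 20 10:01:06 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.4 PROTO=TCP SPT=51001 DPT=25 SYN
Jan 20 10:02:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.80 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 20 10:03:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.91 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=25 SYN
"""

# Constructed dnsmasq-style lease file: expiry_epoch mac ip hostname client-id
DHCP_LEASES = """\
1137754800 00:11:22:33:44:55 192.0.2.77 laptop-alice *
1137754800 00:11:22:33:44:66 192.0.2.91 printer-3 *
"""

FW_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_firewall(log: str):
    """Yield (src, dst, proto, dport, dropped) for each parseable log line."""
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        yield (m["src"], m["dst"], m["proto"], int(m["dpt"]), "DROP" in line)


def parse_leases(leases: str) -> dict:
    """Map IP -> (mac, hostname) from dnsmasq-style lease lines."""
    table = {}
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            table[parts[2]] = (parts[1], parts[3])
    return table


def audit_smtp_policy(fw_log: str, leases: str, relays=MAIL_RELAYS) -> dict:
    """Return {ip: {mac, hostname, attempts, dropped, dst}} for every source
    that hit TCP/25 without being an approved relay.

    Dropped attempts still count: the firewall enforced the policy, but the
    host deviated from it, and that deviation is the event worth a look.
    """
    lease_table = parse_leases(leases)
    findings = defaultdict(lambda: {"attempts": 0, "dropped": 0, "dst": set()})
    for src, dst, proto, dport, dropped in parse_firewall(fw_log):
        if proto != "TCP" or dport != 25 or src in relays:
            continue  # not SMTP, or an approved relay: within policy
        f = findings[src]
        f["attempts"] += 1
        f["dropped"] += int(dropped)
        f["dst"].add(dst)
        # Join against DHCP so the report names a machine, not just an address.
        f["mac"], f["hostname"] = lease_table.get(src, ("unknown", "unknown"))
    return dict(findings)


if __name__ == "__main__":
    for ip, f in audit_smtp_policy(FIREWALL_LOG, DHCP_LEASES).items():
        print(f"{ip} ({f['hostname']}, {f['mac']}): {f['attempts']} SMTP attempts, "
              f"{f['dropped']} dropped, {len(f['dst'])} distinct destinations")
```

On the constructed input the approved relay is silent, while the two non-relay hosts are reported with their lease identities; the check is driven by the stated policy rather than by an attack signature, which is the distinction the thread is about.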
