Re: How should an Internet connection/firewall be designed?

[Dave Piscitello <dave () corecom com>]

This would be a legitimate and perhaps interesting application of an 
external IDS, but automated correlation is still relatively unexplored 
territory. I suspect that few organizations that actually do a CBA 
conclude this is a priority allocation of time, talent and technology.

To your observation about "seeking professional help": I imagine that 
any organization that would insist on such alarms *and* insist that IT 
staff actually investigate/attend would experience sufficiently high 
staff attrition rates to cause them to reconsider.

Carson Gaspar wrote:
> Dave Piscitello wrote:
> > Kaas, David D wrote:
> > > How many companies have an IPS/deep-packet-inspection device between the
> > > firewall and the border router?
> > I honestly don't see a lot of this and unless there's a specific DOS 
> > prevention issue, I don't see a lot of point in policing traffic that I 
> > expect my firewall to block.
>
> Back when I still did security for a living, I was a supporter of having 
> an IDS device between your border router and your external firewall. 
> However it was not for the reasons most folks might think. I wanted the 
> external IDS in logging-only (no alarms) mode, purely for forensic and 
> legal purposes. When we saw something funky on our internal/DMZ nets, we 
> could look at the external logs to see if it was part of an attack pattern.
>
> Of course there is a cost/benefit analysis that has to be done to 
> determine if the data mining is worth the cost of the device.
>
> I agree that anyone who has alarms enabled from an outside-the-firewall 
> IDS probably ought to go see a professional about their paranoia issues...

Attachment: dave.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards