IDS mailing list archives

RE: Hub vs. Tap vs. SpanPort


From: simon.thornton () swift com
Date: Mon, 14 Oct 2002 15:02:24 +0200

Hi Petr,

ST> IDS is connected to the internet side of the firewall.
ST> Hacker uses an exploit (which one is irrelevant) with
ST> the SRC IP address being that of root DNS servers.
.
PR> I always thought that using a stateful firewall gives
PR> an ability to check the state table for entries before
PR> the access list. So queries from internal DNS, being allowed 

You are correct; the catch in this case was that the IDS was connected
BEFORE the firewall, so no filtering took place on the traffic before the
IDS caught it. As the IDS instructed the firewall to block access to
these root nameservers using rules inserted at the beginning of the
rulebase, it effectively overrode any previously implemented rules.

The cases I mentioned were simplified and sanitised to illustrate the
risk of out-of-the-box responses to detected anomalies. If the IDS
solution had been designed properly and care taken to white-list
critical systems then this sort of problem could have been avoided. 

Rgds, 
  

Simon
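
The failure Simon describes, modelled as a first-match firewall rulebase with an IDS auto-response that prepends block rules, alongside the whitelist check that avoids it. This is an added example written for this archive page, not code from the thread or from any IDS or firewall product; the rulebase, the addresses (RFC 5737 documentation ranges standing in for the root nameservers and the attacker) and all function names are constructed for illustration.

```python
"""
Simulated IDS active response against a first-match firewall rulebase.

Added example, not from the original thread.  The rulebase, addresses and
function names are constructed: 192.0.2.0/24 stands in for the root
nameservers, 203.0.113.0/24 for the attacker.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source network the rule matches
    comment: str = ""


@dataclass
class Firewall:
    """First-match rulebase with an implicit default deny at the end."""
    rules: list[Rule] = field(default_factory=list)

    def prepend(self, rule: Rule) -> None:
        # What the IDS did in the thread: insert at the head of the rulebase,
        # so the new rule is evaluated before every existing allow rule.
        self.rules.insert(0, rule)

    def decide(self, src_ip: str) -> str:
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if ip in rule.src:
                return rule.action
        return "deny"


# Constructed stand-in for the root nameservers; the "critical systems"
# that must never be auto-blocked.
CRITICAL_SYSTEMS = [ipaddress.ip_network("192.0.2.0/24")]


def build_firewall() -> Firewall:
    """Constructed rulebase: allow answers from the root nameservers."""
    return Firewall([Rule("allow", ipaddress.ip_network("192.0.2.0/24"),
                          "replies from root nameservers")])


def naive_response(fw: Firewall, src_ip: str) -> bool:
    """Out-of-the-box response: block whatever source the alert names.

    A spoofed source address of a root nameserver therefore turns the IDS
    into a tool for cutting the site off from the root servers.
    """
    fw.prepend(Rule("deny", ipaddress.ip_network(f"{src_ip}/32"),
                    "IDS auto-block"))
    return True


def whitelisted_response(fw: Firewall, src_ip: str,
                         critical: list[ipaddress.IPv4Network]) -> bool:
    """Response with a whitelist of critical systems.

    Returns True if a block rule was inserted, False if the alert was only
    logged because the source lies in a critical network.  Spoofed alerts
    naming the root servers then cannot change the rulebase.
    """
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in critical):
        return False            # log and page a human; never auto-block
    fw.prepend(Rule("deny", ipaddress.ip_network(f"{src_ip}/32"),
                    "IDS auto-block"))
    return True


def simulate() -> dict[str, str]:
    """Run both responses against a spoofed root-server source address."""
    spoofed_src = "192.0.2.10"   # attacker's packets carry this source
    fw_naive = build_firewall()
    naive_response(fw_naive, spoofed_src)
    fw_safe = build_firewall()
    whitelisted_response(fw_safe, spoofed_src, CRITICAL_SYSTEMS)
    return {
        "naive": fw_naive.decide(spoofed_src),        # real root replies now dropped
        "whitelisted": fw_safe.decide(spoofed_src),   # still allowed
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:12s} root-server replies: {verdict}")
```

The whitelist is checked on the alert's source address before any rule is written, which is the only place it can help: once a deny rule sits at the head of a first-match rulebase, nothing below it is consulted, whatever the state table says.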
