IDS mailing list archives

Re: IDS is dead, etc


From: "Sam f. Stover" <sstover () iwc sytexinc com>
Date: Fri, 8 Aug 2003 12:19:21 -0400

A perfectly implemented firewall allows no protocols through for
which there are vulnerable implementations inside. That means it's
impossible to implement a perfect firewall if you're going to allow
Windows users to have internet access. You can come moderately
close, with a hideous amount of work, but you'll still be very
exposed, and an IDS will be critical reinforcement of your flawed
security.

Ok - I'll bite... Are you talking platonic perfect or worldly perfect? If you mean platonic perfect, I'll agree, but given your statement below, I think you mean perfect w/ regard to a properly configured network i.e. possible in the "real" world.

How does this address 0-day attacks on services that weren't previously vulnerable? Granted a strings searching IDS might not help you there, but a true protocol based IDS like NFR might alert you to something that wasn't an issue before you implemented your "perfect" firewall.

I guess my real question is how to keep your firewall perfect? The instant you drop it in place, you'll have to stay ahead of every hacker out there to keep it perfect... And an IDS is a great tool to assist in that pursuit. Maybe I'm picking nits, but I've always thought of an IDS as a great passive device that will always be there to sniff your traffic for when something new pops up...

But given suitable systems configuration, it is possible to have a
perfect firewall, and if you do then an IDS is just an educational
tool, and would probably be most useful in concert with a honeypot.

Also, isn't every IDS implementation an educational tool to some degree?


SfS
____
S.f.Stover
sstover () iwc sytexinc com

