IDS mailing list archives

RE: Need help to choose a security policy


From: "CEDRIC CASSIN " <anginapectoris () caramail com>
Date: Fri, 07 May 2004 12:05:52 GMT

Thank you for your quick response.

Here is a quick summary of the devices my company uses.
IDS : ISS RealSecure (HIDS and NIDS) and Cisco 4235 (NIDS)
Firewall : Cisco PIX 525 or Check Point
These are normally robust devices.
 
< I don't think that trying to match your firewall accept rules is
< precisely the best move. Better configure only rules relevant to your
< architecture (for example, you might have only one type of web server,
< so disable all rules that deal with attacks to other types of web
< servers you don't have).

It seems to correspond with my point of view. For example, I see that SMTP traffic is allowed, I look for all the
signatures that check attacks through this service and then make my choice among these signatures depending
on my network architecture (OS, software etc.). This will fit my needs and decrease logs. Am I right?

BUT... for example, I have a lot of alerts for SQL Slammer worms but there is no accept rule on the firewall. So I
know that the firewall will block them. It's evidence for me that I shouldn't pay attention to this attack. This
attack will not get into the internal network, but is it interesting to keep track of this as information about
possible intruders?
Should it be considered as noise like scans and so on? (too much data to be manageable) Is it simply a scan
attack, so not necessarily against us and not really relevant?


< Last but not least, if your IDS allows you to create custom rules,

I guess it's possible.

< then
< you should consider creating some that verify policy compliance. Should
< your corporate web server start ftp connections to workstations in your
< internal network? If not then you might as well forbid all these
< "suspicious" activities. Much better if you can apply positive logic in
< these rules (like in firewalls), for example, in snort you could create
< 'pass' rules for that which is allowed and then create some general
< 'alert' rules that will trigger when activity other than that permitted
< is detected. This will take you time and increase your rule database,
< but these are the kind of rules that when you see them on your report
< you know that there is something very bad going on, they don't get obsolete
< so fast and they help catching unknown/new attacks, viruses/worms and
< the like (so they are worth implementing for critical servers).

It is a different way of tuning an IDS: not only matching signatures with attacks but also analysing normal and
abnormal behaviour in the traffic. Am I right? I read some stuff about that. It seems to be quite hard. I don't
know if our IDSs handle this but I know that I can tune them with some Snort-like rules.


< hope this helps.
Thank you very much.

Regards,

Cedric Cassin
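The "positive logic" rule set described in the quoted reply, written out as Snort 2.x rules for the web-server case it mentions (a corporate web server that must answer HTTP/HTTPS but should never open FTP connections to internal workstations). This is an added example and not from the thread or either correspondent; the network variables, addresses and sid numbers are assumed placeholders, and whether ISS RealSecure or the Cisco 4235 sensor accept this syntax is something to check against those products, since the rules below are plain Snort.

```snort
# Added example (not from the thread). Network variables and addresses are
# placeholders to be adapted to the real snort.conf.
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var WEB_SERVERS 10.1.1.10
var DNS_SERVERS 10.1.1.53
var WORKSTATIONS 10.2.0.0/16

# Snort 2 evaluates alert rules before pass rules by default, so a pass rule
# would never win. Change the order (equivalent to starting snort with -o).
config order: pass alert log

# ---- what is allowed (positive logic, like a firewall accept list) -------
# Inbound web from anywhere: the client side of the connection is to_server.
pass tcp $EXTERNAL_NET any -> $WEB_SERVERS [80,443] (msg:"POLICY allowed inbound web"; flow:to_server,established; sid:1000001; rev:1;)
# The only connections the web server itself may initiate: DNS lookups.
pass udp $WEB_SERVERS any -> $DNS_SERVERS 53 (msg:"POLICY allowed web server DNS (udp)"; sid:1000002; rev:1;)
pass tcp $WEB_SERVERS any -> $DNS_SERVERS 53 (msg:"POLICY allowed web server DNS (tcp)"; flow:to_server,established; sid:1000003; rev:1;)

# ---- the specific case from the reply: web server -> workstation FTP -----
alert tcp $WEB_SERVERS any -> $WORKSTATIONS 21 (msg:"POLICY web server opened FTP control connection to a workstation"; flow:to_server,established; classtype:policy-violation; priority:1; sid:1000009; rev:1;)

# ---- the general catch-all: anything else the web server initiates -------
# flow:to_server means the web server is the client, so its normal replies to
# HTTP clients (which are to_client) do not match these rules.
alert tcp $WEB_SERVERS any -> any any (msg:"POLICY web server initiated unexpected TCP connection"; flow:to_server,established; classtype:policy-violation; sid:1000010; rev:1;)
alert udp $WEB_SERVERS any -> any any (msg:"POLICY web server sent unexpected UDP"; classtype:policy-violation; sid:1000011; rev:1;)
```

The pass rules enumerate the server's legitimate behaviour and the two alert rules fire on everything else it initiates, which is why such alerts stay meaningful as the signature database ages: they describe the server's intended role rather than a particular attack. The specific FTP rule is redundant with the catch-all but carries a higher priority so that the case the reply singles out stands out on the report.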


