IDS mailing list archives

Re: Firewalls (was Re: IDS evaluations procedures)


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 26 Jul 2005 01:01:22 +0530

On 22/07/05 14:32 -0700, Swift, David wrote:
> Right up front, I'll admit I work for a vendor, but...
> 
> 1. There are a growing number of Intrusion Detection/Intrusion Prevention
> Systems that have an integrated firewall.
> 2. IPS is a significant step in the right direction, and does things a
> firewall can't. If you have doubts, try using Firewalker to pinpoint

Only if your "firewall" is a pure packet filter. Why not improve the IPS
to disallow all traffic except that which is found to be legitimate? The
subset of all traffic which is legitimate is far smaller and
deterministic. And then you might as well terminate the connection right
there and build a wholly new one which is known to be good. And then
market it as a proxy?

<snip>
> Oh, and by the way, while you have the data payload open for inspection,
> why not apply intelligent rules to look for malware in the payload? Then
> toss the bad payload packets away with everything else you've already
> filtered with the firewall rules.

I repeat: everything which is not known good is bad. Any security policy
which attempts to enforce otherwise is broken.

Oh well, history repeats itself.

Devdas Bhagat
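
An added illustration of the default-deny point made above (this is example code written for this archive page, not code from the original post or its author): two filters run over a handful of constructed HTTP request lines. The first is a signature blocklist in the IPS style, which lets through anything it has not been told is bad. The second is an allow-list parser in the proxy style, which accepts only requests matching a narrow known-good grammar and rebuilds a fresh request line rather than forwarding the client's bytes. The signatures, the request lines and the path grammar are all assumptions chosen for illustration.

```python
"""Default-deny (allow-list) request filtering vs. signature blocking.

Constructed example: the signatures, grammar and request lines below are
made up for illustration and are not from any real product or capture.
"""
import re

# IPS style: everything not known bad is allowed.
# A short, deliberately incomplete signature list (assumption).
BAD_SIGNATURES = ("../", "..\\", "<script", "cmd.exe")


def blocklist_filter(request_line: str) -> bool:
    """Return True if the request is let through (no known-bad signature)."""
    lowered = request_line.lower()
    return not any(sig in lowered for sig in BAD_SIGNATURES)


# Proxy style: everything not known good is rejected.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# Narrow path grammar (assumption): absolute path, unreserved characters
# only, no empty segments. Percent-encoding and query strings are not in
# the grammar, so they are rejected without needing a signature.
PATH_RE = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]*$")
MAX_PATH_LEN = 256


def rebuild_request(request_line: str):
    """Parse a request line and rebuild a canonical one, or return None.

    The rebuilt line is what the proxy would send on a brand-new connection
    to the backend; nothing from the client is forwarded byte-for-byte.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3:
        return None
    method, path, version = parts
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        return None
    if len(path) > MAX_PATH_LEN or not PATH_RE.match(path):
        return None
    # Dot segments match the character class, so reject them explicitly.
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    return f"{method} {path} {version}"


def allowlist_filter(request_line: str) -> bool:
    """Return True only if the request could be rebuilt as known good."""
    return rebuild_request(request_line) is not None


# Constructed sample traffic (not captured from a real network).
SAMPLE_REQUESTS = {
    "plain_get":         "GET /index.html HTTP/1.1",
    "literal_traversal": "GET /../../etc/passwd HTTP/1.1",
    # Same traversal, percent-encoded: no "../" for the signature to see.
    "encoded_traversal": "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "unknown_method":    "TRACE / HTTP/1.1",
    # Legitimate-looking but outside the grammar: default deny makes the
    # operator extend the allow list rather than the blocklist.
    "query_string":      "GET /search?q=a HTTP/1.1",
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both filters over the samples. Each value is (blocklist, allowlist),
    True meaning the request is let through."""
    return {name: (blocklist_filter(r), allowlist_filter(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (bl, al) in evaluate().items():
        print(f"{name:18s} blocklist={'pass' if bl else 'drop':4s} "
              f"allowlist={'pass' if al else 'drop'}")
```

The encoded traversal and the unknown method both sail through the blocklist, because nobody has added a signature for them yet; the allow-list parser drops them without knowing anything about them, because they are not in the set of things it was told are good. The query-string case shows the cost of that stance: every new legitimate request shape has to be added to the grammar before it will pass.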
