Re: Firewalls (was Re: IDS evaluations procedures) - AI

[Richard Bejtlich <taosecurity () gmail com>]

On 7/26/05, Swift, David <dswift () ipolicynetworks com> wrote:
> Any single packet or detected IDS event means little by itself, but the
> combination and sequence of events from the same source should allow me
> to increase the threat level of a given source, and correspondingly
> adjust my responses up to the point where I dynamically harden my
> firewall from his source address regardless of what data he's
> transmitting, AND hopefully beginning the automation of forensic
> analysis...

Hello,

A source-centric security posture is only effective against
unsophisticated attackers.  I see only the most immature of intruders
conducting their reconnaissance, exploitation, and so on from the same
source IP or even the same net block.

The only constant in any intrusion is the victim.  Target-centric
security is the only way to have a chance against mildly sophisticated
attackers and beyond.

Sincerely,

Richard
http://www.taosecurity.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------