IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: Damiano Bolzoni <damiano.bolzoni () utwente nl>
Date: Tue, 28 Oct 2008 16:04:11 +0100

Omar Herrera wrote:

The reason why white listing doesn't work is not because it is overly
complex but because it requires us to do things properly starting from
the way we do business and design our systems and applications. It does
take time and requires that we know our assets and business functions to
set permissions,.

IMHO here you're making a quite strong (and wrong) assumption: you
assume that software will always work as you expect it to do. Should
that be the case, you would be able to predict everything and the
whitelist approach would work.
Unfortunately, in 35 years of C programming, people haven't learnt yet
how to avoid buffer overflows (this example applies to any other
vulnerability you like).
Yes, the whole intrusion detection (and prevention in particular) game
is "just" a big attempt to "patch" bugged systems...clearly, this
patching process cannot be perfect (and never will).

Cheers

-- 
Damiano Bolzoni

damiano.bolzoni () utwente nl
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: damiano.bolzoni () utwente nl

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4892477
Mobile +31 629 008724
ZILVERLING building, room 3013
