Firewall Wizards mailing list archives

Re: Intrusion Detection


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 20 Apr 1998 18:29:10 -0400

Mark Horn [ Net Ops ] wrote:
> Can't this be done with two firewalls in series?  Both firewalls would
> have the same rule set, with one exception.  The outer firewall has a
> default deny rule that simply drops stuff.  The inner firewall has a
> default deny rule that drops stuff and sets off an alarm to the
> administrators.  If the administrators ever get an alarm from the inner
> firewall, they know that the outer firewall is permitting things it
> shouldn't, or that the rulesets are out of sync.  This could even be done,
> crudely, with a router as the outer firewall.

That sounds like it'd work great. Several times I've suggested
that folks do exactly that kind of thing, usually relying on
screening/logging on routers behind the firewall, to detect apparent
policy mismatches between what the firewall should be allowing and
what it is allowing.

> This is not, by any means, perfect.  But isn't this a rudimentary policy
> based IDS?

Sure is!!!

Based on some discussions I've had offline I'm going to stop using
the "policy" word around IDS' and call them "burglar alarms" instead.
It really *IS* a burglar alarm model: you know what shouldn't happen
and you look for and alarm for it. That's much more of a true "intrusion
detection" than an "attack detection" because the burglar alarm will
not fire unless there's a clear violation of what you expect to be
seeing.

The effectiveness of burglar alarms will be bounded at the top end
by the user's ability to clearly state what should and should not
be going on within their network.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
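The two-firewalls-in-series arrangement discussed in this thread, modelled as an added example (this is not code from the post, from NFR, or from any real firewall product). Every rule, address and packet below is constructed for illustration. The outer firewall drops unmatched traffic silently; the inner one, holding the same ruleset, drops unmatched traffic and records an alarm. Because nothing that reaches the inner default-deny should have passed the outer firewall, an alarm is a pure burglar-alarm signal: either the outer ruleset has drifted or it is misbehaving. A small offline diff of the two rulesets is included as the complementary check.

```python
"""Two firewalls in series with identical rulesets: the outer one drops silently,
the inner one drops and raises an alarm. Any inner alarm means the outer firewall
passed something policy says it should not, or the rulesets are out of sync.
Illustrative model only; all rules, hosts and traffic here are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Firewall:
    name: str
    rules: list
    alarm_on_default_deny: bool = False   # the one difference between outer and inner
    alarms: list = field(default_factory=list)

    def filter(self, p: Packet) -> bool:
        """First-match evaluation; an unmatched packet hits the implicit default deny."""
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        if self.alarm_on_default_deny:
            self.alarms.append(p)   # burglar alarm: this packet should never have arrived
        return False


# Constructed site policy (RFC 5737 documentation addresses).
POLICY = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=25),   # mail relay
    Rule("allow", dst="192.0.2.20/32", proto="tcp", dport=80),   # public web server
    Rule("deny", dst="192.0.2.0/24", proto="tcp", dport=23),     # explicit deny of telnet
]

# Constructed traffic sample.
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),    # permitted mail
    Packet("198.51.100.7", "192.0.2.20", "tcp", 80),    # permitted web
    Packet("198.51.100.7", "192.0.2.20", "tcp", 23),    # hits the explicit deny
    Packet("198.51.100.7", "192.0.2.30", "udp", 161),   # matches nothing: default deny
]


def run_series(outer: Firewall, inner: Firewall, traffic):
    """Pass each packet through outer then inner; return the packets that get inside."""
    return [p for p in traffic if outer.filter(p) and inner.filter(p)]


def check_for_drift(outer_rules, inner_rules):
    """Offline consistency check: rules present on one firewall but not the other."""
    return {"only_outer": [r for r in outer_rules if r not in inner_rules],
            "only_inner": [r for r in inner_rules if r not in outer_rules]}


def scenario_in_sync():
    """Both firewalls carry POLICY: two packets delivered, no alarms."""
    outer = Firewall("outer", list(POLICY))
    inner = Firewall("inner", list(POLICY), alarm_on_default_deny=True)
    delivered = run_series(outer, inner, TRAFFIC)
    return len(delivered), len(inner.alarms)


def scenario_outer_drifted():
    """A broad UDP allow was added to the outer firewall only (constructed mistake).
    The stray SNMP packet now reaches the inner default deny and trips the alarm."""
    drifted = [Rule("allow", dst="192.0.2.0/24", proto="udp")] + list(POLICY)
    outer = Firewall("outer", drifted)
    inner = Firewall("inner", list(POLICY), alarm_on_default_deny=True)
    delivered = run_series(outer, inner, TRAFFIC)
    return len(delivered), [(p.dst, p.proto, p.dport) for p in inner.alarms]


if __name__ == "__main__":
    print("in sync:", scenario_in_sync())
    print("outer drifted:", scenario_outer_drifted())
    print("ruleset diff:", check_for_drift(
        [Rule("allow", dst="192.0.2.0/24", proto="udp")] + list(POLICY), list(POLICY)))
```

In the in-sync case the inner firewall never sees a packet it has to drop, so its alarm list stays empty; that silence is what makes any later alarm meaningful. Note that a hit on an explicit deny at the inner firewall is just as anomalous as a hit on its default deny when the rulesets are identical, so in practice the alarm condition can be widened to every drop at the inner box. The ruleset diff catches drift before traffic does, which matters because the alarm only fires when a packet that exploits the drift actually arrives.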
