Firewall Wizards mailing list archives
Re: IDS outside of firewall?
From: Henry Hertz Hobbit <hhhobbit () icarus weber edu>
Date: Tue, 4 Aug 1998 17:10:23 -0600 (MDT)
On Mon, 3 Aug 1998, Woody Weaver wrote:
<little snip>. I do not believe that for "most organizations" an IDS would detect lots of probes every day. In any event, it can provide an estimate of the threat level of the organization. If I put a passive IDS outside wiltelnsi.com (my return address) I would expect to see almost no probes -- the company is boring, nothing valuable to steal -- and security is designed with that threat level in mind. If I put a passive IDS outside sony.com, where I would expect to see lots of script kiddies with probes, the IDS can justify spending resources to be more careful about security.
<big snip>

I worked at a major University that had almost EVERY UNIX computer on the campus broken into. What did they have? NOTHING! At least nothing that you couldn't have got via some other way. Universities by and large are DISSEMINATORS of information, not HOARDERS of it. The main machines that had payroll, student records, etc. were not even touched. They were all IBM mainframes and of course measures had been taken to secure them.

What am I saying? I am saying that content at the site alone is not the only motivator for a break-in. They could be doing it for one of the following reasons (there are others):

1. They are practicing on your site for bigger game. The script kiddies have to start somewhere!
2. They are using your site as a hopping point to cover their tracks. This may be harder to do now (doubt it) but it is still a motivator.
3. They are a competitor that is probing to see just what they can find out. Yes, I know, you told me that you don't have anything of interest at your site. Don't bet on it.
4. Just for the hell(o) of it! Who knows what motivates some of these people to do what they do. Look at Mitnick. Can you honestly look at him and determine what is going on in that little warped twisted mind of his? He could obviously make MUCH MORE MONEY doing something legitimately, but there he rots in prison, now hoarding cans of tuna and getting in trouble for doing that. For that matter, what about the warped and twisted mind of the judges and others that make such a big deal about some cans of tuna! Honestly...I would go and ask him what he was doing it for, tell him I didn't care and that I had to hurry on out of there to get my 9 rounds in at the golf course.

Now I will grant you that an external IDS probably isn't going to provide you with much of anything for somebody in your position. But until you put it there, you have a sort of dark question mark about what is going on out there. I have a feeling that you would be surprised at the number and kinds of probes that you say aren't going on.

Just one person's opinion, and maybe not worth much at that...

HHH