Firewall Wizards mailing list archives
Re: Scanner and Firewall?
From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 13 Jul 1999 18:24:05 -0700 (PDT)
--- John Nanas <JohnN () review com> wrote:
do I need scanning software in addition to the firewall? I know that FW-1 has pretty comprehensive software (much more than I've taught myself to use, thus far) with all the logging, but do I gain something by adding another scanner to the firewall box?
The word "scanner" typically implies a product that searches for vulnerabilities by sending packets at the firewall from another box (SATAN, Nessus, nmap, etc.). I think you are talking about an "intrusion detection system" (IDS). This is a program that watches network traffic and looks for hacking signatures.

A common misconception is that intrusion-detection systems (IDS) get their data from firewalls. While there are some that process firewall logs, generally a log file is too "processed" to provide good information. IDSs require the original "raw" traffic in order to operate well. In other words, while you can usually install an IDS on the same box as the firewall (in which case both watch the raw traffic), you are probably better off installing it on a separate box that watches the same wire. A common scenario is an IDS in front of the firewall to detect attempts, and another IDS behind to detect successful breaches of the firewall.

As to whether you "gain" something by having an IDS, a study by the Computer Security Institute (gocsi.com) found that 30% of large companies have had their firewalls breached. Even if you have a firewall, you typically leave important services open. The firewall won't detect or block "buffer-overflow" attempts against those services, but an IDS will detect them.

If you are curious, I explain this in detail in my FAQ at: http://www.robertgraham.com/pubs/network-intrusion-detection.html#7.4 (bias: I now work for one of the vendors mentioned in the document, Network ICE).

Rob.
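The point made above, as an added illustration that is not part of the original post: the same three connections seen the way a packet filter sees them (5-tuple plus verdict, which is all that reaches its log) and the way an IDS sees them (raw payload), with one IDS placed in front of the firewall and one behind it. The packets, addresses and the request-line threshold are constructed for this example.

```python
# Added example, not from the original post. Packets, addresses and the
# MAX_REQUEST_LINE threshold are constructed samples, not real captures.

MAX_REQUEST_LINE = 512   # assumed threshold; real signatures are tuned per service

def firewall_verdict(pkt, open_ports=(25, 80)):
    """A packet filter decides on the 5-tuple only, never on the payload."""
    return "accept" if pkt["dport"] in open_ports else "drop"

def firewall_log_line(pkt):
    """What the firewall writes: the payload does not survive, only sizes and verdict."""
    return (f'{firewall_verdict(pkt)} tcp {pkt["src"]}:{pkt["sport"]} -> '
            f'{pkt["dst"]}:{pkt["dport"]} len={len(pkt["payload"])}')

def ids_signature(pkt):
    """Raw-payload signature: an HTTP request line far longer than any normal
    client sends, the usual shape of a buffer-overflow attempt on an open service."""
    payload = pkt["payload"]
    if payload.startswith((b"GET ", b"POST ")):
        if len(payload.split(b"\r\n", 1)[0]) > MAX_REQUEST_LINE:
            return "overlong HTTP request line"
    return None

def ids_alerts(packets, behind_firewall):
    """An IDS in front of the firewall sees every packet (attempts); one behind
    it sees only what the firewall accepted (what actually got through)."""
    seen = [p for p in packets
            if not behind_firewall or firewall_verdict(p) == "accept"]
    return [(p["dport"], sig) for p in seen if (sig := ids_signature(p))]

def alerts_from_firewall_log(lines):
    """Run the same signature over the log instead of the wire: the request
    line was never recorded, so nothing can match."""
    return [line for line in lines if ids_signature({"payload": line.encode()})]

# Constructed traffic: a normal request, an overlong request to the open web
# port, and the same overlong request to a port the firewall does not allow.
PACKETS = [
    {"src": "203.0.113.7", "sport": 1025, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"},
    {"src": "203.0.113.7", "sport": 1026, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.7", "sport": 1027, "dst": "192.0.2.10", "dport": 8080,
     "payload": b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    print("firewall log:", *[firewall_log_line(p) for p in PACKETS], sep="\n  ")
    print("IDS in front:", ids_alerts(PACKETS, behind_firewall=False))
    print("IDS behind:  ", ids_alerts(PACKETS, behind_firewall=True))
```

The front IDS reports both overlong requests (attempts), the rear IDS only the one the firewall let through to port 80, and the firewall log alone yields no alert at all.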
Current thread:
- Scanner and Firewall? John Nanas (Jul 13)
- <Possible follow-ups>
- Re: Scanner and Firewall? Robert Graham (Jul 14)
- RE: Scanner and Firewall? Henry Sieff (Jul 14)