IDS mailing list archives
Off-Topic: perfect firewall (was Re: IDS is dead, etc)
From: Bennett Todd <bet () rahul net>
Date: Fri, 8 Aug 2003 12:59:21 -0400
2003-08-08T12:22:21 Sam F. Stover:
> How does this address 0-day attacks on services that weren't previously vulnerable?
It doesn't. Nothing does.
> Granted a strings searching IDS might not help you there, but a true protocol based IDS like NFR might alert you to something that wasn't an issue before you implemented your "perfect" firewall.
An environment with a perfect firewall only gets "0-day" (or any other sort of) attacks that are so completely new that no IDS would know to look for them. Only protocols that we _thought_ we understood well, with implementations that we _thought_ weren't going to bite us on the goolies, are allowed in.
> I guess my real question is how to keep your firewall perfect?
The firewall itself is the easiest part --- it's simple, because it passes few protocols, and they're very very mature ones for which mature, well-maintained, well-designed proxies are available; and it's really only there for defense in depth, because all the network-traffic-touching apps behind the firewall are also well-designed, secure ones with rare and few holes; and you've got aggressive cfg mgmt to make it cheap to rapidly deploy security fixes on the rare occasions when problems are reported with these apps.
> The instant you drop it in place, you'll have to stay ahead of every hacker out there to keep it perfect...
Absolutely. It's impossible to do this in an uncontrolled environment. It's possible to do it in a sufficiently tightly-controlled environment with mostly good-quality software allowed to touch network traffic, and the rare bits of unavoidable evil locked tightly in sandboxes. Such an env requires customers willing to trade off lack of choices in platform and apps, and limits to categories of apps they'll be permitted to use. In exchange, they get vastly improved availability and reduced operating costs.
> Also, isn't every IDS implementation an educational tool to some degree?
Sure is. And if I ever am permitted to set up the fantasy perfect firewall, I'll have enough time (and the company will have saved enough money:-) to let me set up that honeypot+ids to keep me on top of things. So yes, when you get right down to it, I was talking about a platonic theoretical ideal, and I can't seem to construct a believable description of an environment where I wouldn't run an IDS.
-Bennett
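As an added illustration (not part of Bennett's message or any project's code), here is how the design he describes, a default-deny perimeter that passes only a few mature protocols and only through dedicated proxy hosts, might be written as an nftables ruleset. The interface names and addresses are assumed placeholders: WAN on eth0, LAN 10.0.0.0/24 on eth1, and a DMZ on eth2 holding the proxy host 10.0.1.10.

```nftables
#!/usr/sbin/nft -f
# Constructed example: "few mature protocols, only via proxies" perimeter policy.
# Assumed placeholder topology: eth0 = WAN, eth1 = LAN, eth2 = DMZ with the proxy host.
flush ruleset

define lan    = 10.0.0.0/24
define proxy  = 10.0.1.10
define wan_if = "eth0"
define lan_if = "eth1"
define dmz_if = "eth2"

table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Management of the firewall itself: SSH from the LAN only.
        iif $lan_if ip saddr $lan tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN hosts never reach the outside directly; they may only talk to
        # the proxy host, and only on the ports the proxies listen on
        # (3128 = web proxy, 25 = mail relay).
        iif $lan_if oif $dmz_if ip saddr $lan ip daddr $proxy tcp dport { 3128, 25 } ct state new accept
        # Only the proxy host originates outbound traffic, and only for the
        # handful of mature protocols it proxies: SMTP, HTTP, HTTPS, DNS.
        iif $dmz_if oif $wan_if ip saddr $proxy tcp dport { 25, 80, 443 } ct state new accept
        iif $dmz_if oif $wan_if ip saddr $proxy udp dport 53 ct state new accept
        # Everything else hits the drop policy; log a rate-limited sample so
        # the IDS/log review sees what is being refused.
        limit rate 10/minute log prefix "perimeter-drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # The firewall host itself fetches updates through the proxy too.
        oif $dmz_if ip daddr $proxy tcp dport 3128 ct state new accept
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; anything not explicitly listed in the forward chain is dropped and logged, which is the "defense in depth" property the message relies on.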