IDS mailing list archives

Off-Topic: perfect firewall (was Re: IDS is dead, etc)


From: Bennett Todd <bet () rahul net>
Date: Fri, 8 Aug 2003 12:59:21 -0400

2003-08-08T12:22:21 Sam f. Stover:
> How does this address 0-day attacks on services that weren't
> previously vulnerable?

It doesn't. Nothing does.

> Granted a strings searching IDS might not help you there, but a
> true protocol based IDS like NFR might alert you to something that
> wasn't an issue before you implemented your "perfect" firewall.

An environment with a perfect firewall only gets "0-day" (or any
other sort) of attacks that are so completely new that no IDS would
know to look for them. Only protocols that we _thought_ we
understood well, with implementations that we _thought_ weren't
going to bite us on the goolies, are allowed in.

> I guess my real question is how to keep your firewall perfect?

The firewall itself is the easiest part --- it's simple, because it
passes few protocols, and they're very very mature ones for which
mature, well-maintained, well-designed proxies are available; and
it's really only there for defense in depth, because all the
network-traffic-touching apps behind the firewall are also
well-designed, secure ones with rare and few holes; and you've got
aggressive cfg mgmt to make it cheap to rapidly deploy security
fixes on the rare occasions when problems are reported with these
apps.

> The instant you drop it in place, you'll have to stay ahead of
> every hacker out there to keep it perfect...

Absolutely. It's impossible to do this in an uncontrolled
environment. It's possible to do it in a sufficiently
tightly-controlled environment with mostly good-quality software
allowed to touch network traffic, and the rare bits of unavoidable
evil locked tightly in sandboxes.

Such an env requires customers willing to trade off lack of choices
in platform and apps, and limits to categories of apps they'll be
permitted to use. In exchange, they get vastly improved availability
and reduced operating costs.

> Also, isn't every IDS implementation an educational tool to some
> degree?

Sure is.

And if I ever am permitted to set up the fantasy perfect firewall,
I'll have enough time (and the company will have saved enough
money:-) to let me set up that honeypot+ids to keep me on top of
things.

So yes, when you get right down to it, I was talking about a
platonic theoretical ideal, and I can't seem to construct a
believable description of an environment where I wouldn't run an
IDS.

-Bennett
