IDS mailing list archives
RE: Off-Topic: perfect firewall (was Re: IDS is dead, etc)
From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Mon, 11 Aug 2003 11:49:39 -0500
Your statement: "An environment with a perfect firewall only gets "0-day" (or any other sort) of attacks that are so completely new that no IDS would know to look for them. Only protocols that we _thought_ we understood well, with implementations that we _thought_ weren't going to bite us on the goolies, are allowed in." only pertains to rule-based IDS. We still use SHADOW for our main IDS and write rules for SNORT based on unusual traffic we see with SHADOW. Doesn't mean that's all we use; since there is no 'silver bullet' IDS (or firewall), we use a suite of IDS tools. If we see something unusual we have ways to look at the data traffic, before we write a rule, to ensure what is going on. With a "0-day" attack it is usually too late to write a rule for either SNORT or a firewall, which is why we have analysts 24/7 reviewing SHADOW logs and following up with logs from other IDS'. Not using analysts to review logs is (in my personal opinion only) too risky. I cannot afford to assume that a firewall or IDS is going to protect my network without a human touch. And as far as I can tell, even with Intrusion Prevention software, there is still a long, long way to go.

Steve Carey

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Friday, August 08, 2003 11:59 AM
To: Sam f. Stover
Cc: Barry Fitzgerald; Tom Arseneault; 'Mark Tinberg'; 'Paul Schmehl'; focus-ids () securityfocus com
Subject: Off-Topic: perfect firewall (was Re: IDS is dead, etc)

2003-08-08T12:22:21 Sam f. Stover:
> How does this address 0-day attacks on services that weren't previously vulnerable?
It doesn't. Nothing does.
> Granted a strings searching IDS might not help you there, but a true protocol based IDS like NFR might alert you to something that wasn't an issue before you implemented your "perfect" firewall.
An environment with a perfect firewall only gets "0-day" (or any other sort) of attacks that are so completely new that no IDS would know to look for them. Only protocols that we _thought_ we understood well, with implementations that we _thought_ weren't going to bite us on the goolies, are allowed in.
> I guess my real question is how to keep your firewall perfect?
The firewall itself is the easiest part --- it's simple, because it passes few protocols, and they're very very mature ones for which mature, well-maintained, well-designed proxies are available; and it's really only there for defense in depth, because all the network-traffic-touching apps behind the firewall are also well-designed, secure ones with rare and few holes; and you've got aggressive cfg mgmt to make it cheap to rapidly deploy security fixes on the rare occasions when problems are reported with these apps.
> The instant you drop it in place, you'll have to stay ahead of every hacker out there to keep it perfect...
Absolutely. It's impossible to do this in an uncontrolled environment. It's possible to do it in a sufficiently tightly-controlled environment with mostly good-quality software allowed to touch network traffic, and the rare bits of unavoidable evil locked tightly in sandboxes. Such an env requires customers willing to trade off lack of choices in platform and apps, and limits to categories of apps they'll be permitted to use. In exchange, they get vastly improved availability and reduced operating costs.
> Also, isn't every IDS implementation an educational tool to some degree?
Sure is. And if I ever am permitted to set up the fantasy perfect firewall, I'll have enough time (and the company will have saved enough money:-) to let me set up that honeypot+ids to keep me on top of things. So yes, when you get right down to it, I was talking about a platonic theoretical ideal, and I can't seem to construct a believable description of an environment where I wouldn't run an IDS.

-Bennett
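As an added illustration of the two positions in this thread (Bennett's point that behind a tight allowlist firewall the only new attacks arrive inside the few protocols you chose to pass, and Steve's practice of having analysts look at unusual traffic before any Snort rule is written), here is a small Python review script. It is not part of the original thread and is not SHADOW or Snort code. It assumes a constructed connection-summary line format ("timestamp src dst dport proto bytes") and a hypothetical four-port allowlist; it separates denied attempts on non-allowlisted ports from deviations inside the allowed protocols (a per-source byte volume far above the port's median, and fan-out from one source to many destinations), which is where an analyst would start looking rather than a rule engine.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Hypothetical allowlist: the "few, very mature protocols" the thread's perfect
# firewall lets through. Anything else is dropped at the firewall and only
# shows up as a denied attempt in the logs.
ALLOWED_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Constructed sample of per-connection summary lines in an assumed format
# ("timestamp src dst dport proto bytes"); this is not real SHADOW output.
SAMPLE_LOG = """\
2003-08-11T10:00:01 10.0.0.5  192.0.2.10 80  tcp 1200
2003-08-11T10:00:02 10.0.0.6  192.0.2.10 80  tcp 1350
2003-08-11T10:00:03 10.0.0.7  192.0.2.11 443 tcp 900
2003-08-11T10:00:04 10.0.0.5  192.0.2.12 443 tcp 1100
2003-08-11T10:00:05 10.0.0.9  192.0.2.13 80  tcp 9000000
2003-08-11T10:00:06 10.0.0.6  192.0.2.20 53  udp 120
2003-08-11T10:00:07 10.0.0.8  192.0.2.30 135 tcp 0
2003-08-11T10:00:08 10.0.0.8  192.0.2.31 135 tcp 0
2003-08-11T10:00:09 10.0.0.8  192.0.2.32 445 tcp 0
2003-08-11T10:00:10 10.0.0.11 192.0.2.40 80  tcp 300
2003-08-11T10:00:11 10.0.0.11 192.0.2.41 80  tcp 300
2003-08-11T10:00:12 10.0.0.11 192.0.2.42 80  tcp 300
2003-08-11T10:00:13 10.0.0.11 192.0.2.43 80  tcp 300
2003-08-11T10:00:14 10.0.0.11 192.0.2.44 80  tcp 300
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_log(text):
    """Parse summary lines; malformed lines are skipped so one bad line
    does not abort the whole review."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = fields
        try:
            events.append(Event(ts, src, dst, int(dport), proto, int(nbytes)))
        except ValueError:
            continue
    return events


def review(events, volume_factor=10, fanout_threshold=5):
    """Return what an analyst would look at first:
    - denied: per-source count of attempts on ports the firewall does not pass
    - anomalies: deviations inside the allowed protocols, the only place a
      0-day can arrive once the allowlist firewall is in place."""
    denied = defaultdict(int)
    bytes_by_port_src = defaultdict(lambda: defaultdict(int))
    dsts_by_src_port = defaultdict(set)
    for ev in events:
        if ev.dport not in ALLOWED_PORTS:
            denied[ev.src] += 1
            continue
        bytes_by_port_src[ev.dport][ev.src] += ev.nbytes
        dsts_by_src_port[(ev.src, ev.dport)].add(ev.dst)

    anomalies = []
    for dport, per_src in bytes_by_port_src.items():
        if len(per_src) < 2:
            continue  # no peer group on this port to compare against
        typical = median(per_src.values())
        for src, total in per_src.items():
            if total > volume_factor * typical:
                anomalies.append(("volume", src, dport, total))
    for (src, dport), dsts in dsts_by_src_port.items():
        if len(dsts) >= fanout_threshold:
            anomalies.append(("fanout", src, dport, len(dsts)))
    return {"denied": dict(denied), "anomalies": sorted(anomalies)}


def report(result):
    """Render the review as the short list an analyst would walk through."""
    lines = []
    for src, n in sorted(result["denied"].items()):
        lines.append(f"denied  {src}: {n} attempt(s) on non-allowlisted ports")
    for kind, src, dport, value in result["anomalies"]:
        lines.append(f"review  {src} -> {ALLOWED_PORTS[dport]}/{dport}: {kind}={value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review(parse_log(SAMPLE_LOG))))
```

The two heuristics are deliberately simple: the volume check compares each source against the median of its peers on the same allowed port, so one large host does not drag the baseline with it, and the fan-out check counts distinct destinations per source and port. Neither knows anything about a specific attack, which is the point of the thread: they surface traffic worth a human look, and the Snort rule comes afterwards, once the analyst knows what was actually going on.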