IDS mailing list archives

RE: Off-Topic: perfect firewall (was Re: IDS is dead, etc)


From: "Carey, Steve T GARRISON" <steven-carey () us army mil>
Date: Mon, 11 Aug 2003 11:49:39 -0500

Your statement:

"An environment with a perfect firewall only gets "0-day" (or any
other sort) of attacks that are so completely new that no IDS would
know to look for them. Only protocols that we _thought_ we
understood well, with implementations that we _thought_ weren't
going to bite us on the goolies, are allowed in."

Only pertains to rule-based IDS.  We still use SHADOW for our main IDS and write
rules for SNORT based on unusual traffic we see with SHADOW.  Doesn't mean
that's all we use... since there is no 'silver bullet' IDS (or firewall), we use
a suite of IDS tools.  If we see something unusual we have ways to look at the
data traffic, before we write a rule, to verify what is going on.  With a
"0-day" attack it is usually too late to write a rule for either SNORT or a
firewall, which is why we have analysts 24/7 reviewing SHADOW logs and following
up with logs from other IDSs.  Not using analysts to review logs is (in my
personal opinion only) too risky.  I cannot afford to assume that a firewall or
IDS is going to protect my network without a human touch.  And as far as I can
tell, even with Intrusion Prevention software, there is still a long, long way
to go.

Steve Carey

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Friday, August 08, 2003 11:59 AM
To: Sam f. Stover
Cc: Barry Fitzgerald; Tom Arseneault; 'Mark Tinberg'; 'Paul Schmehl';
focus-ids () securityfocus com
Subject: Off-Topic: perfect firewall (was Re: IDS is dead, etc)


2003-08-08T12:22:21 Sam f. Stover:
> How does this address 0-day attacks on services that weren't
> previously vulnerable?

It doesn't. Nothing does.

> Granted a strings searching IDS might not help you there, but a
> true protocol based IDS like NFR might alert you to something that
> wasn't an issue before you implemented your "perfect" firewall.

An environment with a perfect firewall only gets "0-day" (or any
other sort) of attacks that are so completely new that no IDS would
know to look for them. Only protocols that we _thought_ we
understood well, with implementations that we _thought_ weren't
going to bite us on the goolies, are allowed in.

> I guess my real question is how to keep your firewall perfect?

The firewall itself is the easiest part --- it's simple, because it
passes few protocols, and they're very very mature ones for which
mature, well-maintained, well-designed proxies are available; and
it's really only there for defense in depth, because all the
network-traffic-touching apps behind the firewall are also
well-designed, secure ones with rare and few holes; and you've got
aggressive cfg mgmt to make it cheap to rapidly deploy security
fixes on the rare occasions when problems are reported with these
apps.

> The instant you drop it in place, you'll have to stay ahead of
> every hacker out there to keep it perfect...

Absolutely. It's impossible to do this in an uncontrolled
environment. It's possible to do it in a sufficiently
tightly-controlled environment with mostly good-quality software
allowed to touch network traffic, and the rare bits of unavoidable
evil locked tightly in sandboxes.

Such an env requires customers willing to trade off lack of choices
in platform and apps, and limits to categories of apps they'll be
permitted to use. In exchange, they get vastly improved availability
and reduced operating costs.

> Also, isn't every IDS implementation an educational tool to some
> degree?

Sure is.

And if I ever am permitted to set up the fantasy perfect firewall,
I'll have enough time (and the company will have saved enough
money:-) to let me set up that honeypot+ids to keep me on top of
things.

So yes, when you get right down to it, I was talking about a
platonic theoretical ideal, and I can't seem to construct a
believable description of an environment where I wouldn't run an
IDS.

-Bennett
