IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Swift, David" <dswift () ipolicynetworks com>
Date: Sun, 24 Jul 2005 13:27:31 -0700
Fair enough. I agree, no single product is going to block everything. Still, a Unified Threat Management (UTM) device like iPolicy Intrusion Prevention Firewalls (sorry, required minimal company plug) can go a long way toward a good defense. Some form of firewall and IDS/IPS are essential on the un-policed Wild Wild Web. As you mentioned, I always install Tripwire or auditing services on internal hosts just in case something snuck through. Other products like SolidCore attempt to lock the entire OS/executing code set, and could be useful as well for critical systems with static configurations. And of course there are application-specific/data-scrubbing systems like NetContinuum that I would deploy to filter outbound content from web servers.

After 15 years in networking, I've become OS and system agnostic; I just try to deploy a combination based on the value of the data, the customer budget, and the potential threats to it. Can't always get a Rolls Royce when the budget is for a Kia.

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com]
Sent: Friday, July 22, 2005 6:23 PM
To: Swift, David
Cc: Mike Barkett; Nick Black; focus-ids () securityfocus com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

On 7/22/05, Swift, David <dswift () ipolicynetworks com> wrote:
Right up front, I'll admit I work for a vendor, but...

1. There are a growing number of Intrusion Detection/Intrusion Prevention Systems that have an integrated firewall.

2. IPS is a significant step in the right direction, and does things a firewall can't. If you have doubts, try using Firewalker to pinpoint holes in your firewall, and map network devices PAST the firewall perimeter. If I can find them, I can attack them. Then craft a few attacks with Nessus and send a fragmented attack right on through the firewall at a given target.

iPolicy started a company with the premise that security integration was where things were headed. We built a good firewall that, after 5 years of revisions, now has an easy-to-use interface, AND we incorporate a good IDS/IPS engine.
Hi David,

All good points. If you can get past firewalls using various techniques, I'm sure others can bypass even your product, right? This is not an attack against you or any other prevention vendor. The unfortunate reality is that at some point a smart, unpredictable intruder will figure out how to bypass your prevention mechanism.

Where does that leave an integrated/converged security device? Will it have any record at all that it was beaten? Probably not -- if it knew what was happening, it would have blocked the attack, correct?

The problem I see with most security vendors is their assumption that they can even identify attacks properly. This is a problem because detection or prevention requires accurate attack identification. I gave up on perfect attack detection years ago, but I did not give up on intrusion detection or prevention as necessary parts of the security process. I am glad you and other vendors still work on this very tough problem!

For my part, I try to identify when my preventative system has failed via policy enforcement failure detection. If that doesn't work, I'm also performing network transaction logging. Once I know (by non-technical means, perhaps) that I'm compromised, I have network-based evidence to guide my incident response and remediation process. I don't see do-it-all-in-one security appliances approaching the problem this way.

I guess my view is biased because I do incident response for a living, and I constantly deal with failed security mechanisms. (Unfortunately for my clients,) I am as busy now (with all the great new gear we have) as I was seven years ago when I started.

Sincerely,

Richard
http://www.taosecurity.com
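Richard's two fallbacks, policy enforcement failure detection and network transaction logging, are concrete enough to show in code. What follows is an added example, not code from this thread, from iPolicy, or from TaoSecurity: a hypothetical first-match firewall policy is replayed against constructed session records from a sensor placed inside the firewall. Any recorded flow the policy says should have been denied is, by definition, a flow the prevention mechanism let through; the same records are then pivoted by host to produce the network evidence an incident responder would start from. The policy rules, the log format, the addresses and the helper names are all made up for this example.

```python
"""Policy enforcement failure detection over network transaction logs.

Added example (not from the thread). The policy format, the flow-log
format and every address below are hypothetical constructions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    state: str             # "CON" = completed session, "REQ" = unanswered attempt
    nbytes: int


# Hypothetical first-match policy: 192.0.2.10 is a DMZ web server,
# 10.1.0.0/16 is the internal network, everything else is the Internet.
POLICY: List[Rule] = [
    Rule("permit", ip_network("0.0.0.0/0"), ip_network("192.0.2.10/32"), "tcp", 80),
    Rule("permit", ip_network("0.0.0.0/0"), ip_network("192.0.2.10/32"), "tcp", 443),
    Rule("permit", ip_network("10.1.0.0/16"), ip_network("0.0.0.0/0"), "any", None),
    Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "any", None),
]

# Constructed session records from a sensor INSIDE the firewall.
# Format (invented for this example): ts proto src:port dst:port state bytes
SAMPLE_LOG = """
2005-07-22T18:01:02 tcp 198.51.100.7:51234 192.0.2.10:80   CON 4821    # allowed web hit
2005-07-22T18:01:09 tcp 10.1.4.20:40211    203.0.113.5:443 CON 12876   # allowed outbound
2005-07-22T18:02:15 tcp 198.51.100.7:51240 192.0.2.10:22   CON 3310    # ssh to DMZ box: not in policy
2005-07-22T18:03:40 tcp 198.51.100.7:51251 10.1.4.20:445   REQ 0       # inbound to internal host, unanswered
2005-07-22T18:05:01 udp 10.1.4.20:5353     198.51.100.7:53 CON 612     # outbound to the same external host
2005-07-22T18:05:30 tcp 198.51.100.7:51260 10.1.4.20:445   CON 90120   # inbound SMB session completed
"""


def _endpoint(text: str):
    ip, port = text.rsplit(":", 1)
    return ip_address(ip), int(port)


def parse_flows(log: str) -> List[Flow]:
    """Parse the constructed flow-log format, skipping blank lines and comments."""
    flows = []
    for raw in log.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, proto, src, dst, state, nbytes = line.split()
        sip, sport = _endpoint(src)
        dip, dport = _endpoint(dst)
        flows.append(Flow(ts, proto, sip, sport, dip, dport, state, int(nbytes)))
    return flows


def policy_verdict(policy: Iterable[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule matches is implicitly denied."""
    for r in policy:
        if (flow.src in r.src and flow.dst in r.dst
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


def find_failures(policy: Iterable[Rule], flows: Iterable[Flow],
                  completed_only: bool = False) -> List[Flow]:
    """Flows the policy says should never have reached the inside sensor.

    Every denied flow seen here means the firewall passed it; a denied flow
    that also completed (state CON) is the stronger signal, since the target
    answered.
    """
    return [f for f in flows
            if policy_verdict(policy, f) == "deny"
            and (not completed_only or f.state == "CON")]


def flows_for_host(flows: Iterable[Flow], host: str) -> List[Flow]:
    """Incident-response pivot: every recorded session touching one host."""
    h = ip_address(host)
    return [f for f in flows if f.src == h or f.dst == h]


def first_inbound(flows: Iterable[Flow], host: str) -> Optional[Flow]:
    """Earliest recorded session into a host, a starting point for the timeline."""
    h = ip_address(host)
    inbound = sorted((f for f in flows if f.dst == h), key=lambda f: f.ts)
    return inbound[0] if inbound else None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in find_failures(POLICY, flows):
        print(f"POLICY FAILURE {f.ts} {f.proto} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport} {f.state} {f.nbytes}B")
    for f in flows_for_host(flows, "10.1.4.20"):
        print(f"EVIDENCE       {f.ts} {f.proto} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport} {f.state}")
```

On the constructed records, the ssh session to the DMZ host and both SMB flows into 10.1.4.20 come back as policy failures, and the host pivot returns four sessions for 10.1.4.20, the earliest inbound one being the unanswered SMB attempt. The point of keeping the check separate from the firewall is the one Richard makes: it works from what the sensor actually saw, not from what the prevention device believed it blocked.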