IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 12 Mar 2005 13:09:59 -0500
On Sat, 12 Mar 2005 10:11:44 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
But, you're missing the point. What I'm saying is that the two technologies are merging where appropriate, and that it is a GOOD thing, even for large enterprises, not just small ones.
David, I'm not missing the point. I'm making an entirely new one. (In reality, my viewpoint is a decade or more old, but vendors and pundits have apparently forgotten it.) You have to be able to detect an attack to stop it. Layer 3 firewalls detect attacks by inspecting layer 3 headers for prohibited IP addresses or other IP header features. Layer 4 firewalls detect attacks by inspecting layer 4 headers for prohibited ports, flags, and so on. "Layer 5" firewalls detect attacks by tracking sessions. Layer 7 firewalls (aka IPSs) detect attacks by inspecting layer 7 information for prohibited content, protocol inconsistencies, etc. Once detected, firewalls block attacks. I welcome all advancements that make smarter access control decisions. We certainly need them in a world where most hosts (often Windows) can't independently defend themselves! Attack detection, whether for alerting ("IDS") or blocking ("IPS"), can be circumvented. This is not a slam on vendors (much smarter than me), but an acknowledgement of the difficulty of the problem set. Almost every incident response I have performed took place at a facility with an IDS or IPS deployed. Often, neither device had anything useful to say about the incident. When you realize this, the natural next step is to use an access control device to limit what you can and deploy an audit device to keep track of everything else. Forget about "intrusion" or "attack" detection -- simply record everything that happens. You never know what piece of information will yield the clue to investigating an incident. I have not seen a single commercial IDS or IPS perform the sort of network audit needed for post-mortem incident response. If either device is bypassed, the security staff has nowhere to turn. I do not want a single device responsible for both access control and network audit. When an intruder beats a "converged" device, the defender becomes completely blind. These realities form the heart of my network security monitoring theory. I don't think about "intrusion detection" or "intrusion prevention." I think in terms of indications and warnings (usually via an "IDS") and policy enforcement (via an access control device). Sincerely, Richard -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: How to choose an IDS/FW MSS provider, (continued)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- Re: How to choose an IDS/FW MSS provider buineach (Mar 10)
- Re: How to choose an IDS/FW MSS provider Kevin (Mar 11)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider KoƧ.net (Mar 09)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider Brady, Rick (Mar 10)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 11)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider Stephane (Mar 10)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Adam Powers (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Jason (Mar 19)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 23)
- Re: How to choose an IDS/FW MSS provider Ron Gula (Mar 24)