I think you have a logical flaw there.

Many IDS alerts = firewall rules not tight enough (possibly)

But:

Few IDS alerts != firewall rules OK.

You're assuming that the attack patterns during the observation period are a) constant and b) uniformly distributed across the gamut of possible attacks.

All in all I think that using the IDS as a passive indicator of the correctness of the firewall configuration is fraught with peril. Frankly, there's no guarantee that the IDS is even going to pick up the attack.

I agree that having "impossible" traffic patterns raise alerts is a good way of finding out (after the fact) that the firewall was configured incorrectly. However I would still advocate a direct audit/'penetration test' of the firewall at the completion of the installation.

I don't think an IDS can help here with passive/internal techniques. Maybe you could look at something active/external?

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 25 October 2000 12:50 AM
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Firewall security rule validation via Intrusion Detection system
>
> This is more of a discovery tool, not particularly an Intrusion Detection system (i.e. ISS, NFR, NetworkICE, etc).
> The whole underlying reason one places a firewall or packet filtering router between an organization and the Internet is to prevent would-be intruders. So if the rules on the firewall are lax, that means your IDS system is alerting one all the time; by crafting efficient rules on your firewall and therefore observing the number of alerts on your IDS device (software or hardware), one can then substantiate that either the security rules in place are working as designed or need some work if the amount of alerts on the IDS is extremely high.
>
> Many people forget that an IDS is not just to watch the wire but also validates that the devices in place are doing their job sufficiently (hopefully).
>
> /m
>
> At 04:24 PM 10/24/00 +0930, Ben Nagy wrote:
> >I like to use nmap to externally scan firewalls with various options. In addition I often try a few spot checks using an internal netcat listener and then trying to connect to it from the outside world.
> >
> >With all the fragmentation problems these days, one should probably try and route the connections to the netcat listener through something like fragrouter.
> >
> >Cheers,
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
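The active check Ben Nagy argues for above (an external scan compared against what the firewall is meant to allow) reduces to a policy diff. The script below is an added example, not code from the thread or any of its participants: it parses a constructed sample of nmap's grepable (-oG) output for a single host, compares the observed open TCP ports with the intended policy, and reports both unexpected openings and expected services the firewall is wrongly blocking. Host address, ports and the policy table are assumptions for the sake of the example.

```python
import re

# Constructed sample of nmap -oG output (not a real scan); fields are tab-separated.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample for illustration)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/filtered/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: filtered (995)
# Nmap done
"""

# Assumed policy: the only TCP ports that are supposed to be reachable from outside.
INTENDED_OPEN = {"192.0.2.10": {80, 443}}

# Matches the leading "port/state/protocol/" of each entry in the Ports: field.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap grepable output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Keep only the Ports: field; drop the trailing "Ignored State:" field.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        states = {}
        for port, state, proto in PORT_RE.findall(ports_field):
            states[(int(port), proto)] = state
        result[host] = states
    return result


def audit(observed, intended):
    """Diff observed vs intended policy.

    Returns (unexpected_open, expected_but_unreachable), each {host: [ports]}.
    An empty first dict is evidence about the scanned ports only, not proof the
    rule set is correct; the second dict catches rules that are too tight.
    """
    unexpected, unreachable = {}, {}
    for host, ports in observed.items():
        want = intended.get(host, set())
        opened = {p for (p, proto), st in ports.items() if proto == "tcp" and st == "open"}
        if opened - want:
            unexpected[host] = sorted(opened - want)
        if want - opened:
            unreachable[host] = sorted(want - opened)
    return unexpected, unreachable


if __name__ == "__main__":
    print(audit(parse_grepable(SAMPLE_NMAP_GREPABLE), INTENDED_OPEN))
```

On the constructed sample this flags 22, 25 and 3306 as open against policy and 443 as intended but filtered; the same diff can be re-run after every rule change, which is the direct audit the thread recommends over counting IDS alerts.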
