> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 25 October 2000 9:45 AM
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Firewall security rule validation via Intrusion Detection system
>
> Ben...
>
> Not necessarily true,

I don't know which of my points you're saying isn't true...

> place an IDS sensor outside in your Dirty Network
> (before fw/router) and place an IDS sensor inside..

If we're talking about DMZ then sure, you could do this. For the external link - normally I recommend a packet filtering router. To stick a sensor in front of that it would need to be able to cope with the WAN link.

> In most cases, an IDS should pick up the attack if the IDS application is
> designed correctly, and everything else.

"In most cases, a firewall should provide the security it says it will, if the firewall application is designed correctly, and everything else."

Lots of people probably laughed, then. Why should your statement RE: IDS systems be any less amusing? Lack of trust that things will do what they are supposed to do is the hallmark of the security professional.

> A penetration test is one time picturesque view of an organization.

Correct. However, firewalls are usually fairly static. In any case, failing to verify a firewall configuration once it has been completed is hardly professional.

> What happens if the site comes away with very little results.

From an audit of the firewall config? Everyone is happy.

> Or do you believe in hiring an online security scanning service (i.e.
> Global Integrity) and pay them on a quarterly basis to scan your network..

That's a whole different debate, and one which I don't intend to have.

> So which is better??

I don't know where you're trying to take this discussion. I'm asserting that using passive IDS techniques is a very poor way to verify a firewall configuration. The firewall should be installed and then actively tested to make sure that it is performing as expected. Using IDS alerts as a metric for firewall correctness is not, IMO, sensible.

I think the role of the IDS is to then sit around and look for suspicious traffic - DMZ hosts scanning the internal firewall, for example. Or traffic that the firewall is not smart enough to know is bad - like cgi attacks against webservers etc.

If you want to look at developing an active audit function, where an internal and external IDS try to talk to each other in lots of tricky ways, then that could be of value.

> /m
>
> At 09:21 AM 10/25/00 +0930, Ben Nagy wrote:
> >I think you have a logical flaw there.
> >
> >Many IDS alerts = firewall rules not tight enough (possibly)
> >But:
> >Few IDS alerts != firewall rules OK.
> >
> >You're assuming that the attack patterns during the observation period are
> >a) constant and b) uniformly distributed across the gamut of possible
> >attacks.
> >
> >All in all I think that using the IDS as a passive indicator of the
> >correctness of the firewall configuration is fraught with peril. Frankly,
> >there's no guarantee that the IDS is even going to pick up the attack.
> >
> >I agree that having "impossible" traffic patterns raise alerts is a good way
> >of finding out (after the fact) that the firewall was configured incorrectly.
> >However I would still advocate a direct audit/'penetration test' of the
> >firewall at the completion of the installation. I don't think an IDS can
> >help here with passive/internal techniques. Maybe you could look at
> >something active/external?

Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
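The active check Ben argues for (probe the installed firewall and diff the result against the intended rulebase, rather than infer correctness from IDS alert counts), sketched as an added example; this is not code from the thread or from any poster, and the hosts, ports and policy table are constructed placeholders.

```python
import errno
import socket

# Added example, not code from the thread. Intended policy, transcribed from the
# rulebase as (host, tcp_port, "allow"|"deny"); addresses are constructed TEST-NET-1.
EXPECTED_POLICY = [
    ("192.0.2.10", 80, "allow"),   # public web server
    ("192.0.2.10", 22, "deny"),    # ssh must not be reachable from outside
    ("192.0.2.20", 25, "allow"),   # mail relay
    ("192.0.2.20", 3306, "deny"),  # database port must stay filtered
]

def classify(connect_errno):
    """Connected (None) or ECONNREFUSED (RST from the host) both mean the packet
    passed the firewall; a timeout means it was dropped somewhere on the path."""
    if connect_errno is None or connect_errno == errno.ECONNREFUSED:
        return "reached"
    if connect_errno in (errno.ETIMEDOUT, errno.EHOSTUNREACH):
        return "filtered"
    return "unknown"   # e.g. ENETUNREACH: a probe problem, not a firewall result

def probe_tcp(host, port, timeout=3.0):
    """One TCP connect from the probing host, classified as above."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return classify(None)
    except socket.timeout:
        return classify(errno.ETIMEDOUT)
    except OSError as e:
        return classify(e.errno)

def audit(policy, observations):
    """Diff intended policy against observed reachability; observations maps
    (host, port) -> "reached" | "filtered" | "unknown". Empty list = as intended."""
    findings = []
    for host, port, expected in policy:
        seen = observations.get((host, port), "unknown")
        if seen == "unknown":
            findings.append(("unverified", host, port))
        elif expected == "deny" and seen == "reached":
            findings.append(("hole", host, port))      # rule looser than intended
        elif expected == "allow" and seen == "filtered":
            findings.append(("blocked", host, port))   # rule tighter than intended
    return findings

def run_audit(policy=EXPECTED_POLICY):
    """Probe every policy entry from this host and return the findings."""
    return audit(policy, {(h, p): probe_tcp(h, p) for h, p, _ in policy})
```

Run `run_audit()` once from the outside of the firewall and once from each inside zone, each with its own policy table, since a rule that is correct from one side can still be wrong from another.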
