> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> > -----Original Message-----
> > From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 24, 2000 7:39 PM
> >
> > [...]
> > I think the role of the IDS is to then sit around and look for suspicious
> > traffic - DMZ hosts scanning the internal firewall, for example. Or traffic
> > that the firewall is not smart enough to know is bad - like cgi attacks
> > against webservers etc.
> > 
> > If you want to look at developing an active audit function, where
> > an internal and external IDS try to talk to each other in lots  of
> > tricky ways then that could be of value.  
> 
> I think an IDS can play a valid role in verifying a firewall policy.

And I don't. As I guess is obvious.

> Consider this example: On my firewall, I configured ICMP rules in a
> way where I can send pings out, but only replies are allowed back in.
> The firewall effectively filters incoming ping requests, source
> quenches and everything else that is not a reply (I want to be able
> to do traceroutes and pings through the firewall, hence the rules).
> 
> An nMap test showed that the firewall is secure... at least so I
> thought. Imagine my surprise when my snort sensor behind the firewall
> picked up a fake ICMP reply (snort identified that as some trojan
> backdoor communication attempt).

But you _knew_ that you were allowing unsolicited ICMP echo_replies. In this
case the IDS hasn't alerted you to anything at all. It has merely logged
traffic that is allowed but suspicious.

Look at it this way - in the time before you received this alert (nobody had
yet tried this trick) were you then assuming that your configuration was
"verified"? Of course not! It was sitting there all the time with a hole in
it that you hadn't thought of.

All an IDS can do is alert you, after the fact, that either the firewall is
faulty or that you made a config error. That's _not_ verification.
Verification is where you outline a set of expected behaviour and test
against those expectations BEFORE the problems arise.

> However, you can use the IDS to work together with your firewall to
> enhance its security. I have a snort sensor inside (and for testing
> also outside) the firewall. I wrote a few scripts that monitor snort
> alerts[...and do cool stuff...]

This is a good idea, and a good use of an IDS.

> So the IDS does not only provide a sanity check for the level of
> security on the firewall, but it actively takes a part in the
> firewall security. Isn't that the way it's supposed to work ;)

Yes and no. I still claim that a lack of IDS alerts gives no valid
indication that the firewall is behaving as expected. If you accept that
claim then I think that my assertion that IDS systems are not verification
tools is watertight. It's simple logic: Many IDS alerts -> firewall bad
does not imply the converse, that few IDS alerts -> firewall good.

> Regards,
> Frank

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
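A small harness for the kind of verification Ben describes (expected behaviour written down first, then the policy tested against it), added here as an example and not part of the original thread. It models Frank's ICMP rules as a stateless policy next to a stateful alternative; the addresses, identifiers, packet model and policy functions are all constructed assumptions.

```python
from collections import namedtuple

# Constructed model, not the firewall from the thread. ICMP types: 0 reply, 4 source quench, 8 request.
ECHO_REPLY, SOURCE_QUENCH, ECHO_REQUEST = 0, 4, 8
INSIDE, PEER = "10.0.0.5", "203.0.113.9"   # placeholder addresses
Pkt = namedtuple("Pkt", "direction icmp_type src dst ident")   # direction is "out" or "in"

def stateless_policy():
    """The rule set described in the thread: anything out, only echo replies back in."""
    def decide(pkt):
        return pkt.direction == "out" or pkt.icmp_type == ECHO_REPLY
    return decide

def stateful_policy():
    """Allow an echo reply in only if it answers an echo request we actually sent."""
    pending = set()   # (peer, ident) of requests still awaiting an answer
    def decide(pkt):
        if pkt.direction == "out":
            if pkt.icmp_type == ECHO_REQUEST:
                pending.add((pkt.dst, pkt.ident))
            return True
        key = (pkt.src, pkt.ident)
        if pkt.icmp_type == ECHO_REPLY and key in pending:
            pending.discard(key)
            return True
        return False
    return decide

# Expected behaviour written down before any traffic is seen:
# (name, packet sequence, whether the LAST packet must be allowed)
EXPECTATIONS = [
    ("ping out, reply back", [Pkt("out", ECHO_REQUEST, INSIDE, PEER, 1),
                              Pkt("in", ECHO_REPLY, PEER, INSIDE, 1)], True),
    ("echo request in", [Pkt("in", ECHO_REQUEST, PEER, INSIDE, 2)], False),
    ("source quench in", [Pkt("in", SOURCE_QUENCH, PEER, INSIDE, 3)], False),
    ("unsolicited echo reply in", [Pkt("in", ECHO_REPLY, PEER, INSIDE, 4)], False),
]

def verify(policy_factory):
    """Return the names of expectations the policy violates (empty list = verified)."""
    failures = []
    for name, packets, must_allow in EXPECTATIONS:
        decide = policy_factory()          # fresh state per scenario
        verdict = None
        for pkt in packets:
            verdict = decide(pkt)
        if verdict != must_allow:
            failures.append(name)
    return failures
```

Run against the stateless rules, `verify` reports the unsolicited echo-reply case that Frank's snort sensor only caught after the fact; the stateful variant passes every expectation.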
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
