Wouldn't installing an IDS outside the fw be
setting yourself up for alert hell? I would rather
set up the IDS inside (agent or network based)
the fw to monitor that which was allowed, so
I could detect attacks that made it through.
Your thoughts?
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> "Carric Dooley" <[EMAIL PROTECTED]> 8/17/00 10:57:07 PM >>>
>
>makes a good case for installing IDS outside your firewall, does it not?
>=)
>
>----- Original Message -----
>From: "Frank Knobbe" <[EMAIL PROTECTED]>
>To: "'Carric Dooley'" <[EMAIL PROTECTED]>;
><[EMAIL PROTECTED]>
>Sent: Wednesday, August 16, 2000 3:26 PM
>Subject: RE: [FW1] Inbound, outbound, or eitherbound?
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hmmm... I just read again in the FW-1 manual following on Accept
>> Outgoing Packets:
>>
>> Accept Outgoing Packets - Accept all outgoing packets (from the
>> Firewall, not from the internal network).
>>
>> On gateways, rules are usually enforced in the inbound direction
>> only. When a packet passing through the gateway leaves the gateway,
>> it will be allowed to pass only if one of the following conditions is
>> true:
>>
>> * The Accept Outgoing Packets property is checked.
>> * Rules are enforced both directions (eitherbound), and there is a
>> rule which allowed the packet to leave the gateway.
>>
>> Then it references the drawing and additional information in the
>> Architecture manual, which basically states what you have written.
>>
>> Given that, am I the only one feeling uncomfortable with Inbound only
>> since packets originating from the firewall to the outside would go
>> unchecked? Assuming that usually (!) nothing is running on the
>> firewall and no user is working on it, there are still packets that
>> the FW itself creates and sends out, as in authentication and VPN
>> traffic. Wouldn't it be possible for exploits to go unnoticed if no
>> rules have been set to monitor/filter outgoing data? In order to
>> enforce those rules, Eitherbound would need to be selected.
>>
>> Am I just too paranoid, or does anyone else think it might be a good
>> idea to keep an eye on traffic leaving the firewall, and hence use
>> Eitherbound?
>>
>> Regards,
>> Frank
>>
>> > -----Original Message-----
>> > From: Carric Dooley [mailto:[EMAIL PROTECTED]]
>> > Sent: Monday, August 14, 2000 12:46 PM
>> > To: Frank Knobbe; 'Padden, Greg';
>> > [EMAIL PROTECTED]
>> > Subject: Re: [FW1] Inbound, outbound, or eitherbound?
>> >
>> >
>> > My understanding of eitherbound is on which interface the policy is
>> > applied to the traffic.... example:
>> >
>> > If you have IF_A as your internal interface, and IF_B as your external,
>> > if you set your policy for "Inbound", packets coming from the public
>> > network would be filtered at IF_B (the inbound interface for that
>> > direction). An outbound policy would evaluate the traffic from the
>> > outside at IF_A as the traffic leaves the firewall. "Eitherbound" means
>> > the packets have to pass through the policy at BOTH interfaces, doubling
>> > the amount of work for the firewall (at least from a policy perspective)
>> > for each packet. This is the most secure, but if you are pushing a lot
>> > of traffic, not ideal. I would typically set that property for "inbound"
>> > myself. If you set it for "outbound", a DoS (from the outside) would
>> > affect the firewall itself because the traffic is not analyzed until it
>> > hits the internal interface (IF_A). Eitherbound is overkill in a lot of
>> > situations, but inbound means if someone attacks the firewall, it has to
>> > make it through the policy, and the same would apply for traffic from
>> > the internal network out (evaluated before it passes through the
>> > firewall).
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
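Added example (not part of the thread and not Check Point code): a small Python model of the three direction settings as Carric's explanation and the manual text Frank quotes describe them. The interface names IF_A/IF_B come from the thread; the addresses, the two-rule rule base, and the modelling assumption that a packet the gateway generates itself has no ingress interface (so an inbound-only policy never sees it) are constructed for the example. Running it shows the three points made above: with "inbound" a firewall-originated packet is never matched against any rule and leaves if Accept Outgoing Packets is set; with "outbound" an attack from the outside is only evaluated at IF_A, after it has crossed the gateway; with "eitherbound" every forwarded packet is evaluated twice, and gateway-originated traffic is finally subject to the rule base.

```python
"""Model of FW-1 style policy direction: inbound, outbound, eitherbound.

Constructed example, not vendor code. Two-interface gateway: IF_A internal,
IF_B external. The policy is an ordered rule list with an implicit drop.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses: RFC 1918 inside, TEST-NET-2 outside.
INTERNAL_NET = "10.0.0."
EXTERNAL_NET = "198.51.100."
GATEWAY_EXT_IP = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: Optional[str]  # "IF_A", "IF_B", or None = generated by the gateway itself


@dataclass(frozen=True)
class Rule:
    src_net: str            # address prefix, or "any"
    dst_net: str            # address prefix, or "any"
    dport: Optional[int]    # None = any port
    action: str             # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.src_net == "any" or p.src.startswith(self.src_net))
                and (self.dst_net == "any" or p.dst.startswith(self.dst_net))
                and (self.dport is None or self.dport == p.dport))


class Gateway:
    def __init__(self, rules: List[Rule], direction: str, accept_outgoing: bool = False):
        assert direction in ("inbound", "outbound", "eitherbound")
        self.rules = rules
        self.direction = direction
        self.accept_outgoing = accept_outgoing   # the "Accept Outgoing Packets" property
        self.evaluations = 0                     # how often the rule base was consulted

    def egress_for(self, p: Packet) -> str:
        return "IF_A" if p.dst.startswith(INTERNAL_NET) else "IF_B"

    def policy(self, p: Packet) -> bool:
        self.evaluations += 1
        for r in self.rules:
            if r.matches(p):
                return r.action == "accept"
        return False  # implicit drop at the end of the rule base

    def forward(self, p: Packet) -> Tuple[bool, List[Tuple[str, str]]]:
        """Push one packet through the gateway; return (passed, where it was checked)."""
        checks: List[Tuple[str, str]] = []
        # Inbound enforcement happens on the interface the packet arrives on.
        # A packet the gateway created has no ingress interface, so it is never seen here.
        if p.ingress is not None and self.direction in ("inbound", "eitherbound"):
            checks.append(("in", p.ingress))
            if not self.policy(p):
                return False, checks
        # Outbound enforcement happens on the interface the packet leaves on.
        if self.direction in ("outbound", "eitherbound"):
            checks.append(("out", self.egress_for(p)))
            return self.policy(p), checks
        # Inbound only: gateway-originated traffic is never matched against a rule;
        # the Accept Outgoing Packets property alone decides whether it leaves.
        if p.ingress is None:
            return self.accept_outgoing, checks
        return True, checks


# Constructed rule base: internal users may browse, anyone may reach the mail relay.
RULES = [
    Rule(INTERNAL_NET, "any", 80, "accept"),
    Rule("any", "10.0.0.25", 25, "accept"),
]


def compare(direction: str, accept_outgoing: bool = False) -> dict:
    """Run three representative packets through a gateway in the given direction mode."""
    gw = Gateway(RULES, direction, accept_outgoing)
    attack = Packet("198.51.100.77", "10.0.0.5", 445, ingress="IF_B")        # outside -> inside, not allowed
    browse = Packet("10.0.0.9", "198.51.100.200", 80, ingress="IF_A")       # inside -> web, allowed
    from_fw = Packet(GATEWAY_EXT_IP, "198.51.100.200", 6667, ingress=None)  # gateway-originated, not in rule base
    return {
        "attack": gw.forward(attack),
        "browse": gw.forward(browse),
        "from_fw": gw.forward(from_fw),
        "evaluations": gw.evaluations,
    }


if __name__ == "__main__":
    for mode in ("inbound", "outbound", "eitherbound"):
        print(mode, compare(mode, accept_outgoing=True))
```

The `checks` list is the interesting output: it records on which interface each packet met the policy, which is exactly what the direction setting changes. Note the `from_fw` case under "inbound": it passes with an empty check list, which is Frank's concern stated as data.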