RE: [FW1] Intrusion Detection
I have to jump in here because IDS is sounding like it does more bad than good. In reality, most people do not set up their IDSs to reconfigure their firewall on the fly, for fear of blocking legitimate traffic. Those that do are most likely responding to a previous attack signature and don't want the same thing occurring again. A much more common response is to have the IDS kill the offending connection, thereby affecting users on a connection-by-connection basis.

Unfortunately, you cannot protect from all attacks all the time. How you choose to handle attacks is extremely dependent on your network and resources and liability.

Of course there are differing opinions, but my opinion is that if you only have one IDS box to use, place it on the internal or DMZ side of your firewall, wherever your important servers are. The reason is that a vast majority of network misuse is perpetrated by internal, rather than external, users. Plus, it can be said that you want to know who got through the front door, rather than just who was knocking. Obviously, if you have the resources, put a second IDS outside the firewall.

-----Original Message-----
From: Tim Cullen [mailto:[email protected]]
Sent: Tuesday, January 16, 2001 11:30 AM
To: 'Vitor Manuel Saldanha Ventura'
Cc: 'Lance Spitzner'; Jon Vandiveer; [email protected]
Subject: RE: [FW1] Intrusion Detection

Good points. I agree the IDS should complement the firewall. There are, however, inherent risks with doing that. Read Lance's thread about automated response systems. I agree with that wholeheartedly. I did leave out the fact that the IDS should be put in front of the firewall also. This will help to prewarn. This is a good thing. I don't think we would be "waiting for the hack". You are being proactive by simply putting the IDS system in the corporate environment anyway.

It is so hard to sell the "Heads" on this line of thinking that I view anyone that is able to put an IDS system into play as already acting in a proactive manner. The actual proactive issue with the IDS system comes with a lot of caveats. For example, if you are running an e-commerce site (nowadays who isn't), and one of your customers is coming through an ISP that is having problems with their circuit, the connection can look like a fragmented hack attempt and the firewall can block them from entering the site. Now, move that up a notch. Maybe it is one of your investors and they get a blocked message from the site. This will not be good. Of course this is purely theoretical. Your situations and views may vary.

Bottom line is ANY IDS added to your system is good. Just decide what type of features you want and research the products out. Chances are there will be more features than you will know what to do with.

-----Original Message-----
From: Vitor Manuel Saldanha Ventura [mailto:[email protected]]
Sent: Monday, January 15, 2001 11:51 AM
To: Tim Cullen
Cc: 'Lance Spitzner'; Jon Vandiveer; [email protected]
Subject: Re: [FW1] Intrusion Detection

I don't think that way; an IDS should complement the firewall's job, and if possible interact with it. We shouldn't be waiting for the hack to happen ... we should be proactive. If my IDS detects an attack it should be able to reconfigure my firewall to stop that attack. What you said about replacing the damaged page is good, but we should prevent that from happening. I think that RealSecure, NFR, or any other good IDS working with FW-1 is a great idea. But don't forget Lance's remarks about reconfiguring FW-1 rules. And we must be very, very careful with the false positives; if you are not careful you can create a DoS waiting to happen.

Vitor Ventura

Tim Cullen wrote:
>
> One good thing about IDS systems is that they do not need to be certified to
> work with a certain firewall, unless you are trying to put the IDS on the
> firewall, and at that point I would have to say DON'T DO IT!!!!!!
>
> NEVER EVER put IDS on the firewall. It is a firewall. Its job is to
> protect the front door. A good IDS system can be, and should be, used for
> protecting the internal resources. If a WEB server gets hacked, it would
> be great if the IDS could put on the original page and get rid of the hacked
> version. Most of the IDS systems have a basic understanding of this and can
> do some smaller tasks like this.
>
> Some do even more, like watch certain directories for changes and replace
> changes with original files. Thus the change never happens. Fewer still
> have the functionality to talk to the firewalls and write rules according to
> certain hack attempts. This one, as you might imagine, is the dangerous
> kind.
>
> But, given the right IDS system implemented in the correct way, it can be very
> lethal for the would-be hacker. I have found a direct correlation with
> "you get what you pay for" in this arena.
>
> My advice is research the commercial products out there. Find the "neat
> features" that you like. See if the freeware versions have the options you
> want and make a choice that way. The IDS system does not have to be
> certified for a specific firewall if you are not asking the IDS to write to
> the firewall (that was the dangerous option).
>
> Just my opinion, and we all know what opinions are worth.
>
> Good luck!
>
> -----Original Message-----
> From: Lance Spitzner [mailto:[email protected]]
> Sent: Friday, January 12, 2001 6:12 PM
> To: Jon Vandiveer
> Cc: [email protected]
> Subject: re: [FW1] Intrusion Detection
>
> On Fri, 12 Jan 2001, Jon Vandiveer wrote:
>
> > Currently there is only ONE certified IDS product for Checkpoint,
> > RealSecure. Check out www.opsec.com
> >
> > However I have heard that NFR (www.nfr.com) will work with Checkpoint
> >
> > Just remember that Intrusion Detection is different from Intrusion
> > Response.
> > i.e. Sn0rt does detection, but cannot Block connections; while RealSecure
> > can issue commands to FW's and routers.
>
> When dealing with Unix, one never says the word can't. It is possible
> to have snort reconfigure FW-1 rules.
>
> http://www.enteract.com/~lspitz/intrusion.html
>
> However, I would be EXTREMELY careful how you can use this feature.
>
> lance
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
Vitor Ventura
Systems Engineer
[email protected]
SIA Portugal
Tel: 218497020
<http://www.sia.pt>
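An added illustration, not part of the thread above and not any IDS product's or FW-1's own interface: the posts weigh three responses to an alert (log it, kill the one offending connection, or push a rule into the firewall) and warn that careless automated blocking is a DoS waiting to happen. The Python below is a constructed policy gate showing the guard rails that make the third option safer: low-confidence signatures never touch the firewall, a block needs repeated high-severity hits inside a window, sources on a never-block list (internal networks here) only ever get their connection reset, and every block carries a TTL so it expires. The alert stream, addresses, signature names and the `ResponseGate` class are all assumptions made for the example; 203.0.113.10 plays the customer behind a flaky ISP circuit from Tim's anecdote.

```python
"""Added example, not from the FW-1 thread: a policy gate between an IDS
and a firewall.  Everything here is constructed for illustration; it does
not call any real IDS or FW-1 interface."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds on a constructed clock
    src: str         # source address the IDS attributed the event to
    signature: str   # rule name (constructed names below)
    severity: int    # 1 (noise) .. 5 (confirmed exploit attempt)


class ResponseGate:
    """Decide, per alert, how far an automated response may go."""

    IGNORE = "ignore"             # log only
    KILL = "kill_connection"      # reset the one offending connection
    BLOCK = "block_source"        # push a temporary deny rule to the firewall

    def __init__(self, never_block, block_severity=4, repeats=3,
                 window=300.0, block_ttl=900.0):
        # Networks that may be reset but never firewalled out
        # (internal users, business partners, monitoring hosts).
        self.never_block = [ip_network(n) for n in never_block]
        self.block_severity = block_severity  # minimum severity for a rule
        self.repeats = repeats                # hits needed inside the window
        self.window = window                  # seconds
        self.block_ttl = block_ttl            # seconds a rule lives
        self._history = {}                    # src -> recent alert timestamps
        self._blocks = {}                     # src -> rule expiry time

    def _protected(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.never_block)

    def active_blocks(self, now):
        """Drop expired rules and return the sources currently blocked."""
        self._blocks = {s: exp for s, exp in self._blocks.items() if exp > now}
        return sorted(self._blocks)

    def decide(self, alert):
        self.active_blocks(alert.ts)           # expire stale rules first
        if alert.severity < 3:
            # Low-confidence matches (fragmentation oddities from a bad
            # circuit, for instance) are logged and never touch the firewall.
            return self.IGNORE
        recent = [t for t in self._history.get(alert.src, [])
                  if alert.ts - t <= self.window]
        recent.append(alert.ts)
        self._history[alert.src] = recent
        if (self._protected(alert.src)
                or alert.severity < self.block_severity
                or len(recent) < self.repeats):
            # Connection-level response only: one user, one connection.
            return self.KILL
        self._blocks[alert.src] = alert.ts + self.block_ttl
        return self.BLOCK


# Constructed alert stream.  203.0.113.10 plays the customer behind a flaky
# ISP circuit, 198.51.100.7 a persistent external attacker, 10.0.0.5 an
# internal host tripping the same signature.
SAMPLE_ALERTS = [
    Alert(0.0, "203.0.113.10", "IP_FRAG_ANOMALY", 2),
    Alert(10.0, "203.0.113.10", "IP_FRAG_ANOMALY", 2),
    Alert(20.0, "203.0.113.10", "IP_FRAG_ANOMALY", 2),
    Alert(30.0, "198.51.100.7", "WEB_CGI_EXPLOIT", 5),
    Alert(40.0, "198.51.100.7", "WEB_CGI_EXPLOIT", 5),
    Alert(50.0, "198.51.100.7", "WEB_CGI_EXPLOIT", 5),
    Alert(60.0, "10.0.0.5", "WEB_CGI_EXPLOIT", 5),
    Alert(61.0, "10.0.0.5", "WEB_CGI_EXPLOIT", 5),
    Alert(62.0, "10.0.0.5", "WEB_CGI_EXPLOIT", 5),
    Alert(1000.0, "198.51.100.7", "WEB_CGI_EXPLOIT", 5),  # after the TTL
]


def run_sample():
    """Feed the constructed stream through one gate; return decisions + gate."""
    gate = ResponseGate(never_block=["10.0.0.0/8", "192.168.0.0/16"])
    decisions = [(a.ts, a.src, gate.decide(a)) for a in SAMPLE_ALERTS]
    return decisions, gate


if __name__ == "__main__":
    for ts, src, action in run_sample()[0]:
        print(f"t={ts:7.1f}  {src:14}  {action}")
```

Running it shows the flaky-circuit customer only ever being logged, the external attacker getting two connection resets before a block, the internal host never being blocked however many times it trips the signature, and the attacker's block having expired by the time it returns at t=1000, so the counting starts over rather than the rule living forever. The thresholds and TTL are the knobs a site would tune to its own traffic and liability.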