On Wed, Aug 28, 2002 at 01:33:36PM -0700, Andrew Plato wrote:
> > Money, scalability, speed: very nice. Uh, what about security? The
> > Symantec product is a "hybrid" firewall (i.e. uses proxies) while
> > the others are packet filters. IMHO, that adds security value.
>
> When it comes to security, I firmly believe that 75% to 90% of
> security is in the configuration, management, and use of a product,
> not the product itself. All of these firewalls can offer an
> exceptional amount of security - provided they are implemented, used,
> and managed in a secure manner.

Yes. However, the proxy-based firewall solutions offer the ability to
require that traffic with destination port 80 is actually http traffic,
that traffic with destination port 143 is actually imap, traffic with
destination port 25 is actually smtp, etc.

> Furthermore, not all IDS's are passive - "ruin your weekend" - type of
> systems. Some IDSs can also kill intrusions at the host, on the
> network, or at the gateway.

I tend to think of the active response-oriented IDS systems as the sort
that will wreck your whole day on occasion. I don't yet feel that we are
to the point that automated responses to "hacks" are a good idea -- what
about emails discussing code red, or someone retrieving files over http
that reference bind exploits .. will your IDS system think that the
embedded payload is malicious or not? What happens when active attackers
start sending bogon packets with spoofed sources that cause your system
to send RSTs to legitimate connections?

> This is actually one of my bigger complaints with Snort. As capable as
> it is, it has no integrated response capabilities other than to shoot
> off alerts. You'd have to custom build a response mechanism for it,
> which isn't easy.

http://hogwash.sourceforge.net/

--
Too bad life doesn't have a :q! command.
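The reply's point about proxy firewalls (a packet filter decides on destination port alone, a proxy can also require that port-80 traffic really is HTTP, port-25 SMTP, port-143 IMAP) as an added Python example; it is not code from the thread or from any product named in it, and the per-port patterns, the ruleset and the sample flows are constructed approximations for illustration.

```python
import re

# Constructed approximations of each protocol's first client message, keyed by
# the destination port a packet filter would match on. These are illustrative
# patterns, not full parsers: a real proxy validates the whole session.
_HTTP_METHODS = rb"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT)"
CLIENT_OPENERS = {
    80: re.compile(rb"^" + _HTTP_METHODS + rb" \S+ HTTP/1\.[01]\r\n"),
    25: re.compile(rb"^(?:EHLO|HELO) [^\r\n]+\r\n", re.IGNORECASE),
    143: re.compile(rb"^[A-Za-z0-9]+ (?:CAPABILITY|LOGIN|AUTHENTICATE|STARTTLS|NOOP|LOGOUT)\b",
                    re.IGNORECASE),
}

ALLOWED_PORTS = {25, 80, 143}  # hypothetical packet-filter ruleset: port only

def packet_filter_verdict(dst_port):
    """What a plain packet filter decides: it never looks past the port number."""
    return "allow" if dst_port in ALLOWED_PORTS else "drop"

def proxy_verdict(dst_port, first_client_bytes):
    """What a proxy-style check decides from the client's opening bytes.

    For SMTP and IMAP the server speaks first, so first_client_bytes is the
    client's first message after the server greeting."""
    if dst_port not in ALLOWED_PORTS:
        return "drop"
    pattern = CLIENT_OPENERS.get(dst_port)
    if pattern is None:
        return "allow"            # no conformance check registered for this port
    return "allow" if pattern.match(first_client_bytes) else "drop"

# Constructed sample flows: (dst_port, client's opening bytes)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_3.4\r\n"),           # non-HTTP protocol on port 80
    (25, b"EHLO mail.example.net\r\n"),
    (143, b"a001 LOGIN user secret\r\n"),
    (143, b"GET / HTTP/1.0\r\n\r\n"),           # HTTP where IMAP is expected
    (22, b"SSH-2.0-OpenSSH_3.4\r\n"),           # port not in the ruleset at all
]

def compare(flows=SAMPLE_FLOWS):
    """Return [(port, packet_filter_verdict, proxy_verdict)] for each flow."""
    return [(p, packet_filter_verdict(p), proxy_verdict(p, b)) for p, b in flows]

if __name__ == "__main__":
    for port, pf, px in compare():
        print("port %3d  packet-filter=%-5s  proxy=%s" % (port, pf, px))
```

The two port-80 and two port-143 flows get identical verdicts from the packet filter and different ones from the proxy check, which is exactly the gap the reply describes.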
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 16:04:27 PDT