Andrew Plato wrote:

> > Money, scalability, speed: very nice. Uh, what about security? The Symantec product is a "hybrid" firewall (i.e. uses proxies) while the others are packet filters. IMHO, that adds security value.
>
> When it comes to security, I firmly believe that 75% to 90% of security is in the configuration, management, and use of a product, not the product itself.

That depends on the product. Some products (cars, hammers, guns) are much easier to use badly than others (band-aids, apples, plush toys).

A firewall, in particular, is a configuration engine, so in this case its correct configuration is critical to its security. However, the *expressiveness* of the configuration engine strongly impacts the correctness of the configuration: a proxy firewall tends to "fail closed", causing lack of network access. A packet filter tends to "fail open", tending to create security vulnerabilities.

> > That is also a role for secure operating systems (our products). IDS just tell you that you've just been had, and you're about to have a bad weekend :)
>
> Yes, I agree. There is a place for secure operating systems. But IDS can start to deliver information about what's going on, on your network. Firewalls and secure OS components may keep hackers out. But an IDS has the unique job of telling you if anybody is even trying. Moreover, good IDSs have the capability to archive intrusion data, hence giving you evidence of an intrusion.

True. But you have to be willing to invest the effort in hiring security analysts to look at the data the IDS is generating.

> Furthermore, not all IDSs are passive - "ruin your weekend" - type of systems. Some IDSs can also kill intrusions at the host, on the network, or at the gateway.

Elsewhere <http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012771.html>, I have *vehemently* argued that "blocking IDS" (also known as "intrusion prevention" or "inline IDS") are *bullshit* terms designed to distract customers from the fact that this IDS is now acting in the capacity of either a firewall (for "blocking" NIDS) or secure operating system (for "blocking" HIDS). The problem is that IDS are flaky: they have a significant false-positive rate. If you turn an IDS into a blocking IDS, you either get a huge false-positive problem (if you think Raptor's proxies are fussy, you ain't seen nothin' yet) or you have to turn the IDS's sensitivity *way* down. People should be aware of what they are buying: "blocking NIDS" should be properly called "signature firewalls", and compared against firewall solutions. To some extent, industry is now recognizing this; Netscreen (a firewall vendor) is acquiring OneSecure (an IDS vendor) to produce an integrated gateway solution. At least it will be recognizable as a firewall with IDS stuff in it.

> This is actually one of my bigger complaints with Snort. As capable as it is, it has no integrated response capabilities other than to shoot off alerts. You'd have to custom build a response mechanism for it, which isn't easy.

You should check out Inline Snort (nee Hogwash). This is precisely what you describe: Snort with blocking capability, basically Snort acting as a nifty, signature-based firewall. As above, they turned the sensitivity of Snort way down, so that it only blocks things that they are damned sure are intrusions.

> Clearly there is a place for all these products. The real question in many people's minds is: what is necessary and what can I afford? That's a much harder question to answer.

Agreed. But IMHO IDS is on the expensive end of the spectrum. Not because the technology is expensive (Snort is free, and arguably better than most commercial solutions) but because of the expense of the human incident analysts necessary to get any value out of IDS. IDSs are just machines that spit out lists of suspicious events; you have to have humans monitor them, or you might as well not bother. If you just want moderate, affordable security, stick strictly to preventive technologies (firewalls, strong authentication, VPNs, vulnerability scanners, and secure OSs) and leave the IDSs to people with money to burn on security.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
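To make the "fail open" versus "fail closed" contrast from the message above concrete, here is an added example (not from the original thread, nor code from any product named in it) that models a first-match packet filter whose unmatched traffic hits an implicit default, next to a proxy engine that only forwards services it has a proxy for. The `Conn` type, the rule table, the proxy table and the probe traffic are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """A constructed inbound connection attempt: protocol and destination port."""
    proto: str
    dst_port: int


# Constructed first-match packet-filter ruleset. The administrator meant to
# admit only HTTP and SMTP, but the list has no terminating deny rule, so
# anything unmatched falls through to the filter's built-in default.
PACKET_FILTER_RULES = [
    ("allow", "tcp", 80),
    ("allow", "tcp", 25),
]


def packet_filter(conn: Conn, rules=PACKET_FILTER_RULES, default: str = "allow") -> str:
    """Evaluate rules top to bottom; the first match wins. A rule's proto may be
    "*" and its port None to match anything. Unmatched traffic gets `default`,
    which is exactly where a filter "fails open" if that default is "allow"."""
    for action, proto, port in rules:
        if proto in ("*", conn.proto) and port in (None, conn.dst_port):
            return action
    return default


# Constructed proxy table: the only way through a proxy firewall is an
# application proxy configured for that service. Nothing else has a code
# path to the inside, so an unanticipated service is refused ("fails closed").
PROXIES = {("tcp", 80): "http-proxy", ("tcp", 25): "smtp-proxy"}


def proxy_firewall(conn: Conn, proxies=PROXIES) -> str:
    return "allow" if (conn.proto, conn.dst_port) in proxies else "deny"


def fail_open_gaps(conns, rules=PACKET_FILTER_RULES) -> list:
    """Connections the packet filter admits only because nothing matched,
    i.e. decisions made by the implicit default rather than by written policy."""
    return [c for c in conns
            if packet_filter(c, rules) == "allow"
            and packet_filter(c, rules, default="deny") == "deny"]


if __name__ == "__main__":
    # Constructed traffic: the two intended services plus telnet, for which
    # nobody wrote a rule.
    probes = [Conn("tcp", 80), Conn("tcp", 25), Conn("tcp", 23)]
    for c in probes:
        print(f"{c.proto}/{c.dst_port}: filter={packet_filter(c)} proxy={proxy_firewall(c)}")
    print("admitted only by the implicit default:", fail_open_gaps(probes))
    # Making the policy explicit closes the gap: append a catch-all deny rule.
    print("with explicit final deny:", fail_open_gaps(probes, PACKET_FILTER_RULES + [("deny", "*", None)]))
```

The check in `fail_open_gaps` is the audit a reviewer can run against a real ruleset: any decision that flips when the default is changed was never made by policy at all.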
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 17:24:28 PDT