I think that this discussion is blurring the lines on perimeter defense and in-depth, etc. here is my take on it: Put up the most secure firewall you can to prevent penetration from the outside. Use IDS to monitor internal threats and threats to partially visible areas (service networks, extranet, shared resources between business partners) - depending on who you ask the numbers may vary but the consensus is that most attacks come from inside. That is where you need to know about it and be able to take action. Very seldom is the case where you need to gather data on some Brazilian dude with a cable modem scanning you for netbus :) Jordan |---------+----------------------------> | | Crispin Cowan | | | <crispin@private| | | m> | | | Sent by: | | | owner-crime@private| | | x.edu | | | | | | | | | 08/28/2002 06:37 | | | PM | | | | |---------+----------------------------> >----------------------------------------------------------------------------------------------------------------------------------------------| | | | To: Andrew Plato <aplato@private> | | cc: crime@private | | Subject: Re: CRIME Checkpoint versus Sonicwall | >----------------------------------------------------------------------------------------------------------------------------------------------| Andrew Plato wrote: >>Yes. However, the proxy-based firewall solutions offer the ability to >>require that traffic with destination port 80 is actually http traffic, >>that traffic with destination port 143 is actually imap, traffic with >>destination port 25 is actuall smtp, etc. > > Proxy-based firewalls are also a hell of a lot slower than stateful > packet firewalls. > Except for web caching proxies, which actually accelerate performance. > They also can hide the details of the outside world, making IDSs > unusable inside your network. > Isn't it just *tragic* that the firewall is filtering the attacks to keep them on the outside :) I am truly mystified by this comment; keeping attacks out is a *good* thing. If you want to see what's going on outside, put your IDS sensor out there. Just be prepared to put up with a *lot* of noise. Or just get rid of the firewall, you weren't using it anyway :) > Personally, I find that a good stateful firewall can filter out all > the junk and handle authentication and monitoring. And then a well > tuned IDS can focus in on the traffic and what it is trying to do. The > two working together can form a rather significant barrier to hacker > scum. It also creates a "separation of duties" the firewall does its > job and the IDS does its job. You don't have one unit (hence a single > point of failure) trying to do both. > No, you have two points of failure, and if either of them fails, you become insecure. This is not an improvement over the single point of failure. > Again, this is all a matter of configuration, management, and use. > Poorly implemented, an active response IDS can cause trouble > regardless of who makes it. Properly implemented, it can really cut > down on attacks. > Even properly implemented, an IDS causes a great deal of noise and requires expert human monitoring. You can either hire analysts to do it, or you can hire an outsourcing company to monitor your IDS. But if you deploy an IDS and then largely ignore it, you get zero value. > One other thing to consider the type of IDS. Most IDSs are merely > pattern recognition engines. They see a pattern, they block based on a > rule fed into the system. The IDS's I support and use are full-on > protocol analyzers. They know the difference between an email with an > attachment and HTTP traffic - and can make intelligent decisions about > that traffic based on their rules. These IDSs know that an email with > the letters "AAAAAA" repeated are not a threat, but an HTTP payload > with code red attributes is. Also, spoofing is an issue that any > system would have problems with. And generally you setup an IDS with > policies to ensure internal addresses are treated differently than > external addresses. > That degree of protocol analysis sounds an awful lot like a proxy firewall. > Once again, this is an area where Snort is extremely difficult to use > because there is no centralized policy creation and management system > as well as a reporting mechanism. Something that virtually all the > commercial products - even Sourcefire's commercial product - has. > Effective IDS is fundamentally a signature subscription business, so you are better off getting your IDS from a commercial supplier, even if the product has an open source basis. >> This is actually one of my bigger complaints with Snort. As capable as >> it is, it has no integrated response capabilities other than to shoot >> off alerts. You'd have to custom build a response mechanism for it, >> which isn't easy. > >>_http://hogwash.sourceforge.net/_ > > Hogwash is pretty good, but have you ever actually put one in place? > Its no easy task. Its takes months to tune the system, and it is still > worthless against day zero exploits. > ALL IDS's are worthless against zero day exploits. Anyone who tells you different is smoking their marketing literature :) Furthermore, IDS's can be trivially fooled into not detecting even old attacks with packet fragmentation tricks (see "SnortFrag"). > It also must operate in-line, which means performance degradation. > ALL "blocking" IDS's (signature firewalls) must operate in-line, degrading performance. > Also the active response features in Snort are very limited in > capability and require the user to go through every new signature and > assign a response. That can take a very, very long time. > Which is what commercial vendors are for. > The IDSs I use are passive, taps that can respond with RST packets - > hence no performance degradation. > Which won't save you from attacks that hit with a single packet. > The Guard unit I mentioned is an in-line solution. But on the right > platform, it sings. Considering its the same engine that ISS uses for > their Gigabit IDSs > It seems like you are way over-stating the effectivenss of IDS's. IDS's are a good force-multiplier for an organization committed to human intrusion monitoring. They are not assured to even detect attacks that they have a signature for. They *are* assured to generate noisy false positive reports that humans have to sift. They are no substitute for effective security, only an incremental improvement. On the other hand, IDS's sure do create a lot of activity. Graphs, trends, exciting/eleet action. If your goal is to *look* like you're doing something about security, then IDS's are great! :-) Perhaps that's why they get so much attention right now. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 14:00:31 PDT