I know that I'm kicking a dead horse, but just one question...

Marcus J. Ranum says:

> What's interesting in this example (the firewall) is the
> assumption that your IDS can understand what "correct" behavior
> of the firewall is. What that means is that you'd be able to
> invert the firewall's policy, or somehow have an IDS that was
> coupled to your understanding of what should and should not
> work through the firewall. That's what I've been calling this
> "policy-based IDS" stuff: when you know a priori what should and
> shouldn't happen and look for cases where what shouldn't happen
> is happening.

Can't this be done with two firewalls in series? Both firewalls would have the same rule set, with one exception. The outer firewall has a default deny rule that simply drops stuff. The inner firewall has a default deny rule that drops stuff and sets off an alarm to the administrators.

If the administrators ever get an alarm from the inner firewall, they know that the outer firewall is permitting things it shouldn't, or that the rulesets are out of sync.

This could even be done, crudely, with a router as the outer firewall.

This is not, by any means, perfect. But isn't this a rudimentary policy-based IDS?

-- 
Mark Horn <mhornat_private>
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
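The two-firewalls-in-series scheme described in the post, as an added simulation (not code from the post or from any firewall product): both firewalls share one whitelist, the outer one drops silently on default deny, the inner one drops and alarms, so any alarm proves the outer firewall let through something it should not have or that the rule sets have drifted. The rule format, packet fields and sample addresses are constructed assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """An accept rule; anything no rule matches falls through to default deny."""
    proto: str
    dport: int


def permitted(rules, pkt):
    """Whitelist match: any matching accept rule permits, otherwise default deny."""
    return any(r.proto == pkt.proto and r.dport == pkt.dport for r in rules)


def run_in_series(outer_rules, inner_rules, packets):
    """Pass packets through the outer, then the inner firewall.

    Outer default deny: silent drop. Inner default deny: drop plus alarm, because a
    packet can only reach the inner firewall if the outer one accepted it.
    Returns (delivered_packets, alarm_messages).
    """
    delivered, alarms = [], []
    for pkt in packets:
        if not permitted(outer_rules, pkt):
            continue  # outer firewall: default deny, no alert raised
        if permitted(inner_rules, pkt):
            delivered.append(pkt)
        else:
            alarms.append(f"ALARM inner default-deny: {pkt.proto}/{pkt.dport} from {pkt.src}")
    return delivered, alarms


# Constructed sample data (RFC 5737 documentation addresses, hypothetical rule set).
SHARED_RULES = [Rule("tcp", 80), Rule("tcp", 443), Rule("udp", 53)]
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
    Packet("203.0.113.7", "192.0.2.53", "udp", 53),
]


def demo_in_sync():
    """Identical rule sets: nothing ever reaches the inner default deny."""
    return run_in_series(SHARED_RULES, SHARED_RULES, SAMPLE_PACKETS)


def demo_drifted():
    """tcp/23 was opened on the outer firewall only: the inner firewall alarms."""
    return run_in_series(SHARED_RULES + [Rule("tcp", 23)], SHARED_RULES, SAMPLE_PACKETS)


if __name__ == "__main__":
    for name, fn in (("in sync", demo_in_sync), ("drifted", demo_drifted)):
        delivered, alarms = fn()
        print(f"{name}: delivered={len(delivered)} alarms={alarms}")
```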
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:43 PDT