Mark Horn [ Net Ops ] wrote:

> Can't this be done with two firewalls in series? Both firewalls would
> have the same rule set, with one exception. The outer firewall has a
> default deny rule that simply drops stuff. The inner firewall has a
> default deny rule that drops stuff, and sets off an alarm to the
> administrators. If the administrators ever get an alarm from the inner
> firewall, they know that the outer firewall is permitting things it
> shouldn't, or that the rulesets are out of sync. This could even be done,
> crudely, with a router as the outer firewall.

That sounds like it'd work great. Several times I've suggested that folks do exactly that kind of thing, usually relying on screening/logging on routers behind the firewall, to detect apparent policy mismatches between what the firewall should be allowing and what it is allowing.

> This is not, by any means, perfect. But isn't this a rudimentary policy-based IDS?

Sure is!!! Based on some discussions I've had offline I'm going to stop using the "policy" word around IDS' and call them "burglar alarms" instead. It really *IS* a burglar alarm model: you know what shouldn't happen and you look for and alarm for it. That's much more of a true "intrusion detection" than an "attack detection" because the burglar alarm will not fire unless there's a clear violation of what you expect to be seeing. The effectiveness of burglar alarms will be bounded at the top end by the user's ability to clearly state what should and should not be going on within their network.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
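The two-firewalls-in-series "burglar alarm" described in this thread, written up as an added simulation (example code, not from either poster): both firewalls carry the same first-match ruleset with an implicit default deny; the outer one drops silently, the inner one raises an alarm on every default-deny hit, since any packet it has to drop is one the outer firewall should never have passed. The ruleset, addresses and the leftover "allow tcp/23" that plays the role of ruleset drift are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation; anything not explicitly allowed is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit default deny at the end of every ruleset


def run_series(outer: List[Rule], inner: List[Rule],
               traffic: List[Packet]) -> Tuple[List[Packet], List[Packet], List[str]]:
    """Push traffic through the outer firewall, then the inner one.

    Returns (delivered, outer_dropped, alarms). The outer default deny is
    silent; the inner default deny is the burglar alarm: it only fires for
    traffic that the shared policy says should never have reached it.
    """
    delivered, outer_dropped, alarms = [], [], []
    for pkt in traffic:
        if evaluate(outer, pkt) != "allow":
            outer_dropped.append(pkt)          # expected, silent
            continue
        if evaluate(inner, pkt) != "allow":
            alarms.append(
                f"ALARM: inner firewall dropped {pkt.proto}/{pkt.dport} "
                f"from {pkt.src} to {pkt.dst} that the outer firewall allowed")
            continue
        delivered.append(pkt)
    return delivered, outer_dropped, alarms


def ruleset_drift(outer: List[Rule], inner: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules present on one firewall but not the other (order preserved).

    An alarm from the inner firewall means either the outer box is passing
    something the policy forbids or the two rulesets have drifted apart;
    this comparison tells the administrators which case they are in.
    """
    only_outer = [r for r in outer if r not in inner]
    only_inner = [r for r in inner if r not in outer]
    return only_outer, only_inner


# Constructed policy: the only things allowed inbound are web and DNS.
POLICY = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "udp", 53),
]

# Constructed drift: someone left an extra telnet allow on the outer firewall.
OUTER_RULES = POLICY + [Rule("allow", "tcp", 23)]
INNER_RULES = list(POLICY)

# Constructed traffic sample (documentation addresses, RFC 5737).
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80),    # allowed by both
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),    # slips past outer, inner alarms
    Packet("198.51.100.7", "192.0.2.10", "tcp", 3389),  # dropped silently by outer
]


def demo() -> Tuple[List[Packet], List[Packet], List[str]]:
    """Run the constructed traffic through the drifted pair of firewalls."""
    return run_series(OUTER_RULES, INNER_RULES, TRAFFIC)


if __name__ == "__main__":
    delivered, dropped, alarms = demo()
    print(f"delivered: {[p.dport for p in delivered]}")
    print(f"outer dropped silently: {[p.dport for p in dropped]}")
    for line in alarms:
        print(line)
    print("drift (only on outer, only on inner):", ruleset_drift(OUTER_RULES, INNER_RULES))
```

With identical rulesets the inner firewall never fires, which is exactly the property that makes the alarm meaningful: it is bounded by how precisely the policy is written, not by any knowledge of attacks.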
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:44 PDT