Re: The devil's in the details

From: David Lang (dlangat_private)
Date: Wed Jul 14 1999 - 09:09:24 PDT

    1. All traffic to the internet goes through the firewall. 
    
    2. Most of the non-internet traffic hits one of our internal servers. 
    
    This allows us to cover all this traffic with host based systems on the
    firewalls and internal servers.
    
    This still has a gap in coverage in that there is no way to prevent an
    attack from one desktop to another (i.e. customer service attacking the
    CEO's desktop).
    
    As for the performance, etc. of running a full IDS system on the firewall:
    
    The performance issue can be dealt with by buying a bigger machine for the
    firewall (in our case the bandwidth isn't that high) and the security
    issue is a trade-off and a judgement call as to how much you trust the IDS
    system. IMHO you _really_ need to be able to trust your IDS system as much
    as you do your firewalls or you are wasting your time putting it in.
    
    David Lang
    
    On Wed, 14 Jul 1999, Lance Spitzner wrote:
    
    > Date: Wed, 14 Jul 1999 11:49:24 -0400 (EDT)
    > From: Lance Spitzner <spitznerat_private>
    > To: David Lang <dlangat_private>
    > Cc: Matt Dunn <mattat_private>, firewall-wizardsat_private
    > Subject: Re: The devil's in the details
    > 
    > On Tue, 13 Jul 1999, David Lang wrote:
    > 
    > > I am in a similar situation and decided that the only way to do IDS was to
    > > bite the bullet and put host-based IDS on each of my internal servers.
    > > This will not protect one desktop from being hacked by another, but will
    > > protect my servers (and yes it can get VERY expensive)
    > 
    > You can do simple IDS with your firewall.  Since all traffic goes through
    > there (assumption), this is a good place to start.  You can't fire up a
    > serious IDS system, such as NFR or Real Secure, because of performance
    > and potential security issues (the less on the FW, the better).  However,
    > you can set up basic FW rules and/or log filters that detect port scans
    > and network sweeps.  This won't catch everybody, but it is a great place
    > to start.  If nothing else, show management all the scans/sweeps you
    > are detecting to validate the need ($$$) for a real IDS system.
    > 
    > I've had great success doing this with FW-1.
    > 
    > Lance Spitzner
    > http://www.enteract.com/~lspitz/papers.html
    > Internetworking & Security Engineer
    > Dimension Enterprises Inc
    > 
    > 
    
    "If users are made to understand that the system administrator's job is to
    make computers run, and not to make them happy, they can, in fact, be made
    happy most of the time. If users are allowed to believe that the system
    administrator's job is to make them happy, they can, in fact, never be made
    happy." 
    -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
    
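Lance's suggestion in the quoted reply, a basic firewall log filter that flags port scans and network sweeps, as an added example that is not from the thread and not FW-1 code; the log format and sample lines are constructed, and the one-minute window and thresholds of five are assumed values to tune per site:

```python
# Added example, not from the thread or from FW-1: a log filter that flags
# port scans and network sweeps in firewall drop logs. Log format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso-time> drop <src> <dst> <dport>", one denied packet per line.
SAMPLE_LOG = """\
1999-07-14T09:00:01 drop 10.1.2.3 192.0.2.10 21
1999-07-14T09:00:02 drop 10.1.2.3 192.0.2.10 22
1999-07-14T09:00:02 drop 10.1.2.3 192.0.2.10 23
1999-07-14T09:00:03 drop 10.1.2.3 192.0.2.10 25
1999-07-14T09:00:04 drop 10.1.2.3 192.0.2.10 80
1999-07-14T09:05:00 drop 10.9.9.9 192.0.2.1 139
1999-07-14T09:05:01 drop 10.9.9.9 192.0.2.2 139
1999-07-14T09:05:01 drop 10.9.9.9 192.0.2.3 139
1999-07-14T09:05:02 drop 10.9.9.9 192.0.2.4 139
1999-07-14T09:05:02 drop 10.9.9.9 192.0.2.5 139
1999-07-14T09:30:00 drop 10.5.5.5 192.0.2.10 80
"""

def parse(text):
    """Yield (time, src, dst, dport) for each dropped packet in the log."""
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split()
        if action == "drop":
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect(text, window=timedelta(seconds=60), port_thr=5, host_thr=5):
    """Return {src: set of 'portscan'/'sweep'}: >= port_thr distinct ports on one
    host, or >= host_thr distinct hosts on one port, within the window (assumed
    values; tune per site)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(parse(text)):
        by_src[src].append((ts, dst, dport))
    alerts = defaultdict(set)
    for src, evs in by_src.items():
        start = 0  # sliding window over this source's time-ordered events
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_on_host, hosts_on_port = defaultdict(set), defaultdict(set)
            for _, dst, dport in evs[start:end + 1]:
                ports_on_host[dst].add(dport)
                hosts_on_port[dport].add(dst)
            if any(len(p) >= port_thr for p in ports_on_host.values()):
                alerts[src].add("portscan")
            if any(len(h) >= host_thr for h in hosts_on_port.values()):
                alerts[src].add("sweep")
    return dict(alerts)
```

Run on the sample, `detect(SAMPLE_LOG)` reports the first source as a port scan and the second as a sweep while the single benign drop raises nothing; the same counting can be done against real drop logs once `parse` is adapted to the firewall's own format.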

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:14 PDT