Nexus,
I agree that there is a lot of overhead maintaining external IDS sensors.
In the event that the "filtering device" fails, however, subsequent attacks
into and through the DMZ may be difficult to detect without them.
Unfortunately, most architectures are not unlike a good dessert bar:
"crunchy on the outside, chewy on the inside." If an attacker can get
through the perimeter, subsequent attacks are often easily hidden and
poorly defended against. During certain investigations, I have found the
logs from external sensors to be helpful in this regard. If you feel that
the border firewall is impervious to attack or compromise -- moreover, that
the internal sensors are equipped to detect the consequences thereof --
then I suppose an external sensor can be dismissed. Otherwise, I'd keep one
out there on the wild-side.
Sincerely,
Craig L. Billado, CISSP
There are 10 kinds of people in the world: those who understand binary, and
those who don't.
[DISCLAIMER: Craig's opinions do not necessarily represent those if IBM,
its subsidiaries or business partners.]
"Nexus"
<nexusat_private-w To: <incidentsat_private>
ay.co.uk> cc:
Subject: Odd scans and stuff bouncing off firewalls
08/13/2002 09:57
AM
Just a quick straw poll to see if anyone has any hard data that supports
the
logging and analysis of traffic that bounces off of filtering devices as
part of a business security plan ? Other than generating attack metrics
to
wave under the noses of senior managment at budget time, is there any
definite _business_ requirement to have IDS sensors outside the firewall or
firewall "drop" logs et al regularly examined in the context of "external"
attack sources ?
"We defended against X bazillion hack attacks last year so we need a
bigger
budget for more stuff.."
BableFish (H2G2 version) : "Tons of port scans and worms from non
accountable netblocks bounced off of the firewall"
I don't bother to chase anything from anywhere unless it makes it through
the filters because I could care less and it would IMHO purely be a time
sink and even then only if it's from a netblock that has a whois abuse@
entry. As I said, this is purely my own view, on my own network knowing
the sheer amount of background radiation on the internet, so I would
appreciate some other points of view.
Cheers.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 11:24:25 PDT