RE: Odd scans and stuff bouncing off firewalls

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Tue Aug 13 2002 - 17:10:18 PDT

Next message: Robert Buckley: "RE: Subseven Scans"

Previous message: Jonathan Rickman: "Re: RPC scans"
Maybe in reply to: Nexus: "Odd scans and stuff bouncing off firewalls"
Next in thread: Robert Buckley: "RE: Subseven Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

> -----Original Message-----
> From: Craig Billado [mailto:billadocat_private]
> Sent: Wednesday, 14 August 2002 3:20 AM
> Cc: incidentsat_private
> Subject: Re: Odd scans and stuff bouncing off firewalls
> 
> Nexus,
> 
> I agree that there is a lot of overhead maintaining external 
> IDS sensors.
> In the event that the "filtering device" fails, however, 
> subsequent attacks
> into and through the DMZ may be difficult to detect without them.

[snip sweet comment :-]

> If you feel that
> the border firewall is impervious to attack or compromise -- 
> moreover, that 
> the internal sensors are equipped to detect the consequences 
> thereof --
> then I suppose an external sensor can be dismissed. 
> Otherwise, I'd keep one
> out there on the wild-side.

This has all the hallmarks of a religious debate eh..

I've thought long and hard about this and FWIW, the 
conclusion I came up with was this.

IDS is designed to "detect" intrusions which seems to 
imply that it goes behind the devices designed to "block" them, 
else you are installing "Attempted Intrusion Detection Systems".  
Hmmm, I don't think I want to add that to my CV ;-)

A perimeter normally consists of multiple security devices
including an external filter (router) and internal, much
smarter firewall.  So where would you put the external
sensor if you want to see all attack attempts aimed at
you?  

Between the firewall and the filter?  But then it would 
miss most of the port scans if the filter is doing its job.

Outside the filter?  But then you are basically just gathering
stats and dshield already does a brilliant job here.


Each to their own of course.  I can see a need to install 
an external sensor if your business is network security as 
you need to test the efficiency of the IDS sensor, but you are 
just making a rod for you own back if you install them outside 
an ordinary corporate network.  

In any case, logs from the filter and firewall will normally
give you most of the data you want.

ciao



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Robert Buckley: "RE: Subseven Scans"
Previous message: Jonathan Rickman: "Re: RPC scans"
Maybe in reply to: Nexus: "Odd scans and stuff bouncing off firewalls"
Next in thread: Robert Buckley: "RE: Subseven Scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 09:11:13 PDT