RE: Odd scans and stuff bouncing off firewalls

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Tue Aug 13 2002 - 17:10:18 PDT

  • Next message: Robert Buckley: "RE: Subseven Scans"

    > -----Original Message-----
    > From: Craig Billado [mailto:billadocat_private]
    > Sent: Wednesday, 14 August 2002 3:20 AM
    > Cc: incidentsat_private
    > Subject: Re: Odd scans and stuff bouncing off firewalls
    > Nexus,
    > I agree that there is a lot of overhead maintaining external 
    > IDS sensors.
    > In the event that the "filtering device" fails, however, 
    > subsequent attacks
    > into and through the DMZ may be difficult to detect without them.
    [snip sweet comment :-]
    > If you feel that
    > the border firewall is impervious to attack or compromise -- 
    > moreover, that 
    > the internal sensors are equipped to detect the consequences 
    > thereof --
    > then I suppose an external sensor can be dismissed. 
    > Otherwise, I'd keep one
    > out there on the wild-side.
    This has all the hallmarks of a religious debate eh..
    I've thought long and hard about this and FWIW, the 
    conclusion I came up with was this.
    IDS is designed to "detect" intrusions which seems to 
    imply that it goes behind the devices designed to "block" them, 
    else you are installing "Attempted Intrusion Detection Systems".  
    Hmmm, I don't think I want to add that to my CV ;-)
    A perimeter normally consists of multiple security devices
    including an external filter (router) and internal, much
    smarter firewall.  So where would you put the external
    sensor if you want to see all attack attempts aimed at
    Between the firewall and the filter?  But then it would 
    miss most of the port scans if the filter is doing its job.
    Outside the filter?  But then you are basically just gathering
    stats and dshield already does a brilliant job here.
    Each to their own of course.  I can see a need to install 
    an external sensor if your business is network security as 
    you need to test the efficiency of the IDS sensor, but you are 
    just making a rod for you own back if you install them outside 
    an ordinary corporate network.  
    In any case, logs from the filter and firewall will normally
    give you most of the data you want.
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 09:11:13 PDT