Focus on IDS
Is IDS/IPS worthless? Feb 20 2004 04:31PM
Andrew Plato (aplato anitian com) (12 replies)
Re: Is IDS/IPS worthless? Feb 23 2004 06:35PM
SecurIT Informatique Inc. (securit iquebec com) (1 replies)
RE: Is IDS/IPS worthless? Feb 23 2004 10:29PM
Martin (mleroux lincsat com)
RE: Is IDS/IPS worthless? Feb 23 2004 05:38PM
Wolfpaw - Dale Corse (admin-lists wolfpaw net)
Re: Is IDS/IPS worthless? Feb 23 2004 02:35PM
Pablo Scherer (pablo_scherer yahoo com)
RE: Is IDS/IPS worthless? Feb 23 2004 11:02AM
Oscar Kooijman (oscar kooijman chello nl)
Re: Is IDS/IPS worthless? Feb 21 2004 11:53PM
Olaf Gellert (og pre-secure de) (2 replies)
Re: Is IDS/IPS worthless? Feb 23 2004 11:24PM
Mike Hoskins (mike adept org)
Re: Is IDS/IPS worthless? Feb 23 2004 08:09PM
SecurIT Informatique Inc. (securit iquebec com) (2 replies)
Re: Is IDS/IPS worthless? Feb 24 2004 04:35PM
Xiaoyong Wu (xwu anr mcnc org) (1 replies)
Hi, Adam and all,

I kind of have a different view on firewalls vs. IDS/IPS.

Let's take a look at the real world. We have walls around buildings and
houses, and we also have those monitoring devices outside of the walls
and inside of the walls. It is clear that those walls in the real world
block burglars, but it is arguable if those monitoring devices are worth
it. Every house has a wall and everyone knows it works. It is much
harder for those security device companies to prove their home
monitoring devices to people.

Now, let's look at the Internet world. We have firewalls and IDS/IPS. It
is much clearer for people to see the work that firewalls have done and it
is the same doubt in people's mind on IDS/IPS as those security
monitoring devices. One thing we kind of ignored here is the human
behind the monitoring devices. When we are shopping for a home security
service, we are not just looking at those devices those companies install
but also how the company takes care of the output from those devices. The
same issue exists for the IDS/IPS devices. The system admin or security
admin behind the IDS/IPS devices has to be considered. Without a
skillful security guy looking at the outputs from the IDS/IPS, the
IDS/IPS is almost worthless as a monitoring device without real people
looking at the monitors. IDS/IPS is valuable when the output from them
is investigated and watched.

Just my 2 cents.
Thanks,
-Xiaoyong

On Mon, 2004-02-23 at 15:09, SecurIT Informatique Inc. wrote:
> At 06:53 PM 21/02/2004, Olaf Gellert wrote:
>
> >Hi Andrew and all,
> >
> >Well, it seems to be like this: If you buy a firewall, you buy
> >a definite plus in security. Even if you have to open it for
> >some more ports than you would like, each blocked packet
> >is a plus of security. If you install an IDS, you have nothing.
> >You have a system that gathers huge amounts of information.
> >This information has to be evaluated and so on, so the system
> >does not add to your security in the first place, but it
> >generates additional workload.
> >
> >It is even worse: The system does not make people feel
> >better (like a firewall), but it may show you all the
> >dangers coming from the net and the vulnerability of
> >your own network. So a big part of this is simple
> >psychology.
>
> Well, shoot me if I'm wrong, but putting the NIDS sensor behind the
> firewall instead of in front of it (as you seem to imply) should BOTH
> reduce the numbers of "dangers" that you should normally care about (since
> the FW already blocks the ones we don't have to care about), and fill in the
> gap left by the false sense of security firewalls give (a firewall makes
> people feel better, that has to be the worst reason I ever heard to
> purchase a firewall) by applying intrusion detection techniques to the
> traffic that the firewall has let pass thru. Because firewalls let traffic
> pass thru, or else you wouldn't need a firewall at all since you'd be
> better off without an Internet connection. They just block traffic
> according to some rules in order to give access to some network services,
> and it is on the traffic related to these services that attention should be
> put on.
>
> So in this regard, I think it is pretty doubtful to claim that with IDS,
> you have nothing and you just have a bigger workload. I think you
> involuntarily demonstrated one of the biggest issues with IDS, a lack of
> understanding of how the technology is to be applied, and how it is all
> inter-related and maintained.
>
> If I were to prove my point of view with a metaphor, I'd say that your
> claim is like saying :"I've just purchased a new car, but I don't have a
> driver's license and never read the car's manual, but it's no big deal, I
> can drive it all right. I've noticed I have a button to switch headlights
> on, but I don't need it to drive at night and I think it's just a waste of
> battery power, I can see all right at night from the lightposts and the
> lights from the other cars."
>
> I'm not downplaying the role of firewalls here, but thinking they are
> sufficient by themselves still in 2004 is just asking for a reality check.
>
> My 2 cents.
>
> Adam Richard
--
-----------------------------------
Network Research Engineer, 919.248.1469
Advanced Network Research Group, MCNC-RDI xwu (at) anr.mcnc (dot) org

Re: Is IDS/IPS worthless? Feb 25 2004 03:42AM
Michael Stone (mstone mathom us)
Re: Is IDS/IPS worthless? Feb 23 2004 10:48PM
Olaf Gellert (og pre-secure de) (1 replies)
Re: Is IDS/IPS worthless? Feb 24 2004 03:19AM
SecurIT Informatique Inc. (securit iquebec com)
Re: Is IDS/IPS worthless? Feb 21 2004 09:04PM
Andy Cuff (lists securitywizardry com) (1 replies)
Re: Is IDS/IPS worthless? Feb 23 2004 11:12PM
Mike Hoskins (mike adept org)
Re: Is IDS/IPS worthless? Feb 21 2004 03:40PM
Michael Stone (mstone mathom us)
RE: Is IDS/IPS worthless? Feb 21 2004 03:13PM
Brian Taylor (drak3 attbi com) (1 replies)
RE: Is IDS/IPS worthless? Feb 24 2004 02:06AM
Fergus Brooks (fergusb evolve-online com) (1 replies)
RE: Is IDS/IPS worthless? Feb 24 2004 01:03PM
Duston Sickler (dustons charter net)
RE: Is IDS/IPS worthless? Feb 21 2004 03:13PM
Omar Herrera (oherrera prodigy net mx)
Re: Is IDS/IPS worthless? Feb 21 2004 02:27PM
Konrad Rieck (kr roqe org)
Re: Is IDS/IPS worthless? Feb 21 2004 01:30AM
Josh Tolley (josh raintreeinc com)
Re: Is IDS/IPS worthless? Feb 21 2004 12:05AM
Mike Lyman (mlyman-security comcast net) (2 replies)
Re: Is IDS/IPS worthless? Feb 26 2004 09:11AM
Stefano Zanero (stefano zanero ieee org) (1 replies)
Re: Is IDS/IPS worthless? Mar 02 2004 11:21PM
George Capehart (gwc acm org)
RE: Is IDS/IPS worthless? Feb 24 2004 01:43AM
Fergus Brooks (fergusb evolve-online com)
Copyright 2008, SecurityFocus