I cut out some of the other messages to concentrate on one issue: 
automated IDS responses.  If your automated IDS responses result in an 
"automated" packet filter of any sort, I think you are doing yourself 
a disservice.  You might stop some kiddies, but you are just leaving 
yourself wide open to professionals, who can DoS you very easily.

I suppose it would be different if everyone just started filtering at 
the edge to help prevent spoofing, but alas, that is not the reality 
of today's networks.

It should be trivial for the attacker to DoS your systems beyond 
compare.  For example, what if he spoofs a trusted host?  Now your 
trusted host cannot have access anymore.  OK, so what if you have 
exceptions for the trusted host?  Now he has a host worth spoofing 
for: DoS the trusted host, assume the trusted host's identity.  Easier 
said than done, and you can mitigate the risk with things like MAC 
address port locking and anti-spoofing ACLs, but this is just to give 
you some idea that automated IDS responses can be particularly dangerous.

That is not even factoring in the possibility that you can lose 
accessibility to many systems; most firewall products have some 
pitiful limitations (one can easily blow out any stateful firewall), 
and you can be assured your ACLs will grow to be so big your firewall 
just might keel over.  I hope you have default-closed systems.  ;)  
But I suppose it won't matter at that point: your network will be 
down, or your IDS might be filled with so much "garbage" that you 
might not see the real attack come through for your "forensics" team 
to discover which hosts have been compromised.

> Come on now, the Slammer worm? If you are security conscious this
> shouldn't have had any effect on you. Microsoft released a patch last
> summer.  Security is a best-effort solution. It is about layers and
> maintenance. You cannot eliminate risk, you can only reduce risk.
> 
> An IDS's responsibility is to pick up attacks on the wire, not prevent
> them. I personally don't believe in allowing my IDS to respond to an
> attack.
> 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Albert Lu
> Sent: Friday, February 21, 2003 9:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
> 
> Hi Troy,
> 
> Must be some secure site. The reason I was interested is that I had a
> discussion with someone else before in regards to multi-vendor IDS
> solutions and how effective they might be.
> 
> So if you mostly rely on manual action, and an attack came in after
> hours, how quickly can you respond to your alerts? Since for some
> attacks, a half hour response time could cause your site to be down
> (e.g. the Slammer virus). If that was the case, even if you had all the
> vendors' IDSs, it would be useless.
> 
> Albert
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
> 
> 
> As with most things, you need to weigh up costs against your
> requirements. In our case, security is absolutely essential, so having
> multi-vendor security solutions (and indeed fully redundant ones) is
> costly, but we see it as justified.
> 
> With regards to action during attacks etc., we mostly rely on manual
> actions as we don't want to inadvertently block legitimate traffic (for
> example if an attack came from a spoofed IP). For automatic action, you
> can make use of Cisco Policy Manager, which has the ability to
> dynamically rewrite ACLs on PIXes, routers, and indeed Cats, according
> to data from the IDS.  So for example, if you were really paranoid (like
> we are), you could have PIXes as the first firewall, with IDS on the
> inside / DMZ etc. (using IDSM or standalone IDS), tie these together
> with Policy Manager, then, taking a further step into your network, a
> set of Nokia FW-1 NG, along with further Nokia IDS solutions on the
> inside, tied together using the enterprise software!
-Carroll Kong
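The failure mode Carroll describes above (an auto-blocking IDS turned into a self-inflicted DoS by spoofed sources, and a dynamic ACL that grows until the firewall keels over) is easy to see in a small simulation. The following is an added example, not code from anyone in this thread; the addresses, alert stream, and the `NaiveResponder` / `HardenedResponder` classes are constructed for illustration. The hardened variant applies the mitigations the thread mentions: ingress anti-spoofing (an outside packet claiming one of our own addresses is dropped rather than acted on), no automatic block of a trusted host (escalated to a person instead), and a capped, expiring ACL. It reduces the risk rather than removing it: as the post notes, a trusted-host exemption is itself a target worth spoofing, which is why the example escalates those alerts to a human rather than silently allowing them.

```python
"""Simulation (constructed example) of an IDS auto-response policy versus a
hardened one, showing how spoofed alert sources turn automatic blocking
into a denial of service against your own hosts and trusted partners."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology (assumption): our inside address space and one
# external trusted host (say, a business partner) that must keep access.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
TRUSTED_HOSTS = {ip_address("203.0.113.10")}


@dataclass
class Alert:
    """One IDS alert: source seen on the wire, the firewall interface the
    packet arrived on, a signature name, and a timestamp in seconds."""
    src: str
    ingress: str   # "outside" or "inside"
    sig: str
    t: float


@dataclass
class NaiveResponder:
    """The 'automated packet filter' the post warns about: every alert
    source gets a permanent deny entry, no questions asked."""
    acl: Dict[str, float] = field(default_factory=dict)

    def handle(self, a: Alert) -> None:
        self.acl[a.src] = a.t

    def is_blocked(self, host: str) -> bool:
        return host in self.acl


@dataclass
class HardenedResponder:
    """Same auto-block idea with defender-side safeguards: ingress
    anti-spoofing, no auto-block of trusted hosts (escalate instead), and a
    dynamic ACL that is capped in size and expires entries after `ttl`."""
    max_entries: int = 100
    ttl: float = 600.0
    acl: Dict[str, float] = field(default_factory=dict)
    escalated: List[Alert] = field(default_factory=list)
    dropped_spoofed: int = 0

    def _spoofed(self, a: Alert) -> bool:
        # A packet on the outside interface cannot legitimately carry one of
        # our own addresses; this is the anti-spoofing ACL from the thread.
        src = ip_address(a.src)
        return a.ingress == "outside" and any(src in n for n in INTERNAL_NETS)

    def _expire(self, now: float) -> None:
        for host, added in list(self.acl.items()):
            if now - added > self.ttl:
                del self.acl[host]

    def handle(self, a: Alert) -> None:
        if self._spoofed(a):
            self.dropped_spoofed += 1
            return
        if ip_address(a.src) in TRUSTED_HOSTS:
            self.escalated.append(a)          # a human decides, no auto-block
            return
        self._expire(a.t)
        if len(self.acl) >= self.max_entries:
            del self.acl[min(self.acl, key=self.acl.get)]   # evict the oldest
        self.acl[a.src] = a.t

    def is_blocked(self, host: str, now: Optional[float] = None) -> bool:
        if now is not None:
            self._expire(now)
        return host in self.acl


def simulate() -> dict:
    """Run both responders over a constructed alert stream: one real probe,
    then 500 alerts with sources spoofed to look like our own hosts, then
    one alert spoofed as the trusted partner. Returns what each blocked."""
    alerts = [Alert("198.51.100.7", "outside", "probe", 0.0)]
    alerts += [Alert(f"192.0.2.{i % 254 + 1}", "outside", "probe", 1.0 + i / 1000)
               for i in range(500)]
    alerts.append(Alert("203.0.113.10", "outside", "probe", 2.0))

    naive, hard = NaiveResponder(), HardenedResponder()
    for a in alerts:
        naive.handle(a)
        hard.handle(a)
    return {
        "naive_acl_size": len(naive.acl),              # 256: probe + 254 own hosts + partner
        "naive_blocks_trusted": naive.is_blocked("203.0.113.10"),
        "naive_blocks_own_host": naive.is_blocked("192.0.2.5"),
        "hard_acl_size": len(hard.acl),                # 1: only the real probe source
        "hard_blocks_trusted": hard.is_blocked("203.0.113.10"),
        "hard_blocks_own_host": hard.is_blocked("192.0.2.5"),
        "hard_dropped_spoofed": hard.dropped_spoofed,  # 500
        "hard_escalated": len(hard.escalated),         # 1
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows the naive responder ending up with 256 deny entries, including every one of our own addresses and the partner, while the hardened one blocks only the real probe source, drops the 500 spoofed alerts at the ingress check, and hands the partner alert to a person. The cap and TTL are what keep the ACL from growing without bound under a sustained flood.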
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63557&t=63557