>I do think a lot more research is needed... but IDS's are improving, and I
>for one am glad to have one for nothing other than to give me an idea of
>what is being aimed at me. I don't rely on them as gospel though. I still
>rely more on the firewall telling me that someone is knocking, then use the
>IDS to tell me the flavor of attack. When used in this fashion, the false
>positives have less of an impact.
Firewalls and IDS complement each other. I find the rule-based IDSes (20-100 k
rules) are too sensitive, and their initial deployment should be
behind the firewall. That way they help identify the holes. Once they are
"de-tuned," they can play in the DMZ.
A second type of IDS is needed in the DMZ that should characterize the
traffic that "leaks" from the firewall. It must never be aimed at making
the private network a prison but rather a tool looking for traffic
patterns that reveal risky behavior.
As for those who "bounce" off the firewall or ACL, if we could set up a
"realtime black hole" service and automate swatting the kiddie scripters,
I might be persuaded. Avoiding spoofed addresses and false alarms would be a
challenge, and any such system would require authentication of the source.
This is entirely feasible.
Regardless, we find the quantity of complaints is less important than the
quality. A well managed IDS provides the insight needed to make the
defense systems more robust.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
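As an added example (not part of the original post or of any product the poster used), the Python sketch below puts together the pieces the "realtime black hole" paragraph describes: a firewall's DENY log is mined for sources that bounce off several ports, the resulting list is submitted to a black hole service over an HMAC-authenticated channel so that only known reporters can add entries, and the service refuses to list addresses from non-routable ranges, since a DENY from such a source is a spoof or a misconfiguration rather than a host worth blocking. The log format, the port threshold, the reporter names and the shared keys are all assumptions made here; the log lines are constructed.

```python
"""Auto-blackhole sketch (example code): mine firewall DENY lines for scanners,
report them over an HMAC-authenticated channel, and have the service refuse
addresses that cannot legitimately be a source on the outside interface."""
import hashlib
import hmac
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample deny lines in a hypothetical, iptables-like format.
FIREWALL_LOG = """\
Jan 10 02:14:01 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
Jan 10 02:14:01 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
Jan 10 02:14:02 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80
Jan 10 02:14:02 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443
Jan 10 02:14:03 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3389
Jan 10 02:14:05 fw kernel: DENY IN=eth0 SRC=198.51.100.44 DST=198.51.100.10 PROTO=TCP DPT=25
Jan 10 02:14:09 fw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=22
Jan 10 02:14:09 fw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=23
Jan 10 02:14:10 fw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=80
Jan 10 02:14:10 fw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=443
Jan 10 02:14:11 fw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=8080
"""

DENY_RE = re.compile(r"DENY .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
PORT_THRESHOLD = 5  # assumed: distinct ports probed before a source counts as a scanner

# Ranges that must never be a source on the Internet-facing interface. A DENY
# from one of these is a spoof or a misconfiguration, not a host we can block.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_blockable(src: str) -> bool:
    """True only for a syntactically valid address outside the bogon ranges."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return not any(ip in net for net in BOGONS)


def find_scanners(log_text: str, threshold: int = PORT_THRESHOLD) -> list[str]:
    """Sources that were denied on at least `threshold` distinct destination ports."""
    ports_by_src: dict[str, set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dpt"]))
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


def sign_report(reporter: str, addresses: list[str], key: bytes) -> dict:
    """Reporter side: the body is signed with the reporter's pre-shared key."""
    body = json.dumps({"addresses": addresses}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"reporter": reporter, "body": body, "tag": tag}


class BlackholeService:
    """Service side: verify the reporter before parsing, then filter bogons."""

    def __init__(self, reporter_keys: dict[str, bytes]):
        self.reporter_keys = reporter_keys   # assumed: one pre-shared key per reporter
        self.listed: set[str] = set()
        self.rejected: list[str] = []

    def accept(self, signed: dict) -> int:
        """Add the report's blockable addresses; return how many were newly listed."""
        key = self.reporter_keys.get(signed.get("reporter"))
        if key is None:
            self.rejected.append("unknown reporter")
            return 0
        expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("tag", "")):
            self.rejected.append("bad signature")
            return 0
        report = json.loads(signed["body"])  # parsed only after authentication
        added = 0
        for addr in report.get("addresses", []):
            if not is_blockable(addr):
                self.rejected.append(f"unblockable source {addr}")
            elif addr not in self.listed:
                self.listed.add(addr)
                added += 1
        return added


def demo() -> tuple[list[str], set[str], list[str]]:
    scanners = find_scanners(FIREWALL_LOG)
    service = BlackholeService({"fw-a": b"key-a"})
    service.accept(sign_report("fw-a", scanners, b"key-a"))       # genuine report
    service.accept(sign_report("fw-a", ["198.51.100.44"], b"x"))  # forged tag
    return scanners, service.listed, service.rejected


if __name__ == "__main__":
    print(demo())
```

The reporter identity sits outside the signed body so the service can look up the key and verify the tag before it parses anything an attacker could have shaped; the bogon check runs on the service side as well as the firewall side, so a compromised or sloppy reporter still cannot get a private or multicast range "blackholed".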