Ben... Not necessarily true: place an IDS sensor outside in your dirty network (before the fw/router) and place an IDS sensor inside. In most cases, an IDS should pick up the attack if the IDS application is designed correctly, and everything else. A penetration test is a one-time picturesque view of an organization. What happens if the site comes away with very little in the way of results? Or do you believe in hiring an online security scanning service (i.e. Global Integrity) and paying them on a quarterly basis to scan your network? So which is better?

/m

At 09:21 AM 10/25/00 +0930, Ben Nagy wrote:
>I think you have a logical flaw there.
>
>Many IDS alerts = firewall rules not tight enough (possibly)
>But:
>Few IDS alerts != firewall rules OK.
>
>You're assuming that the attack patterns during the observation period are
>a) constant and b) uniformly distributed across the gamut of possible
>attacks.
>
>All in all I think that using the IDS as a passive indicator of the
>correctness of the firewall configuration is fraught with peril. Frankly,
>there's no guarantee that the IDS is even going to pick up the attack.
>
>I agree that having "impossible" traffic patterns raise alerts is a good way
>of finding out (after the fact) that the firewall was configured incorrectly.
>However I would still advocate a direct audit/'penetration test' of the
>firewall at the completion of the installation. I don't think an IDS can
>help here with passive/internal techniques. Maybe you could look at
>something active/external?
>
>Cheers,
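The two-sensor placement argued for above (one on the dirty side, one inside) is only useful if the two alert streams are actually compared. The script below is an added example, not code from either poster: it correlates constructed alerts from a hypothetical "outside" and "inside" sensor, reports what the firewall forwarded versus dropped, and flags forwarded traffic that the stated policy says should have been blocked. The alert line format, signature names and policy table are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alerts from two sensors (not taken from the thread).
# The key=value layout is hypothetical; adjust LINE to match your IDS output.
ALERTS = """\
2000-10-25T09:21:03 sensor=outside sig=WEB-IIS-unicode src=198.51.100.7 dst=192.0.2.10 dport=80
2000-10-25T09:21:03 sensor=inside sig=WEB-IIS-unicode src=198.51.100.7 dst=192.0.2.10 dport=80
2000-10-25T09:22:11 sensor=outside sig=NETBIOS-SMB-probe src=198.51.100.7 dst=192.0.2.10 dport=139
2000-10-25T09:23:45 sensor=outside sig=RPC-portmap-request src=203.0.113.5 dst=192.0.2.20 dport=111
2000-10-25T09:23:45 sensor=inside sig=RPC-portmap-request src=203.0.113.5 dst=192.0.2.20 dport=111
2000-10-25T09:30:00 sensor=inside sig=ICMP-sweep src=192.0.2.33 dst=192.0.2.10 dport=0
"""

# Assumed firewall policy: (dst, dport) pairs the firewall is meant to permit inbound.
ALLOWED = {("192.0.2.10", 80)}

LINE = re.compile(r"sensor=(\w+) sig=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse(text):
    """Group alert keys (sig, src, dst, dport) by the sensor that raised them."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            sensor, sig, src, dst, dport = m.groups()
            seen[sensor].add((sig, src, dst, int(dport)))
    return seen


def correlate(text, allowed=ALLOWED):
    """Compare the dirty-side and inside views of the same traffic.

    passed:      seen by both sensors, so the firewall forwarded it.
    blocked:     outside only; dropped by the firewall, or simply missed
                 inside (absence of an alert is not proof of a drop).
    inside_only: never seen outside; internal origin or a path around the
                 perimeter sensor.
    rule_gap:    forwarded traffic that policy says should not have been allowed."""
    seen = parse(text)
    out, ins = seen["outside"], seen["inside"]
    passed = out & ins
    return {
        "passed": sorted(passed),
        "blocked": sorted(out - ins),
        "inside_only": sorted(ins - out),
        "rule_gap": sorted(k for k in passed if (k[2], k[3]) not in allowed),
    }
```

A non-empty `rule_gap` is the "impossible traffic" case: evidence, after the fact, that a rule is wrong, while an empty `blocked` set says nothing about rules that were never exercised during the observation window.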
