-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 24, 2000 7:39 PM
>
> [...]
> I think the role of the IDS is to then sit around and look for suspicious
> traffic - DMZ hosts scanning the internal firewall, for example. Or traffic
> that the firewall is not smart enough to know is bad - like cgi attacks
> against webservers etc.
>
> If you want to look at developing an active audit function, where
> an internal and external IDS try to talk to each other in lots of
> tricky ways then that could be of value.

I think an IDS can play a valid role in verifying a firewall policy. Consider this example:

On my firewall, I configured ICMP rules in a way where I can send pings out, but only replies are allowed back in. The firewall effectively filters incoming ping requests, source quenches and everything else that is not a reply (I want to be able to do traceroutes and pings through the firewall, hence the rules). An Nmap test showed that the firewall is secure... at least so I thought.

Imagine my surprise when my Snort sensor behind the firewall picked up a fake ICMP reply (Snort identified that as some trojan backdoor communication attempt). Nmap and other scanners don't show this type of... uhm... oversight.

However, you can use the IDS to work together with your firewall to enhance its security. I have a Snort sensor inside (and for testing also outside) the firewall. I wrote a few scripts that monitor Snort alerts, and in case of a detection will reconfigure the firewall on the fly to block anything from the offending IP address. Should I again get an unsolicited ICMP reply packet, the IDS will pick it up and log it, my scripts will pick that up and reconfigure the firewall, and the firewall will block all communication from and to that IP address (currently configured for 1 hour).
So the IDS does not only provide a sanity check for the level of security on the firewall, but it actively takes part in the firewall security. Isn't that the way it's supposed to work ;) The same way you can protect your network against CGI attacks as you mentioned....

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOfZDiERKym0LjhFcEQJqHACgtcIzCyV7zeZNdybLJZTCi4NO3y0AoJ9B
gReqdiu5mCpONgu0VJFbRzbK
=Dk5B
-----END PGP SIGNATURE-----
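The alert-to-firewall loop Frank describes (Snort alert comes in, the source gets blocked in both directions, the block lapses after an hour) is simple enough to sketch. The following is an added example written for this page, not Frank's scripts: it parses Snort "fast"-style alert lines, keeps a block table with one-hour expiry, and generates the firewall commands it would run. The iptables syntax is an assumption (the post never names the firewall), the alert lines are constructed rather than real sensor output, and the commands are only collected, not executed. It also adds one thing the post does not mention but any such script needs: a never-block list for your own address space and gateway, because a single spoofed-source packet would otherwise let an attacker use your IDS to cut you off from your own hosts.

```python
"""Snort-alert-driven temporary firewall block (added example, not the author's
scripts). iptables command syntax is an assumption; commands are generated, not run."""
import re
from ipaddress import ip_address, ip_network

# Snort "fast" alert line: '... [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]'
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

BLOCK_SECONDS = 3600  # the one-hour block from the post

# Assumed local nets and upstream gateway. Never auto-block these: an attacker
# who spoofs one of them as the source would otherwise have the IDS lock us out.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.1/32")]


def parse_alert(line):
    """Return {'msg','proto','src','dst'} for an alert line, or None for non-alert text."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"msg": m.group("msg"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst")}


def is_protected(ip):
    """True if the address falls inside a network we refuse to auto-block."""
    addr = ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


class Blocker:
    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds = block_seconds
        self.blocked = {}     # source ip -> unix time the block expires
        self.commands = []    # firewall commands that would have been executed

    def handle(self, line, now):
        """Process one alert line at time `now`.
        Returns 'blocked', 'extended', 'skipped', or None if the line is not an alert."""
        alert = parse_alert(line)
        if alert is None:
            return None
        src = alert["src"]
        if is_protected(src):
            return "skipped"
        expiry = now + self.block_seconds
        if src in self.blocked:          # repeat offender: restart the clock, no new rule
            self.blocked[src] = expiry
            return "extended"
        self.blocked[src] = expiry
        # Block traffic from and to the source, as in the post (iptables syntax assumed).
        self.commands.append(f"iptables -I INPUT -s {src} -j DROP")
        self.commands.append(f"iptables -I OUTPUT -d {src} -j DROP")
        return "blocked"

    def expire(self, now):
        """Drop the rules for every block whose hour is up; returns the released IPs."""
        released = [ip for ip, exp in self.blocked.items() if exp <= now]
        for ip in released:
            del self.blocked[ip]
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
            self.commands.append(f"iptables -D OUTPUT -d {ip} -j DROP")
        return released


SAMPLE_ALERTS = [  # constructed for this example; not real Snort output
    "10/24-20:01:05.112233 [**] [1:100:1] ICMP Echo Reply (unsolicited) [**] [Priority: 2] {ICMP} 198.51.100.7 -> 10.0.0.5",
    "10/24-20:01:09.554433 [**] [1:101:1] WEB-CGI phf access [**] [Priority: 1] {TCP} 198.51.100.7:4321 -> 10.0.0.80:80",
    "10/24-20:02:00.000001 [**] [1:102:1] ICMP Echo Reply (unsolicited) [**] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "just noise, not an alert",
]


def run_demo():
    """Feed the sample alerts through at t=1000, then advance one hour and expire."""
    b = Blocker()
    results = [b.handle(line, now=1000.0) for line in SAMPLE_ALERTS]
    released = b.expire(now=1000.0 + BLOCK_SECONDS)
    return results, sorted(released), b.commands


if __name__ == "__main__":
    results, released, cmds = run_demo()
    print(results, released)
    print("\n".join(cmds))
```

In the demo the external host 198.51.100.7 is blocked on its first alert and merely has its hour restarted on the second, the alert with an internal source is skipped, and the non-alert line is ignored; after the hour the two DROP rules are deleted again. A real deployment would tail the alert file and pass the commands to the firewall, and would want to think about what a flood of alerts from many spoofed sources does to the rule table.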
