On Tue, 24 Apr 2001, Angelos Karageorgiou wrote:

>      Intrusion Detection
>
> But we are still passing all the internet traffic for them through the
> firewall for a very simple reason: Intrusion Detection. No matter how
> powerful a router is, it still cannot beat SNORT in detecting
> network abuses. There is a slew of tools to do analysis of snort
> alerts and of course my favorite one is snortlog.

why is this here? are you really placing a NIDS on your firewall?

honestly, i think that's poor design. as someone who has installed IDS
sensors for several organizations and studied them, designed a few and
works with them on a daily basis, i can safely say i have given this
question a lot of thought.

it boils down to perspective. the NIDS needs to have a nearly bird's-eye
view of what traffic is on the wire, but not from a gateway standpoint but
instead from a host perspective. sensor placement is one thing we won't
discuss here, as are the differences in reaction to traffic between
different host platforms.

however, a NIDS is not a firewall component, but instead a security
component. i don't think they should overlap in their placement or in
their duties (i.e. reactive NIDS systems), and as such they really don't
have a place in a discussion about firewalls.

this isn't to say you can't evaluate firewall logs as a part of your
intrusion detection analysis. you'd be a fool not to. but, placing the
sensor on your firewall is bad for the reasons i stated above.

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
