Taking a broader view, security is comprised of a number of components, as you well know, from administering the operating system, the users, et al. I see network access security as an insurance policy, a policy that protects the hardware, software, and information assets of the company behind the firewall. Is it worth the cost? Management must determine how much the assets protected are worth.

In terms of network access security and in my view, there are four main components:

1. Written Policies
2. Firewall (implements the written policies)
3. Intrusion Detection (monitors the open ports)
4. Content monitoring or vectoring (anti-virus, HTTP, etc.)

Every rule that opens a port is actually opening a hole, one that can be used for hacking. Nmap can be used to get through the firewall on a known open port and port scan a box behind the firewall. And that's where IDS comes in. IDS helps me be reasonably certain that the "holes" opened in the firewall for traffic are secured by IDS.

In support of this, one of our subnets was scanned recently using port 80 (HTTP). The firewall would have let it go through but the IDS caught what was happening and instructed the firewall to issue a block on the incoming address.

David C. Diemer, CCSA, CNE
Enterprise Security Firewall Engineer
Georgia Department of Administrative Services (DOAS)
[EMAIL PROTECTED]
404.651.9677

>>> <[EMAIL PROTECTED]> 11/28/00 10:49AM >>>

We have one here, and it's quite informative. Whether or not it's worth the $$$ that it cost is debatable, but you do get a clear indication of who is trying what, and provides a bit of ammo for beating web/DNS server admins over the head with respect to patch levels when you can demonstrate that people are actually looking for exploits.

We hope to be getting some Nokia Realsecure to play with boxes early next year, which are probably as low-hassle as you'd get.

It did take a while to get an appropriate level of reporting in place. As with all tools that log information, too much and it ceases to be useful, too little and you're no better off than before.

On a different note, and one that as a contractor is quite important to me is it's another skill to have, and as such is valuable as long as there is a "perceived" benefit to IDS packages.

Perhaps not quite what you had in mind, but my $0.02

[EMAIL PROTECTED]@lists.us.checkpoint.com on 28/11/2000 13:45:05
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: [FW1] intrusion detection - benifits?

Greetings:

I have this question that I would like the community to give me their .02 worth. In an arena running Checkpoint (whatever flavor) is it really worth the time, expense, and possible network performance compromises to put a separate intrusion detection appliance online in front of the firewall? I understand that there are tons of "well, you could.." but what I am really after is "your" opinion. Would you, as the FW admin/engineer, do it?

Obviously I am looking for some backup here as I am having an intrusion detection package rammed down my throat, and frankly, I don't want it. But my only defense at this point is that "is something more to manage".

Thanks to all in advance!!!

Tom

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
