Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Firewalls (was Re: IDS evaluations procedures)

from [Swift, David] Network Security [Permanent Link]
Subject: RE: Firewalls (was Re: IDS evaluations procedures)
Date: Sun, 24 Jul 2005 13:27:31 -0700 
Fair enough. I agree, no single product is going to block everything. 

Still a Unified Threat Management (UTM), device like iPolicy Intrusion
Prevention Firewalls, (sorry, required minimal company plug), can go a
long way toward a good defense. Some form of Firewall, and IDS/IPS are
essential on the un-policed Wild Wild Web.

Like you mentioned, I always install Tripwire, or Auditing services on
internal hosts just in case something snuck through. 

Other products like SolidCore attempt to lock the entire OS/Executing
code set, and could be useful as well for critical systems with static
configurations.

And of course there are application specific/data scrubbing systems like
NetContinuum that I would deploy to filter outbound content from web
servers.

After 15 years in networking, I've become OS & System agnostic, I just
try to deploy a combination based on the value of data, the customer
budget, and the potential threats to it. 

Can't always get a Rolls Royce when the budget is for a Kia.

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@gmail.com] 
Sent: Friday, July 22, 2005 6:23 PM
To: Swift, David
Cc: Mike Barkett; Nick Black; focus-ids@securityfocus.com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

On 7/22/05, Swift, David <dswift@ipolicynetworks.com> wrote:

Right up front, I'll admit I work for a vendor, but...

1. There are a growing number Intrusion Detection/Intrusion Prevention
Systems that have integrated firewall.
2. IPS is a significant step in the right direction, and does things a
firewall can't. If you have doubts, try using Firewalker to pinpoint
holes in your firewall, and map network devices PAST the firewall
perimeter. If I can find them, I can attack them. Then craft a few
attacks with Nessus and send a fragmented attack right on through the
firewall at a given target.

iPolicy started a company with the premise that security integration

was

where things were headed. We built a good firewall, that after 5 years
of revisions now has an easy to use interface, AND we incorporate a

good

IDS/IPS engine.


Hi David,

All good points.  If you can get past firewalls using various
techniques, I'm sure others can bypass even your product, right?

This is not an attack against you or any other prevention vendor.  The
unfortunate reality is that at some point a smart, unpredictable
intruder will figure out how to bypass your prevention mechanism. 
Where does that leave an integrated/converged security device?  Will
it have any record at all that it was beaten?  Probably not -- if it
knew what was happening, it would have blocked the attack, correct?

The problem I see with most security vendors is their assumption that
they can even identify attacks properly.  This is a problem because
detection or prevention requires accurate attack identification.  I
gave up on perfect attack detection years ago, but I did not give up
on intrusion detection or prevention as necessary parts of the
security process.  I am glad you and other vendors still work on this
very tough problem!

For my part, I try to identify when my preventative system has failed
via policy enforcement failure detection.  If that doesn't work, I'm
also performing network transaction logging.  Once I know (by
non-technical means, perhaps) that I'm compromised, I have
network-based evidence to guide my incident response and remediation
process.

I don't see do-it-all-in-one security appliances approaching the
problem this way.

I guess my view is biased because I do incident response for a living,
and I constantly deal with failed security mechanisms.  (Unfortunately
for my clients,) I am as busy now (with all the great new gear we
have) as I was seven years ago when I started.

Sincerely,

Richard
http://www.taosecurity.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: IDS alerts / second - Correlation - Virtualization, Swift, David
Next by Date:  RE: IDS alerts / second - Correlation - Virtualization, Frank Knobbe
Previous by Thread:  RE: Firewalls (was Re: IDS evaluations procedures), Omar Herrera
Next by Thread:  Re: Firewalls (was Re: IDS evaluations procedures), Fergus Brooks
Indexes:  [Date] [Thread] [Top] [All Lists]