I would hardly consider D-Link or Netgear to be good references for security
best practices. I would also seriously reconsider your last sentence which was
"I think no Firewall is secure alone without an IDS."
Factually speaking, if the code used to write a a firewall product
in a secure manner, then the firewall will be secure. If you introduce an
insecure software package such as a third party IDS solution to the
running your secure firewall, then you've compromised the security of your
firewall with that insecure package.
The security of a firewall is totally independent of IDS and visa versa.
Having said that, I do suggest that IDS is a good idea for anyone if installed
properly and configured correctly. I strongly suggest against installing IDS +
Firewall on the same system if you are serious about network security.
----- Message from oliver dot kainz at myez dot info ---------
Date: Mon, 20 Jun 2005 22:39:29 +0200
From: Oliver Kainz <oliver dot kainz at myez dot info>
Reply-To: oliver dot kainz at myez dot info
Subject: AW: [m0n0wall] Re: m0n0wall + Snort
To: m0n0wall at lists dot m0n0 dot ch
>>> Adriel T. Desautels wrote:
>>> In my expereince its not a very good idea to install an IDS on a
>>> firewall device. Fact of the matter is an IDS device should have as
>>> much processing power as you an give it to help reduce false positives
>>> and false negatives (assuming heavy load and a good NIC). Increased
>>> usage of the CPU from other services, such as firewalls, reduce the
>>> amount of cycles that the IDS will have
>>> and as such reduce its performance. Anyone else feel the same way?
>> What you think makes sense. However, for a small business with an idle
> firewall like
>> mine, it might be a good idea. Having a traffic sniffer that is not on
> the firewall
>> increases the costs a lot. You need a separate machine, a tap or a
> switch with a mirror
> IDS on a firewall is not NEW, take a look an D-Link "DFL-200 and DFL-700"
> Or the Netgear "FVS ProSafe-VPN-Firewall" Datasheet.
> The have included an (N)IDS.
> I think no Firewall is secure alone without an IDS.
----- End message from oliver dot kainz at myez dot info -----
Adriel T. Desautels
Secure Network Operations, Inc.
Secure Network Operations - http://www.secnetops.com