 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  oliver dot kainz at myez dot info
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: [m0n0wall] Re: m0n0wall + Snort
 Date:  Mon, 20 Jun 2005 17:23:04 -0400
   I would hardly consider D-Link or Netgear to be good references for security
best practices. I would also seriously reconsider your last sentence which was
"I think no Firewall is secure alone without an IDS."

   Factually speaking, if the code used to write a firewall product is written
in a secure manner, then the firewall will be secure. If you introduce an
insecure software package such as a third party IDS solution to the same system
running your secure firewall, then you've compromised the security of your
firewall with that insecure package.

    The security of a firewall is totally independent of IDS and vice versa.
Having said that, I do suggest that IDS is a good idea for anyone if installed
properly and configured correctly. I strongly suggest against installing IDS +
Firewall on the same system if you are serious about network security.

----- Message from oliver dot kainz at myez dot info ---------
    Date: Mon, 20 Jun 2005 22:39:29 +0200
    From: Oliver Kainz <oliver dot kainz at myez dot info>
Reply-To: oliver dot kainz at myez dot info
Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
      To: m0n0wall at lists dot m0n0 dot ch

>>> Adriel T. Desautels wrote:
>>> Actually,
>>>    In my experience it's not a very good idea to install an IDS on a
>>> firewall device. Fact of the matter is an IDS device should have as
>>> much processing power as you can give it to help reduce false positives
>>> and false negatives (assuming heavy load and a good NIC). Increased
>>> usage of the CPU from other services, such as firewalls, reduces the
>>> amount of cycles that the IDS will have
>>> and as such reduces its performance. Anyone else feel the same way?
>> What you think makes sense.  However, for a small business with an idle
>> firewall like mine, it might be a good idea.  Having a traffic sniffer
>> that is not on the firewall increases the costs a lot.  You need a
>> separate machine, a tap or a switch with a mirror port.
> IDS on a firewall is not NEW, take a look at D-Link "DFL-200 and DFL-700"
> Or the Netgear "FVS ProSafe-VPN-Firewall" Datasheet.
> They have included an (N)IDS.
> I think no Firewall is secure alone without an IDS.
> BR
> Oliver

----- End message from oliver dot kainz at myez dot info -----

     Adriel T. Desautels
     Secure Network Operations, Inc.

Secure Network Operations - http://www.secnetops.com