 
 From:  Ugo Bellavance <ugob at camo dash route dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: Re: m0n0wall + Snort
 Date:  Mon, 20 Jun 2005 18:32:55 -0400
Adriel T. Desautels wrote:
> Oliver,
>   I would hardly consider D-Link or Netgear to be good references for
> security best practices.

You may be right.  But try to find a firewall appliance that is in
competition with m0n0; you'll have a hard time finding one that doesn't
offer some sort of NIDS: Netscreen, SonicWall, Fortinet, Symantec.

> I would also seriously reconsider your last sentence, which was
> "I think no Firewall is secure alone without an IDS."

I must say I second that.  A more accurate sentence would be that no network
is secure with only a firewall.  Security is a layered process, and the
more effective your layers and the more layers you've got, the more secure
your network should be.  However, more effective layers push the costs up.

> 
>   Factually speaking, if the code used to write a firewall product is
> written in a secure manner, then the firewall will be secure. If you
> introduce an insecure software package such as a third party IDS solution
> to the same system running your secure firewall, then you've compromised
> the security of your firewall with that insecure package.
> 
>    The security of a firewall is totally independent of IDS and vice versa.
> Having said that, I do suggest that IDS is a good idea for anyone if
> installed properly and configured correctly. I strongly suggest against
> installing IDS + Firewall on the same system if you are serious about
> network security.
> 

That is the point.  Being serious is having needs and resources.  Try to
balance security with budget and with usability; this is the neverending
dilemma of the security information specialist.  The decision is yours.

> 
> 
> ----- Message from oliver dot kainz at myez dot info ---------
>    Date: Mon, 20 Jun 2005 22:39:29 +0200
>    From: Oliver Kainz <oliver dot kainz at myez dot info>
> Reply-To: oliver dot kainz at myez dot info
> Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
>      To: m0n0wall at lists dot m0n0 dot ch
> 
> 
>>>> Adriel T. Desautels wrote:
>>>> Actually,
>>>>    In my experience it's not a very good idea to install an IDS on a
>>>> firewall device. Fact of the matter is an IDS device should have as
>>>> much processing power as you can give it to help reduce false positives
>>>> and false negatives (assuming heavy load and a good NIC). Increased
>>>> usage of the CPU from other services, such as firewalls, reduces the
>>>> amount of cycles that the IDS will have and as such reduces its
>>>> performance. Anyone else feel the same way?
>>
>>> What you think makes sense.  However, for a small business with an idle
>>> firewall like mine, it might be a good idea.  Having a traffic sniffer
>>> that is not on the firewall increases the costs a lot.  You need a
>>> separate machine, a tap or a switch with a mirror port.
>>
>>
>> IDS on a firewall is not NEW, take a look at the D-Link "DFL-200 and DFL-700"
>> or the Netgear "FVS ProSafe-VPN-Firewall" datasheet.
>> They have included an (N)IDS.
>> I think no Firewall is secure alone without an IDS.
>>
>> BR
>> Oliver
>>
> 
> ----- End message from oliver dot kainz at myez dot info -----
> 
> Regards,
>     Adriel T. Desautels
>     Secure Network Operations, Inc.
>     http://www.secnetops.com
> 
> ----------------------------------------------------------------
> Secure Network Operations - http://www.secnetops.com