 
 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  Ugo Bellavance <ugob at camo dash route dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: AW: Re: m0n0wall + Snort
 Date:  Mon, 20 Jun 2005 19:02:38 -0400
Ugo,
   Very, very true indeed. I think that if m0n0wall developers are going to
consider implementing snort into their product then they will need to carefully
consider many different points. The most important of which (in my opinion) is
the additional responsibility to their users and additional support created by
the introduction of snort or another IDS solution.

   I still can't say that I'd be interested in using a solution that provided
"IDS" capabilities in conjunction with firewalling capabilities just because of
the increased load which leads to increased false positives and negatives.

   Most false positives and false negatives that are not signature based occur
at the NIC level. On your average NIC when the network load is at roughly 50%
your false negative rate is very close to 100%. Introducing other processes to
the system will cause an increase on the false negatives and reduce the
effectiveness of the IDS solution even more. So now instead of 50% load = near
100% false negatives you might be at 30% load = near 100%. I don't know about
you but that is not a reasonable sacrifice to me.

   This stands true unless you are using a special card of course. But most of
those "special cards" are R/O taps and whatnot. Anyway, just my 2 cents. I
still think that a firewall should be a firewall and that IDS should be IDS.
Maybe I am thinking too corporate here and being too anal?





----- Message from ugob at camo dash route dot com ---------
    Date: Mon, 20 Jun 2005 18:32:55 -0400
    From: Ugo Bellavance <ugob at camo dash route dot com>
Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
Subject: [m0n0wall]  Re: AW: Re: m0n0wall + Snort
      To: m0n0wall at lists dot m0n0 dot ch


> Adriel T. Desautels wrote:
>> Oliver,
>>   I would hardly consider D-Link or Netgear to be good references for
>> security
>> best practices.
>
> You may be right.  But try to find a firewall appliance that is in
> competition with m0n0, you'll have a hard time finding one that doesn't
> offer some sort of NIDS.  Netscreen, SonicWall, Fortinet, Symantec.
>
>> I would also seriously reconsider your last sentence
>> which was
>> "I think no Firewall is secure alone without an IDS."
>
> I must say I second.  A more accurate sentence would be that no network
> is secure with only a firewall.  Security is a layered process, and the
> more effective your layers and the more layers you've got, the more secure
> your network should be.  However, more effective layers push the costs up.
>
>>
>>   Factually speaking, if the code used to write a firewall product is
>> written in a secure manner, then the firewall will be secure. If you
>> introduce an insecure software package such as a third party IDS solution
>> to the same system running your secure firewall, then you've compromised
>> the security of your firewall with that insecure package.
>>
>>    The security of a firewall is totally independent of IDS and vice versa.
>> Having said that, I do suggest that IDS is a good idea for anyone if
>> installed properly and configured correctly. I strongly suggest against
>> installing IDS + Firewall on the same system if you are serious about
>> network security.
>>
>
> That is the point.  Being serious is having needs and resources.  Try to
> balance security with budget, with usability, this is the neverending
> dilemma of the security information specialist.  The decision is yours.
>
>>
>>
>> ----- Message from oliver dot kainz at myez dot info ---------
>>    Date: Mon, 20 Jun 2005 22:39:29 +0200
>>    From: Oliver Kainz <oliver dot kainz at myez dot info>
>> Reply-To: oliver dot kainz at myez dot info
>> Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
>>      To: m0n0wall at lists dot m0n0 dot ch
>>
>>
>>>
>>>
>>>
>>>
>>>>> Adriel T. Desautels wrote:
>>>>> Actually,
>>>>>    In my experience it's not a very good idea to install an IDS on a
>>>>> firewall device. Fact of the matter is an IDS device should have as
>>>>> much processing power as you can give it to help reduce false positives
>>>>> and false negatives (assuming heavy load and a good NIC). Increased
>>>>> usage of the CPU from other services, such as firewalls, reduces the
>>>>> amount of cycles that the IDS will have
>>>>> and as such reduces its performance. Anyone else feel the same way?
>>>
>>>
>>>> What you think makes sense.  However, for a small business with an idle
>>>> firewall like mine, it might be a good idea.  Having a traffic sniffer
>>>> that is not on the firewall increases the costs a lot.  You need a
>>>> separate machine, a tap or a switch with a mirror port.
>>>
>>>
>>> IDS on a firewall is not NEW, take a look at D-Link "DFL-200 and DFL-700"
>>> Or the Netgear "FVS ProSafe-VPN-Firewall" Datasheet.
>>> They have included an (N)IDS.
>>> I think no Firewall is secure alone without an IDS.
>>>
>>> BR
>>> Oliver
>>>
>>
>>
>> ----- End message from oliver dot kainz at myez dot info -----
>>
>>
>>
>> Regards,
>>     Adriel T. Desautels
>>     Secure Network Operations, Inc.
>>     http://www.secnetops.com
>>
>> ----------------------------------------------------------------
>> Secure Network Operations - http://www.secnetops.com
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>


----- End message from ugob at camo dash route dot com -----



Regards,
     Adriel T. Desautels
     Secure Network Operations, Inc.
     http://www.secnetops.com

----------------------------------------------------------------
Secure Network Operations - http://www.secnetops.com
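The thread's core technical point is that an overloaded sensor silently drops packets, and every dropped packet is a potential false negative. The one check a practitioner can actually run is to read the sensor's own capture statistics and alarm on the drop rate. The script below is an added example, not code from the list, m0n0wall or the Snort project: it parses a constructed, Snort 2.9-style "Packet I/O Totals" block (that layout and the counter names are assumed; older Snort releases print their totals differently, so adjust the regex to what your version emits) and classifies the drop rate against two illustrative thresholds.

```python
import re

# Constructed sample modelled on the "Packet I/O Totals" block Snort 2.9 prints
# at exit or on SIGUSR1. The exact layout is an assumption; verify it against
# the output of the Snort build you run.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:       250000
   Analyzed:       212500 ( 85.000%)
    Dropped:        37500 ( 15.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
"""

# One counter per line: label, colon, whitespace, integer. The trailing
# percentage in parentheses is ignored; we recompute it from the raw counts.
_LINE_RE = re.compile(
    r"^\s*(Received|Analyzed|Dropped|Filtered|Outstanding):\s+(\d+)", re.M
)


def parse_io_totals(text):
    """Return a dict of counter name -> int for a Packet I/O Totals block.

    Raises ValueError if the two counters the drop-rate calculation needs
    are absent, so a changed output format fails loudly instead of reading
    as a zero drop rate.
    """
    counters = {name: int(value) for name, value in _LINE_RE.findall(text)}
    missing = {"Received", "Dropped"} - counters.keys()
    if missing:
        raise ValueError("stats block missing counters: %s" % sorted(missing))
    return counters


def drop_rate(counters):
    """Fraction (0.0 .. 1.0) of received packets the engine never inspected."""
    received = counters["Received"]
    if received == 0:
        return 0.0  # nothing captured yet; no basis for a rate
    return counters["Dropped"] / received


def assess(text, warn_at=0.01, fail_at=0.05):
    """Classify a stats dump as ('ok' | 'warn' | 'fail', rate).

    The 1% / 5% thresholds are illustrative. A single dropped packet can carry
    the one exploit you cared about, so tune them to what the network is
    expected to tolerate rather than treating them as a standard.
    """
    rate = drop_rate(parse_io_totals(text))
    if rate >= fail_at:
        return "fail", rate
    if rate >= warn_at:
        return "warn", rate
    return "ok", rate


if __name__ == "__main__":
    verdict, rate = assess(SAMPLE_STATS)
    print("drop rate %.2f%% -> %s" % (rate * 100, verdict))
```

On a combined firewall/IDS box the interesting experiment is to feed this the stats before and after enabling the other services and compare the drop rate at the same offered load; a rising rate with unchanged traffic is the CPU contention the thread is arguing about, measured rather than assumed.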