 From:  Ugo Bellavance <ugob at camo dash route dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: Re: m0n0wall + Snort
 Date:  Mon, 20 Jun 2005 20:30:44 -0400
Adriel T. Desautels wrote:
> Ugo,
>   Very, very true indeed. I think that if m0n0wall developers are going to
> consider implementing snort into their product then they will need to
> carefully consider many different points. The most important of which (in
> my opinion) is the additional responsibility to their users and additional
> support created by the introduction of snort or another IDS solution.

Yup.  And it is a lot of work to implement and configure and make it as
easy as it is with m0n0 for firewalling issues.

>   I still can't say that I'd be interested in using a solution that
> provided "IDS" capabilities in conjunction with firewalling capabilities
> just because of the increased load which leads to increased false
> positives and negatives.
>   Most false positives and false negatives that are not signature based
> occur at the NIC level. On your average NIC when the network load is at
> roughly 50% your false negative rate is very close to 100%. Introducing
> other processes to the system will cause an increase in the false
> negatives and reduce the effectiveness of the IDS solution even more. So
> now instead of 50% load = near 100% false negatives you might be at 30%
> load = near 100%. I don't know about you but that is not a reasonable
> sacrifice to me.

Interesting point.  But 30% load is still ~300 Mbit/s on a Gigabit
NIC.  That is still a lot of bandwidth for a WAN connection :).

>   This stands true unless you are using a special card of course. But
> most of those "special cards" are R/O taps and what not. Anyway, just my
> 2 cents. I still think that a firewall should be a firewall and that IDS
> should be IDS. Maybe I am thinking too corporate here and being too anal?

No, it is okay.  It is just a difference in values.  Most m0n0wall users
(I think) use them on embedded devices like WRAPs and Soekris.  That
gives the throughput of a firewall that costs ~$1000, or even less.  On
the other hand, it is also used with 14 NICs and probably drives gigabit/s
connections.  So it can fit a lot of needs.  Therefore, it will be used
by people who differ a lot in resources ($ and technical).  Many people
have asked for an IDS on m0n0, so I think there is a need somewhere for
people who lack the resources to implement a separate IDS.

  But trying not to top-post could be an improvement.

> ----- Message from ugob at camo dash route dot com ---------
>    Date: Mon, 20 Jun 2005 18:32:55 -0400
>    From: Ugo Bellavance <ugob at camo dash route dot com>
> Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
> Subject: [m0n0wall]  Re: AW: Re: m0n0wall + Snort
>      To: m0n0wall at lists dot m0n0 dot ch
>> Adriel T. Desautels wrote:
>>> Oliver,
>>>   I would hardly consider D-Link or Netgear to be good references for
>>> security best practices.
>> You may be right.  But try to find a firewall appliance that is in
>> competition with m0n0, you'll have a hard time finding one that doesn't
>> offer some sort of NIDS.  Netscreen, SonicWall, Fortinet, Symantec.
>>> I would also seriously reconsider your last sentence which was
>>> "I think no Firewall is secure alone without an IDS."
>> I must say I second.  A more accurate sentence would be that no network
>> is secure with only a firewall.  Security is a layered process, and the
>> more effective your layers and the more layers you've got, the more
>> secure your network should be.  However, more effective layers push the
>> costs up.
>>>   Factually speaking, if the code used to write a firewall product is
>>> written in a secure manner, then the firewall will be secure. If you
>>> introduce an insecure software package such as a third party IDS solution
>>> to the same system running your secure firewall, then you've compromised
>>> the security of your firewall with that insecure package.
>>>    The security of a firewall is totally independent of IDS and vice
>>> versa. Having said that, I do suggest that IDS is a good idea for anyone
>>> if installed properly and configured correctly. I strongly suggest
>>> against installing IDS + Firewall on the same system if you are serious
>>> about network security.
>> That is the point.  Being serious is having needs and resources.  Try to
>> balance security with budget, with usability, this is the neverending
>> dilemma of the security information specialist.  The decision is yours.
>>> ----- Message from oliver dot kainz at myez dot info ---------
>>>    Date: Mon, 20 Jun 2005 22:39:29 +0200
>>>    From: Oliver Kainz <oliver dot kainz at myez dot info>
>>> Reply-To: oliver dot kainz at myez dot info
>>> Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
>>>      To: m0n0wall at lists dot m0n0 dot ch
>>>>> Adriel T. Desautels wrote:
>>>>>> Actually,
>>>>>>    In my experience it's not a very good idea to install an IDS on a
>>>>>> firewall device. Fact of the matter is an IDS device should have as
>>>>>> much processing power as you can give it to help reduce false
>>>>>> positives and false negatives (assuming heavy load and a good NIC).
>>>>>> Increased usage of the CPU from other services, such as firewalls,
>>>>>> reduces the amount of cycles that the IDS will have and as such
>>>>>> reduces its performance. Anyone else feel the same way?
>>>>> What you think makes sense.  However, for a small business with an
>>>>> idle firewall like mine, it might be a good idea.  Having a traffic
>>>>> sniffer that is not on the firewall increases the costs a lot.  You
>>>>> need a separate machine, a tap or a switch with a mirror port.
>>>> IDS on a firewall is not NEW, take a look at the D-Link "DFL-200 and
>>>> DFL-700" or the Netgear "FVS ProSafe-VPN-Firewall" datasheet.
>>>> They have included an (N)IDS.
>>>> I think no Firewall is secure alone without an IDS.
>>>> BR
>>>> Oliver