 From:  Bob Rich <rrich at gstisecurity dot com>
 To:  sai <sonicsai at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: m0n0wall + Snort
 Date:  Tue, 21 Jun 2005 09:41:54 -0400
What about m0n0snort?

For me the thing that makes m0n0wall so great is the excellent encapsulation of the underlying OS
into a very clean and easy to use interface. (*clap* *clap* *clap*)

I don't know for sure, but I would imagine that snort runs on FreeBSD 4 just fine...isn't there a
potential for using the m0n0 platform for hosting snort?  The firewall and VPN capabilities could be
trimmed to host protection only to avoid the dual use concerns illustrated below.  GUI pages for
pointing to mysql or syslog boxen for output (to maintain 'embedability'), stealth port
configuration, rule editing, etc. should be much simpler than what is already in place for m0n0wall.

Note I'm not suggesting _who_ does this, but I think the idea has some merit.



----- Original Message -----
From: sai <sonicsai at gmail dot com>
To: Ugo Bellavance <ugob at camo dash route dot com>
Cc: m0n0wall at lists dot m0n0 dot ch
Sent: Tue, 21 Jun 2005 05:27:25 -0400
Subject: [m0n0wall] Re: m0n0wall + Snort


> Vendors will try to sell whatever is easier to sell and that generates
> more profits. There are Firewalls with anti-spam and anti-virus
> software. Anti-spam!!
> The pitch is that all your security is handled by one machine. It is
> easier to handle. Lower cost. etc. etc.
> 
> The main driver for this trend is that CPU power is available
> cheaply, so it is possible to do this.
> My thinking is that IDS and anti-spam, anti-virus are not something
> that you should have on a firewall as these can take up huge amounts
> of CPU plus storage. If something goes wrong then you have no
> firewall, no nothing.
> The more software you have on a machine the more there is to go wrong.
> 
> M0n0 philosophy is to have a pure firewall and this is good. Personally
> I think that having a few more functions (than currently implemented
> on m0n0) will not do much harm.
> 
> On 6/21/05, Ugo Bellavance <ugob at camo dash route dot com> wrote:
> > Adriel T. Desautels wrote:
> > > Ugo,
> > >   Very, very true indeed. I think that if m0n0wall developers are going to
> > > consider implementing snort into their product then they will need to
> > > carefully consider many different points. The most important of which (in my
> > > opinion) is the additional responsibility to their users and additional support
> > > created by the introduction of snort or another IDS solution.
> > 
> > Yup.  And it is a lot of work to implement and configure and make it as
> > easy as it is with m0n0 for firewalling issues.
> > 
> > > 
> > >   I still can't say that I'd be interested in using a solution that
> > > provided "IDS" capabilities in conjunction with firewalling capabilities just
> > > because of the increased load which leads to increased false positives and
> > > negatives.
> > > 
> > >   Most false positives and false negatives that are not signature based
> > > occur at the NIC level. On your average NIC when the network load is at
> > > roughly 50% your false negative rate is very close to 100%. Introducing other
> > > processes to the system will cause an increase on the false negatives and
> > > reduce the effectiveness of the IDS solution even more. So now instead of
> > > 50% load = near 100% false negatives you might be at 30% load = near 100%.
> > > I don't know about you but that is not a reasonable sacrifice to me.
> > > 
> > 
> > Interesting point.  But 30% load is still ~300 Mbits/s on a Gigabit
> > NIC.  That is still a lot of bandwidth for a WAN connection :).
> > 
> > >   This stands true unless you are using a special card of course. But
> > > most of those "special cards" are R/O taps and what not. Anyway, just my 2 cents.
> > > I still think that a firewall should be a firewall and that IDS should be
> > > IDS. Maybe I am thinking too corporate here and being too anal?
> > > 
> > 
> > No, it is okay.  It is just a difference in values.  Most m0n0wall users
> > (I think) use them on embedded devices like WRAPs and Soekris. That
> > gives the throughput of a firewall that costs ~1000$, or even less.  On
> > the other end, it is also used with 14 NICs and probably drives gigabit/s
> > connections.  So it can fit a lot of needs.  Therefore, it will be used
> > by people who differ a lot in resources ($ and technical).  Many people
> > have asked for an IDS on m0n0 so I think there is a need somewhere for
> > people who lack the resources to implement a separate IDS.
> > 
> > 
> >   But trying not to top-post could be an improvement.
> > 
> > > 
> > > 
> > > 
> > > 
> > > ----- Message from ugob at camo dash route dot com ---------
> > >    Date: Mon, 20 Jun 2005 18:32:55 -0400
> > >    From: Ugo Bellavance <ugob at camo dash route dot com>
> > > Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
> > > Subject: [m0n0wall]  Re: AW: Re: m0n0wall + Snort
> > >      To: m0n0wall at lists dot m0n0 dot ch
> > > 
> > > 
> > >> Adriel T. Desautels wrote:
> > >>
> > >>> Oliver,
> > >>>   I would hardly consider D-Link or Netgear to be good references for
> > >>> security best practices.
> > >>
> > >>
> > >> You may be right.  But try to find a firewall appliance that is in
> > >> competition with m0n0, you'll have a hard time finding one that doesn't
> > >> offer some sort of NIDS.  Netscreen, SonicWall, Fortinet, Symantec.
> > >>
> > >>> I would also seriously reconsider your last sentence which was
> > >>> "I think no Firewall is secure alone without an IDS."
> > >>
> > >>
> > >> I must say I second that.  A more accurate sentence would be that no network
> > >> is secure with only a firewall.  Security is a layered process, and the
> > >> more effective your layers and the more layers you've got, the more secure
> > >> your network should be.  However, more effective layers push the costs
> > >> up.
> > >>
> > >>>
> > >>>   Factually speaking, if the code used to write a firewall product is
> > >>> written in a secure manner, then the firewall will be secure. If you
> > >>> introduce an insecure software package such as a third party IDS solution
> > >>> to the same system running your secure firewall, then you've compromised
> > >>> the security of your firewall with that insecure package.
> > >>>
> > >>>    The security of a firewall is totally independent of IDS and vice
> > >>> versa. Having said that, I do suggest that IDS is a good idea for anyone if
> > >>> installed properly and configured correctly. I strongly suggest against
> > >>> installing IDS + Firewall on the same system if you are serious about
> > >>> network security.
> > >>>
> > >>
> > >> That is the point.  Being serious is having needs and resources.  Try to
> > >> balance security with budget, with usability, this is the never-ending
> > >> dilemma of the security information specialist.  The decision is yours.
> > >>
> > >>>
> > >>>
> > >>> ----- Message from oliver dot kainz at myez dot info ---------
> > >>>    Date: Mon, 20 Jun 2005 22:39:29 +0200
> > >>>    From: Oliver Kainz <oliver dot kainz at myez dot info>
> > >>> Reply-To: oliver dot kainz at myez dot info
> > >>> Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
> > >>>      To: m0n0wall at lists dot m0n0 dot ch
> > >>>
> > >>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>>> Adriel T. Desautels wrote:
> > >>>>>> Actually,
> > >>>>>>    In my experience it's not a very good idea to install an IDS on a
> > >>>>>> firewall device. Fact of the matter is an IDS device should have as
> > >>>>>> much processing power as you can give it to help reduce false positives
> > >>>>>> and false negatives (assuming heavy load and a good NIC). Increased
> > >>>>>> usage of the CPU from other services, such as firewalls, reduces the
> > >>>>>> amount of cycles that the IDS will have and as such reduces its
> > >>>>>> performance. Anyone else feel the same way?
> > >>>>
> > >>>>
> > >>>>
> > >>>>> What you think makes sense.  However, for a small business with an idle
> > >>>>> firewall like mine, it might be a good idea.  Having a traffic sniffer that
> > >>>>> is not on the firewall increases the costs a lot.  You need a separate
> > >>>>> machine, a tap or a switch with a mirror port.
> > >>>>
> > >>>>
> > >>>>
> > >>>> IDS on a firewall is not NEW, take a look at D-Link "DFL-200 and
> > >>>> DFL-700" or the Netgear "FVS ProSafe-VPN-Firewall" datasheet.
> > >>>> They have included an (N)IDS.
> > >>>> I think no Firewall is secure alone without an IDS.
> > >>>>
> > >>>> BR
> > >>>> Oliver
> > >>>>
> > >>>
> > >>>
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > 
> >
> 