Hrm,
Now that is a sexy idea!
----- Message from rrich at gstisecurity dot com ---------
Date: Tue, 21 Jun 2005 09:41:54 -0400
From: Bob Rich <rrich at gstisecurity dot com>
Reply-To: Bob Rich <rrich at gstisecurity dot com>
Subject: Re: [m0n0wall] Re: m0n0wall + Snort
To: sai <sonicsai at gmail dot com>
> What about m0n0snort?
>
> For me the thing that makes m0n0wall so great is the excellent
> encapsulation of the underlying OS into a very clean and easy to use
> interface. (*clap* *clap* *clap*)
>
> I don't know for sure, but I would imagine that snort runs on FreeBSD
> 4 just fine... isn't there a potential for using the m0n0 platform for
> hosting snort? The firewall and vpn capabilities could be trimmed to
> host protection only to avoid the dual use concerns illustrated
> below. GUI pages for pointing to mysql or syslog boxen for output
> (to maintain 'embedability'), stealth port configuration, rule
> editing, etc. should be much simpler than what is already in place for
> m0n0wall.
>
> Note I'm not suggesting _who_ does this, but I think the idea has some merit.
>
>
>
> ----- Original Message -----
> From: sai <sonicsai at gmail dot com>
> To: Ugo Bellavance <ugob at camo dash route dot com>
> Cc: m0n0wall at lists dot m0n0 dot ch
> Sent: Tue, 21 Jun 2005 05:27:25 -0400
> Subject: [m0n0wall] Re: m0n0wall + Snort
>
>
>> Vendors will try to sell whatever is easier to sell and that generates
>> more profits. There are firewalls with anti-spam and anti-virus
>> software. Anti-spam!!
>> The pitch is that all your security is handled by one machine. It is
>> easier to handle. Lower cost. etc. etc.
>>
>> The main driver for this trend is that CPU power is available
>> cheaply, so it is possible to do this.
>> My thinking is that IDS and anti-spam, anti-virus are not something
>> that you should have on a firewall as these can take up huge amounts
>> of CPU plus storage. If something goes wrong then you have no
>> firewall, no nothing.
>> The more software you have on a machine the more there is to go wrong.
>>
>> M0n0 philosophy is to have a pure firewall and this is good. Personally
>> I think that having a few more functions (than currently implemented
>> on m0n0) will not do much harm.
>>
>> On 6/21/05, Ugo Bellavance <ugob at camo dash route dot com> wrote:
>> > Adriel T. Desautels wrote:
>> > > Ugo,
>> > > Very, very true indeed. I think that if m0n0wall developers are going
>> > > to consider implementing snort into their product then they will need
>> > > to carefully consider many different points. The most important of
>> > > which (in my opinion) is the additional responsibility to their users
>> > > and additional support created by the introduction of snort or another
>> > > IDS solution.
>> >
>> > Yup. And it is a lot of work to implement and configure and make it as
>> > easy as it is with m0n0 for firewalling issues.
>> >
>> > >
>> > > I still can't say that I'd be interested in using a solution that
>> > > provided "IDS" capabilities in conjunction with firewalling
>> > > capabilities just because of the increased load which leads to
>> > > increased false positives and negatives.
>> > >
>> > > Most false positives and false negatives that are not signature based
>> > > occur at the NIC level. On your average NIC when the network load is
>> > > at roughly 50% your false negative rate is very close to 100%.
>> > > Introducing other processes to the system will cause an increase on
>> > > the false negatives and reduce the effectiveness of the IDS solution
>> > > even more. So now instead of 50% load = near 100% false negatives you
>> > > might be at 30% load = near 100%. I don't know about you but that is
>> > > not a reasonable sacrifice to me.
>> > >
>> >
>> > Interesting point. But 30% load is still ~300 Mbits/s on a Gigabit
>> > NIC. That is still a lot of bandwidth for a WAN connection :).
>> >
>> > > This stands true unless you are using a special card of course. But
>> > > most of those "special cards" are R/O taps and what not. Anyway, just
>> > > my 2 cents. I still think that a firewall should be a firewall and
>> > > that IDS should be IDS.
>> > > Maybe I am thinking too corporate here and being too anal?
>> > >
>> >
>> > No, it is okay. It is just a difference in values. Most m0n0wall users
>> > (I think) use them on embedded devices like WRAPs and Soekris. That
>> > gives a throughput of a firewall that costs ~1000$, or even less. On
>> > the other end, it is also used with 14 NICs and probably drives gigabit/s
>> > connections. So it can fit a lot of needs. Therefore, it will be used
>> > by people who differ a lot in resources ($ and technical). Many people
>> > have asked for an IDS on m0n0 so I think there is a need somewhere for
>> > people who lack the resources to implement a separate IDS.
>> >
>> >
>> > But trying not to top-post could be an improvement.
>> >
>> > >
>> > >
>> > >
>> > >
>> > > ----- Message from ugob at camo dash route dot com ---------
>> > > Date: Mon, 20 Jun 2005 18:32:55 -0400
>> > > From: Ugo Bellavance <ugob at camo dash route dot com>
>> > > Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
>> > > Subject: [m0n0wall] Re: AW: Re: m0n0wall + Snort
>> > > To: m0n0wall at lists dot m0n0 dot ch
>> > >
>> > >
>> > >> Adriel T. Desautels wrote:
>> > >>
>> > >>> Oliver,
>> > >>> I would hardly consider D-Link or Netgear to be good references for
>> > >>> security best practices.
>> > >>
>> > >>
>> > >> You may be right. But try to find a firewall appliance that is in
>> > >> competition with m0n0, you'll have a hard time finding one that doesn't
>> > >> offer some sort of NIDS. Netscreen, SonicWall, Fortinet, Symantec.
>> > >>
>> > >>> I would also seriously reconsider your last sentence which was
>> > >>> "I think no Firewall is secure alone without an IDS."
>> > >>
>> > >>
>> > >> I must say I second that. A more accurate sentence would be that no
>> > >> network is secure with only a firewall. Security is a layered process,
>> > >> and the more effective your layers and the more layers you've got, the
>> > >> more secure your network should be. However, more effective layers push
>> > >> the costs up.
>> > >>
>> > >>>
>> > >>> Factually speaking, if the code used to write a firewall product is
>> > >>> written in a secure manner, then the firewall will be secure. If you
>> > >>> introduce an insecure software package such as a third party IDS
>> > >>> solution to the same system running your secure firewall, then you've
>> > >>> compromised the security of your firewall with that insecure package.
>> > >>>
>> > >>> The security of a firewall is totally independent of IDS and vice
>> > >>> versa. Having said that, I do suggest that IDS is a good idea for
>> > >>> anyone if installed properly and configured correctly. I strongly
>> > >>> suggest against installing IDS + Firewall on the same system if you
>> > >>> are serious about network security.
>> > >>>
>> > >>
>> > >> That is the point. Being serious is having needs and resources. Try to
>> > >> balance security with budget, with usability; this is the never-ending
>> > >> dilemma of the security information specialist. The decision is yours.
>> > >>
>> > >>>
>> > >>>
>> > >>> ----- Message from oliver dot kainz at myez dot info ---------
>> > >>> Date: Mon, 20 Jun 2005 22:39:29 +0200
>> > >>> From: Oliver Kainz <oliver dot kainz at myez dot info>
>> > >>> Reply-To: oliver dot kainz at myez dot info
>> > >>> Subject: AW: [m0n0wall] Re: m0n0wall + Snort
>> > >>> To: m0n0wall at lists dot m0n0 dot ch
>> > >>>
>> > >>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>>> Adriel T. Desautels wrote:
>> > >>>>>> Actually,
>> > >>>>>> In my experience it's not a very good idea to install an IDS on a
>> > >>>>>> firewall device. Fact of the matter is an IDS device should have as
>> > >>>>>> much processing power as you can give it to help reduce false
>> > >>>>>> positives and false negatives (assuming heavy load and a good NIC).
>> > >>>>>> Increased usage of the CPU from other services, such as firewalls,
>> > >>>>>> reduces the amount of cycles that the IDS will have and as such
>> > >>>>>> reduces its performance. Anyone else feel the same way?
>> > >>>>
>> > >>>>> What you think makes sense. However, for a small business with an
>> > >>>>> idle firewall like mine, it might be a good idea. Having a traffic
>> > >>>>> sniffer that is not on the firewall increases the costs a lot. You
>> > >>>>> need a separate machine, a tap or a switch with a mirror port.
>> > >>>>
>> > >>>> IDS on a firewall is not NEW, take a look at the D-Link "DFL-200 and
>> > >>>> DFL-700" or the Netgear "FVS ProSafe-VPN-Firewall" datasheet.
>> > >>>> They have included an (N)IDS.
>> > >>>> I think no Firewall is secure alone without an IDS.
>> > >>>>
>> > >>>> BR
>> > >>>> Oliver
>> > >>>>
>> > >>>
>> > >>>
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>> >
>> >
>>
>>
>>
>
>
>
----- End message from rrich at gstisecurity dot com -----
Regards,
Adriel T. Desautels
Secure Network Operations, Inc.
http://www.secnetops.com
----------------------------------------------------------------
Secure Network Operations - http://www.secnetops.com |