 
 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  Bob Rich <rrich at gstisecurity dot com>
 Cc:  sai <sonicsai at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: m0n0wall + Snort
 Date:  Tue, 21 Jun 2005 10:18:08 -0400
Hrm,
    Now that is a sexy idea!


----- Message from rrich at gstisecurity dot com ---------
    Date: Tue, 21 Jun 2005 09:41:54 -0400
    From: Bob Rich <rrich at gstisecurity dot com>
Reply-To: Bob Rich <rrich at gstisecurity dot com>
Subject: Re: [m0n0wall] Re: m0n0wall + Snort
      To: sai <sonicsai at gmail dot com>


> What about m0n0snort?
>
> For me the thing that makes m0n0wall so great is the excellent 
> encapsulation of the underlying OS into a very clean and easy to use 
> interface. (*clap* *clap* *clap*)
>
> I don't know for sure, but I would imagine that snort runs on FreeBSD
> 4 just fine...isn't there a potential for using the m0n0 platform for
> hosting snort?  The firewall and vpn capabilities could be trimmed to
> host protection only to avoid the dual use concerns illustrated
> below.  GUI pages for pointing to mysql or syslog boxen for output
> (to maintain 'embedability'), stealth port configuration, rule
> editing, etc. should be much simpler than what is already in place for
> m0n0wall.
>
> Note I'm not suggesting _who_ does this, but I think the idea has some merit.
>
>
>
> ----- Original Message -----
> From: sai <sonicsai at gmail dot com>
> To: Ugo Bellavance <ugob at camo dash route dot com>
> Cc: m0n0wall at lists dot m0n0 dot ch
> Sent: Tue, 21 Jun 2005 05:27:25 -0400
> Subject: [m0n0wall] Re: m0n0wall + Snort
>
>
>> Vendors will try to sell whatever is easier to sell and that generates
>> more profits. There are firewalls with anti-spam and anti-virus
>> software. Anti-spam!!
>> The pitch is that all your security is handled by one machine. It is
>> easier to handle. Lower cost. etc. etc.
>>
>> The main driver for this trend is that CPU power is available
>> cheaply, so it is possible to do this.
>> My thinking is that IDS and anti-spam, anti-virus are not something
>> that you should have on a firewall as these can take up huge amounts
>> of CPU plus storage. If something goes wrong then you have no
>> firewall, no nothing.
>> The more software you have on a machine the more there is to go wrong.
>>
>> M0n0 philosophy is to have pure firewall and this is good. Personally
>> I think that having a few more functions (than currently implemented
>> on m0n0) will not do much harm.
>>
>> On 6/21/05, Ugo Bellavance <ugob at camo dash route dot com> wrote:
>> > Adriel T. Desautels wrote:
>> > > Ugo,
>> > >   Very, very true indeed. I think that if m0n0wall developers are going
>> > > to consider implementing snort into their product then they will need to
>> > > carefully consider many different points. The most important of which (in my
>> > > opinion) is the additional responsibility to their users and additional
>> > > support created by the introduction of snort or another IDS solution.
>> >
>> > Yup.  And it is a lot of work to implement and configure and make it as
>> > easy as it is with m0n0 for firewalling issues.
>> >
>> > >
>> > >   I still can't say that I'd be interested in using a solution that
>> > > provided "IDS" capabilities in conjunction with firewalling capabilities
>> > > just because of the increased load which leads to increased false
>> > > positives and negatives.
>> > >
>> > >   Most false positives and false negatives that are not signature based
>> > > occur at the NIC level. On your average NIC when the network load is at
>> > > roughly 50% your false negative rate is very close to 100%. Introducing
>> > > other processes to the system will cause an increase on the false
>> > > negatives and reduce the effectiveness of the IDS solution even more. So
>> > > now instead of 50% load = near 100% false negatives you might be at 30%
>> > > load = near 100%. I don't know about you but that is not a reasonable
>> > > sacrifice to me.
>> > >
>> >
>> > Interesting point.  But 30% load is still ~300 Mbits/s on a Gigabit
>> > NIC.  That is still a lot of bandwidth for a WAN connection :).
>> >
>> > >   This stands true unless you are using a special card of-course. But
>> > > most of those "special cards" are R/O taps and what not. Anyway, just my
>> > > 2 cents. I still think that a firewall should be a firewall and that IDS
>> > > should be IDS. Maybe I am thinking too corporate here and being too anal?
>> > >
>> >
>> > No, it is okay.  It is just a difference in values.  Most m0n0wall users
>> > (I think) use them on embedded devices like WRAPs and Soekris. That
>> > gives a throughput of a firewall that costs ~1000$, or even less.  On
>> > the other end, it is also used with 14 NICs and probably drives gigabit/s
>> > connections.  So it can fit a lot of needs.  Therefore, it will be used
>> > by people who differ a lot in resources ($ and technical).  Many people
>> > have asked for an IDS on m0n0 so I think there is a need somewhere for
>> > people who lack the resources to implement a separate IDS.
>> >
>> >
>> >   But trying not to top-post could be an improvement.
>> >
>> > >
>> > >
>> > >
>> > >
>> > > ----- Message from ugob at camo dash route dot com ---------
>> > >    Date: Mon, 20 Jun 2005 18:32:55 -0400
>> > >    From: Ugo Bellavance <ugob at camo dash route dot com>
>> > > Reply-To: Ugo Bellavance <ugob at camo dash route dot com>
>> > > Subject: [m0n0wall]  Re: AW: Re: m0n0wall + Snort
>> > >      To: m0n0wall at lists dot m0n0 dot ch
>> > >
>> > >
>> > >> Adriel T. Desautels wrote:
>> > >>
>> > >>> Oliver,
>> > >>>   I would hardly consider D-Link or Netgear to be good references for
>> > >>> security best practices.
>> > >>
>> > >>
>> > >> You may be right.  But try to find a firewall appliance that is in
>> > >> competition with m0n0, you'll have a hard time finding one that doesn't
>> > >> offer some sort of NIDS.  Netscreen, SonicWall, Fortinet, Symantec.
>> > >>
>> > >>> I would also seriously reconsider your last sentence which was
>> > >>> "I think no Firewall is secure alone without an IDS."
>> > >>
>> > >>
>> > >> I must say I second.  A more accurate sentence would be that no network
>> > >> is secure with only a firewall.  Security is a layered process, and the
>> > >> more effective your layers and the more layers you've got, the more
>> > >> secure your network should be.  However, more effective layers push the
>> > >> costs up.
>> > >>
>> > >>>
>> > >>>   Factually speaking, if the code used to write a firewall product is
>> > >>> written in a secure manner, then the firewall will be secure. If you
>> > >>> introduce an insecure software package such as a third party IDS
>> > >>> solution to the same system running your secure firewall, then you've
>> > >>> compromised the security of your firewall with that insecure package.
>> > >>>
>> > >>>    The security of a firewall is totally independent of IDS and vice
>> > >>> versa. Having said that, I do suggest that IDS is a good idea for anyone
>> > >>> if installed properly and configured correctly. I strongly suggest
>> > >>> against installing IDS + Firewall on the same system if you are serious
>> > >>> about network security.
>> > >>>
>> > >>
>> > >> That is the point.  Being serious is having needs and resources.  Try to
>> > >> balance security with budget, with usability, this is the neverending
>> > >> dilemma of the security information specialist.  The decision is yours.
>> > >>
>> > >>>
>> > >>>
>> > >>> ----- Message from oliver dot kainz at myez dot info ---------
>> > >>>    Date: Mon, 20 Jun 2005 22:39:29 +0200
>> > >>>    From: Oliver Kainz <oliver dot kainz at myez dot info>
>> > >>> Reply-To: oliver dot kainz at myez dot info
>> > >>> Subject: AW: [m0n0wall]  Re: m0n0wall + Snort
>> > >>>      To: m0n0wall at lists dot m0n0 dot ch
>> > >>>
>> > >>>
>> > >>>>
>> > >>>>>> Adriel T. Desautels wrote:
>> > >>>>>> Actually,
>> > >>>>>>    In my experience it's not a very good idea to install an IDS on a
>> > >>>>>> firewall device. Fact of the matter is an IDS device should have as
>> > >>>>>> much processing power as you can give it to help reduce false
>> > >>>>>> positives and false negatives (assuming heavy load and a good NIC).
>> > >>>>>> Increased usage of the CPU from other services, such as firewalls,
>> > >>>>>> reduces the amount of cycles that the IDS will have and as such
>> > >>>>>> reduces its performance. Anyone else feel the same way?
>> > >>>>
>> > >>>>> What you think makes sense.  However, for a small business with an
>> > >>>>> idle firewall like mine, it might be a good idea.  Having a traffic
>> > >>>>> sniffer that is not on the firewall increases the costs a lot.  You
>> > >>>>> need a separate machine, a tap or a switch with a mirror port.
>> > >>>>
>> > >>>> IDS on a firewall is not NEW, take a look at D-Link "DFL-200 and
>> > >>>> DFL-700"
>> > >>>> Or the Netgear "FVS ProSafe-VPN-Firewall" Datasheet.
>> > >>>> They have included an (N)IDS.
>> > >>>> I think no Firewall is secure alone without an IDS.
>> > >>>>
>> > >>>> BR
>> > >>>> Oliver
>> > >>>>
>> > >>>
>> > >>>
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>> >
>> >
>>
>>
>>
>
>
>


----- End message from rrich at gstisecurity dot com -----



Regards,
     Adriel T. Desautels
     Secure Network Operations, Inc.
     http://www.secnetops.com

----------------------------------------------------------------
Secure Network Operations - http://www.secnetops.com
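The "m0n0snort" idea above rests on shipping Snort's alerts off the firewall over syslog rather than storing them on the embedded box. The following is an added example, not m0n0wall or Snort code and not from anyone in this thread: it parses alert lines in the shape Snort 2.x's alert_syslog / alert_fast outputs produce (gid:sid:rev, message, classification, priority, protocol, source -> destination) into records and summarises them, so a collector on the "syslog box" can answer the questions an operator actually asks (how many priority-1 alerts, which source is loudest). The exact line layout, the sample log lines and the hostname "fw" are assumptions constructed for the example.

```python
"""Parse Snort alert_syslog / alert_fast style lines and summarise them.

Added example for the m0n0wall + Snort thread; not m0n0wall or Snort code.
The alert layout matched below is an assumption based on Snort 2.x output:
  [gid:sid:rev] msg [Classification: c] [Priority: n]: {PROTO} src:sport -> dst:dport
The syslog variant carries a ':' after [Priority: n]; alert_fast does not and
wraps the signature/msg in '[**]' markers, so both are tolerated.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed alert layout (see module docstring). Ports are optional so that
# ICMP alerts, which carry bare addresses, still parse.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_log(lines: Iterable[str]) -> List[Alert]:
    """Parse a whole syslog stream, silently skipping non-alert lines."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def summarise(alerts: Iterable[Alert]) -> Dict[str, Counter]:
    """Counts an operator wants at a glance: by priority, by source, by signature."""
    alerts = list(alerts)
    return {
        "by_priority": Counter(a.priority for a in alerts),
        "by_source": Counter(a.src for a in alerts),
        "by_signature": Counter((a.gid, a.sid) for a in alerts),
    }


def high_priority(alerts: Iterable[Alert], max_priority: int = 1) -> List[Alert]:
    """Alerts at or above the given priority (Snort priority 1 is the most severe)."""
    return [a for a in alerts if a.priority <= max_priority]


# Constructed sample syslog stream: two syslog-style alerts, one alert_fast
# style alert, and one unrelated firewall log line that must be ignored.
SAMPLE_LOG = [
    "Jun 21 10:18:08 fw snort[1234]: [1:2003:8] WEB-MISC /etc/passwd access attempt "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3421 -> 192.168.1.10:80",
    "Jun 21 10:19:30 fw snort[1234]: [1:469:3] ICMP PING NMAP "
    "[Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.5 -> 192.168.1.10",
    "06/21-10:20:01.123456  [**] [1:2003:8] WEB-MISC /etc/passwd access attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3422 -> 192.168.1.10:80",
    "Jun 21 10:20:05 fw ipmon[99]: block in on sis0 10.0.0.5,3423 -> 192.168.1.10,23 PR tcp",
]


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    summary = summarise(alerts)
    print(f"{len(alerts)} alerts parsed")
    print("by priority :", dict(summary["by_priority"]))
    print("by source   :", summary["by_source"].most_common(3))
    print("priority-1  :", [(a.sid, a.src, a.dst, a.dport) for a in high_priority(alerts)])
```

The parser uses `re.search`, so the syslog timestamp and `snort[pid]:` prefix are ignored rather than assumed; a line that is not an alert yields `None` instead of a half-filled record, which keeps the collector from counting firewall log noise as detections.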