[ previous ] [ next ] [ threads ]
 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall + Snort"
 Date:  Tue, 21 Jun 2005 11:17:34 -0400
   Well put man! There's something else I'd like to add to this thread as well.

   Factually speaking anyone can spoof network traffic because the underlying
protocols have no real facility to ensure the validity of data. Understanding
that, how can anyone trust a network based IDS/IPS system if its opinion is
based on potentially invalid "facts"? Simple, you can't. How many of 
you manage
IDS systems and are smothered by false positives?

   Firewalls on the other hand are designed to control traffic and to limit
inbound and outbound access. Firewalls are devices that I'd like to think of
more as traffic shaping devices than security devices. Firewall work, they do
what they are supposed to do if the code is written properly. Firewalls are a
proved solution.

   Fact, when you combine any firewall with any IDS solution on the same
hardware you reduce performance and reliability. The reduction in performance
means that your IDS engine will not be able to collect and match as much data
as it would if it was on a stand alone system.

   Also a fact, when you introduce a software product to a computer system you
ARE introducing new vulnerabilities. In theory, every software package 
a vulnerability unless it is mathematically proved to be sure. Why introduce
more vulnerabilities to what is possibly the most important system on a

   Now, having said all of that, IDS'es and IPS'es still have their place. They
are in fact useful for detecting intrusions and network problems but they are
not as great as the hype makes them out to be.

----- Message from cbuechler at gmail dot com ---------
    Date: Tue, 21 Jun 2005 10:28:39 -0400
    From: Chris Buechler <cbuechler at gmail dot com>
Reply-To: Chris Buechler <cbuechler at gmail dot com>
Subject: Re: [m0n0wall] Re: m0n0wall + Snort

> On 6/21/05, Bob Rich <rrich at gstisecurity dot com> wrote:
>> I don't know for sure, but i would imagine that snort runs on 
>> FreeBSD 4 just fine...isn't there a potential for using the m0n0 
>> platform for hosting snort?  The firewall and vpn capabilities could 
>> be trimmed to host protection only to avoid the dual use concerns 
>> illustrated below.  GUI pages for pointing to mysql or syslog boxen 
>> for output (to maintain 'embedability'), stealth port configuration, 
>> rule editing, etc should be much simpler than what is already in 
>> place for m0n0wall.
> FreeBSD is the platform of choice for many of the most accomplished
> and recognized people in the IDS/NSM (Network Security Monitoring)
> world, so sure, it'd work.
> What wouldn't work really well on the type of setup m0n0wall runs is
> keeping the necessary session data and other log info to make the IDS
> worthwhile.  It's not feasible to dump all that over to syslog and/or
> mysql, and m0n0wall's file system isn't conducive to that type of
> system.
> What the people who are fooled by the marketing folks of firewall
> devices with built in IDS don't realize is they're practically useless
> in that context.  First, what some call "IDS" has only a couple dozen
> signatures detecting attacks like the "ping of death" that haven't
> been used (effectively) since the 90's.  If you're still vulnerable to
> decade-old attacks, you have way more issues than needing an IDS.
> Secondly, even if they do include a full blown IDS ruleset, I've yet
> to see any that provide anything much more than a one line "Alert -
> XYZ exploit detected".
> So, how do you know it really was an exploit attempt on that, and not
> a signature mismatch?  Can't see the actual packets, so you don't
> know.  How did your server respond, or did it respond at all?  Sorry,
> can't figure that out either.  For all you know, the exploit worked,
> and the server is rootkitted.  So you can't trust the machine, and the
> only way to then tell with certainty what happened is to go into
> incident response mode, pull the server offline, and examine with
> known-good tools.
> My point is, if you think these firewall-embedded IDS systems are
> actually doing much of anything for you, you're seriously mistaken and
> have drank way too much of the marketing Kool Aid.  If anybody knows
> of a firewall that does provide full session data, I'd love to hear
> about it.
> I'd strongly recommend http://www.bookpool.com/sm/0321246772 if you
> have further interest in this area.
> -Chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

----- End message from cbuechler at gmail dot com -----

     Adriel T. Desautels
     Secure Network Operations, Inc.

Secure Network Operations - http://www.secnetops.com