 From:  "Adriel T. Desautels" <atd at secnetops dot com>
 To:  • • <googl3meister at gmail dot com>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Addendum: 0 tolerance no IDS = bad idea -- Re: [m0n0wall] IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall + Snort"
 Date:  Wed, 22 Jun 2005 23:13:24 -0400
Greetings again,
    One of the most common things that my team and I run into is people who
think that they are secure because they deny all inbound connections. One of
the things that we constantly run into is people who are surprised when we are
able to penetrate those networks and perform distributed metastasis.

    Where is the border of your network? Is it all of your Internet facing
systems? Or is it any system that can make an outbound connection to the

    Take this into consideration. Let's assume that your network will not allow
ANY inbound connections, regardless of how crafty the attacker is. Let's say
that a crafty hacker manages to crack a website that you browse to often. That
crafty person installs a malicious chunk of code on that website. You browse to
it, it compromises your browser and your system. Your system then connects back
out to a predefined system. Your network is owned.

    Do you think you'll want IDS monitoring your outbound traffic?

----- Message from googl3meister at gmail dot com ---------
    Date: Thu, 23 Jun 2005 08:23:04 +1000
    From: • • <googl3meister at gmail dot com>
Reply-To: • • <googl3meister at gmail dot com>
Subject: Re: [m0n0wall] IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall +
      To: Chris Buechler <cbuechler at gmail dot com>

> On 6/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
>> On 6/22/05, • • <googl3meister at gmail dot com> wrote:
>> >
>> > > Then since you don't allow anything inbound, you're just doing it for
>> > > the sake of seeing what's out there because you're curious.  That's
>> > > much different than relying on it for detecting intrusions.  You're
>> > > just using it as an Internet Crud Detector. (how about a new acronym,
>> > > ICD!)  :)   You aren't going to detect any intrusions because you
>> > > aren't allowing any of that traffic in.  A simple ICD is fine for the
>> > > sake of the curious, but if you actually want to detect intrusions,
>> > > it's of little value.
>> > >
>> >
>> > I'm sorry but that's just not true - I still use it to get out...  I'm
>> > sorry, but you don't appear to have much commercial experience with
>> > snort.
>> >
>> I have plenty of commercial IDS experience, including Snort.  You're
>> missing my point.  If you're dropping all inbound traffic, as you
>> said, you *aren't* detecting intrusions!  There can't be any!!  (at
>> least in the traditional inbound from the Internet sense)  You're
>> detecting crud on the Internet that can't possibly hurt you.
> I'm not missing any points, but just to recap:
> - I don't recall saying I ever had an IDS running as a full blown
> IDS, so accusing me of not having one is kinda pointless.  I am well
> aware of what I've built. I simply responded to the list with comments
> from my recent experience.
> - Yes, a new ICD rule was added to snort yesterday and your emails
> keep triggering it :)
> - Accusing me of not detecting anything is plain ludicrous - true I
> won't be detecting any intrusions unless bugs in m0n0/snort or a
> trojan makes its way in via other means (SSL, VPN, laptop), but
> otherwise I still see an enormous number of intrusion attempts on the
> outside, not to mention all the other cruft.
> - What I said is that I installed snort on the m0n0 image and am
> using it for RESEARCH.
> The last sentence is the key.  If you have an issue with any of
> that... feel free to direct to /dev/null.  IDS is always a contentious
> issue, but please don't clutter the list with statements like, "You're
> not detecting anything" because that is just a plain outright lie and
> you should know better if you have the experience you say you have.
> --no hard feelings
> gm

----- End message from googl3meister at gmail dot com -----

     Adriel T. Desautels
     Secure Network Operations, Inc.

Secure Network Operations - http://www.secnetops.com