 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Addendum: 0 tolerance no IDS = bad idea -- Re: [m0n0wall] IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall + Snort"
 Date:  Thu, 23 Jun 2005 19:17:04 -0400
this has been OT for quite a while, but oh well.  :)  I was going to
let the thread die, since the last guy and I agreed on everything but
semantics.  but this brings up a new twist.

this is good stuff.  In the user's guide for 1.2 that I'm working on
offline, I'm going to add something along these lines, since there's
such a "we have a firewall so we're secure!" mentality.  In fact,
anybody want to volunteer to write this section?  The whole thing is
never going to get done by 1.2 release if I'm the only person working
on it.  :)  email me offlist if you'd like to volunteer (for this or
any other portion).


On 6/22/05, Adriel T. Desautels <atd at secnetops dot com> wrote:
> Greetings again,
>    One of the most common things that my team and I run into is people who
> think that they are secure because they deny all inbound connections. One of
> the things that we constantly run into is people who are surprised when we are
> able to penetrate those networks and perform distributed metastasis.
> 

yep, saw exactly the same in my previous life as a security
consultant.  This is why egress filtering is important, but that alone
doesn't solve even close to all of the problem since most places let
out the most common ports (80/443 at least) from everything.  Proxying
everything outbound, with strict controls on the proxy (dropping all
executables, ActiveX, etc. etc.) is probably the best solution for
this.

of course all the technology in the world won't counter what is almost
always the weakest link - the users.


> 
>    Do you think you'll want IDS monitoring your outbound traffic?
> 

I have IDS monitoring all my inbound and outbound traffic, almost all
LAN traffic, and all WAN traffic.  I never said IDS was a bad idea;
rather it's a requirement if you want a defensible network.  You just
have to do it right, or it's not worth much.

-Chris
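As an added illustration of the egress-filtering point made in the message above (example code written for this page, not code from the thread, from m0n0wall or from ipfilter; the log line format, the addresses and both rule sets are constructed assumptions), the script below checks the same constructed outbound connection log against two policies: the common "any LAN host may reach 80/443" rule set, and a proxy-only rule set in which just the proxy and the resolver may leave the LAN. The comparison shows what the reply describes: the permissive policy flags only the odd port, while the proxy-only policy also catches a workstation talking directly to the Internet on 443.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN layout (assumption for this example).
LAN = ipaddress.ip_network("192.168.1.0/24")
PROXY = ipaddress.ip_network("192.168.1.10/32")     # outbound HTTP/HTTPS proxy
RESOLVER = ipaddress.ip_network("192.168.1.2/32")   # internal DNS forwarder


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


# A policy is a list of (allowed source network, protocol, destination port).
# Anything leaving the LAN that matches no rule is a violation.

# "Let the common ports out from everything": what many sites actually run.
NAIVE_EGRESS = [
    (LAN, "tcp", 80),
    (LAN, "tcp", 443),
    (LAN, "udp", 53),
]

# Proxy-only egress: workstations never reach the Internet directly.
PROXY_ONLY_EGRESS = [
    (PROXY, "tcp", 80),
    (PROXY, "tcp", 443),
    (RESOLVER, "udp", 53),
]


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line of the form
    'src=A dst=B proto=P dport=N' (a simplified format, not ipfilter's)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def leaves_lan(flow: Flow) -> bool:
    """Only LAN-to-outside traffic is subject to the egress policy."""
    return flow.src in LAN and flow.dst not in LAN


def permitted(flow: Flow, policy) -> bool:
    return any(
        flow.src in net and flow.proto == proto and flow.dport == port
        for net, proto, port in policy
    )


def violations(lines, policy):
    """Return the egress flows that the given policy would not allow."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return [f for f in flows if leaves_lan(f) and not permitted(f, policy)]


def offenders(lines, policy):
    """Sorted list of LAN hosts that tried to leave the LAN outside policy."""
    return sorted({str(f.src) for f in violations(lines, policy)})


# Constructed sample log: one proxy fetch, one workstation going direct on
# 443, one workstation on an odd port, one resolver query, one internal flow.
SAMPLE_LOG = """
src=192.168.1.10 dst=198.51.100.7 proto=tcp dport=443
src=192.168.1.57 dst=198.51.100.7 proto=tcp dport=443
src=192.168.1.57 dst=198.51.100.9 proto=tcp dport=6667
src=192.168.1.2 dst=198.51.100.53 proto=udp dport=53
src=192.168.1.57 dst=192.168.1.20 proto=tcp dport=445
""".strip().splitlines()


if __name__ == "__main__":
    for name, policy in (("naive", NAIVE_EGRESS), ("proxy-only", PROXY_ONLY_EGRESS)):
        print(f"{name}: {len(violations(SAMPLE_LOG, policy))} violation(s) "
              f"from {offenders(SAMPLE_LOG, policy)}")
```

The same log evaluated under the two policies gives different pictures: the naive policy reports only the 6667 connection, so the workstation's direct 443 connection, the one a reverse shell or tunnel would use, passes silently. Under the proxy-only policy that connection is a violation too, which is exactly the kind of event an IDS watching outbound traffic should be raising.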