RE: Off-Topic: perfect firewall (was Re: IDS is dead, etc)
From: Carey, Steve T GARRISON <steven-carey(at)us.army.mil>
Date: Mon Aug 11 2003 - 12:49:39 EDT
"An environment with a perfect firewall only gets "0-day" (or any other sort) of attacks that are so completely new that no IDS would know to look for them. Only protocols that we _thought_ we understood well, with implementations that we _thought_ weren't going to bite us on the goolies, are allowed in."

Only pertains to rule-based IDS. We still use SHADOW for our main IDS and write rules for SNORT based on unusual traffic we see with SHADOW. Doesn't mean that's all we use... since there is no 'silver bullet' IDS (or firewall), we use a suite of IDS tools. If we see something unusual we have ways to look at the data traffic, before we write a rule, to ensure what is going on. With a "0-day" attack it is usually too late to write a rule for either SNORT or a firewall, which is why we have analysts 24/7 reviewing SHADOW logs and following up with logs from other IDSs. Not using analysts to review logs is (in my personal opinion only) too risky. I cannot afford to assume that a firewall or IDS is going to protect my network without a human touch. And as far as I can tell, even with Intrusion Prevention software, there is still a long, long way to go.

Steve Carey
-----Original Message-----
2003-08-08T12:22:21 Sam F. Stover:

It doesn't. Nothing does.

> Granted a strings searching IDS might not help you there, but a

An environment with a perfect firewall only gets "0-day" (or any other sort) of attacks that are so completely new that no IDS would know to look for them. Only protocols that we _thought_ we understood well, with implementations that we _thought_ weren't going to bite us on the goolies, are allowed in.

> I guess my real question is how to keep your firewall perfect?

The firewall itself is the easiest part --- it's simple, because it passes few protocols, and they're very very mature ones for which mature, well-maintained, well-designed proxies are available; and it's really only there for defense in depth, because all the network-traffic-touching apps behind the firewall are also well-designed, secure ones with rare and few holes; and you've got aggressive cfg mgmt to make it cheap to rapidly deploy security fixes on the rare occasions when problems are reported with these apps.

> The instant you drop it in place, you'll have to stay ahead of

Absolutely. It's impossible to do this in an uncontrolled environment. It's possible to do it in a sufficiently tightly-controlled environment with mostly good-quality software allowed to touch network traffic, and the rare bits of unavoidable evil locked tightly in sandboxes. Such an env requires customers willing to trade off lack of choices in platform and apps, and limits to categories of apps they'll be permitted to use. In exchange, they get vastly improved availability and reduced operating costs.

> Also, isn't every IDS implementation an educational tool to some

Sure is. And if I ever am permitted to set up the fantasy perfect firewall, I'll have enough time (and the company will have saved enough money:-) to let me set up that honeypot+ids to keep me on top of things. So yes, when you get right down to it, I was talking about a platonic theoretical ideal, and I can't seem to construct a believable description of an environment where I wouldn't run an IDS.

-Bennett
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:17 EDT