
RE: [FW1] Intrusion Detection



One good thing about IDS systems is that they do not need to be certified to
work with a certain firewall, unless you are trying to put the IDS on the
firewall and at that point I would have to say DON'T DO IT!!!!!!

NEVER EVER put IDS on the firewall.  It is a firewall.  Its job is to
protect the front door.  A good IDS system can be, and should be, used for
protecting the internal resources.  If a WEB server gets hacked, it would
be great if the IDS could put on the original page and get rid of the hacked
version.  Most of the IDS systems have a basic understanding of this and can
do some smaller tasks like this.

Some do even more like watch certain directories for changes and replace
changes with original files.  Thus the change never happens.  Fewer still
have the functionality to talk to the firewalls and write rules according to
certain hack attempts.  This one, as you might imagine, is the dangerous
kind.

But the right IDS system, implemented in the correct way, can be very
lethal for the would-be hacker.  I have found a direct correlation with,
"you get what you pay for." in this arena.

My advice is research the commercial products out there.  Find the "neat
features" that you like.  See if the freeware versions have the options you
want and make a choice that way.  The IDS system does not have to be
certified for a specific firewall if you are not asking the IDS to write to
the firewall, (that was the dangerous option).

Just my opinion, and we all know what opinions are worth.

Good luck!

-----Original Message-----
From: Lance Spitzner [mailto:[email protected]]
Sent: Friday, January 12, 2001 6:12 PM
To: Jon Vandiveer
Cc: [email protected]
Subject: re: [FW1] Intrusion Detection



On Fri, 12 Jan 2001, Jon Vandiveer wrote:

> Currently there is only ONE certified IDS product for Checkpoint,
> RealSecure. Check out www.opsec.com
>
> However I have heard that NFR (www.nfr.com) will work with Checkpoint
>
> Just remember that Intrusion Detection is different from Intrusion
> Response.
> i.e. Sn0rt does detection, but cannot Block connections; while RealSecure
> can issue commands to FW's and routers.

When dealing with Unix, one never says the word can't.  It is possible
to have snort reconfigure FW-1 rules.

http://www.enteract.com/~lspitz/intrusion.html

However, I would be EXTREMELY careful how you can use this feature.

lance




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
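
The directory-watching behaviour described in the reply above (notice a changed file and put the original back), sketched as an added example that is not part of this thread or of any IDS product's code. The golden/live/quarantine directory layout and all function names are assumptions, and the sample site in `demo()` is constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(golden: Path) -> dict:
    """Map each file's relative path in the known-good copy to its digest."""
    return {p.relative_to(golden).as_posix(): sha256(p)
            for p in sorted(golden.rglob("*")) if p.is_file()}

def check_and_restore(live: Path, golden: Path, quarantine: Path, baseline: dict) -> dict:
    report = {"restored": [], "quarantined": []}
    quarantine.mkdir(parents=True, exist_ok=True)
    for rel, digest in baseline.items():
        target = live / rel
        if target.is_file() and sha256(target) == digest:
            continue  # file matches the baseline, nothing to do
        if target.is_file():  # keep the altered copy as evidence before overwriting
            shutil.move(str(target), str(quarantine / rel.replace("/", "_")))
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, target)  # put the original back
        report["restored"].append(rel)
    for p in sorted(live.rglob("*")):  # files that were never in the baseline
        rel = p.relative_to(live).as_posix()
        if p.is_file() and rel not in baseline:
            shutil.move(str(p), str(quarantine / rel.replace("/", "_")))
            report["quarantined"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample: one defaced page, one deleted file, one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        golden, live, quarantine = root / "golden", root / "live", root / "quarantine"
        (golden / "css").mkdir(parents=True)
        (golden / "index.html").write_text("<h1>Welcome</h1>")
        (golden / "css" / "site.css").write_text("h1 { color: navy }")
        baseline = build_baseline(golden)  # taken while the site is known good
        shutil.copytree(golden, live)
        (live / "index.html").write_text("<h1>defaced</h1>")
        (live / "css" / "site.css").unlink()
        (live / "extra.html").write_text("unexpected")
        report = check_and_restore(live, golden, quarantine, baseline)
        report["index"] = (live / "index.html").read_text()
        report["second_pass"] = check_and_restore(live, golden, quarantine, baseline)
        return report
```

The known-good copy and its baseline are only useful if they live somewhere the web server account cannot write to.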

