RE: [FW1] Intrusion Detection
One good thing about IDS systems is that they do not need to be certified to work with a certain firewall, unless you are trying to put the IDS on the firewall and at that point I would have to say DON'T DO IT!!!!!! NEVER EVER put IDS on the firewall. It is a firewall. Its job is to protect the front door.

A good IDS system can be, and should be, used for protecting the internal resources. If a WEB server gets hacked, it would be great if the IDS could put on the original page and get rid of the hacked version. Most of the IDS systems have a basic understanding of this and can do some smaller tasks like this. Some do even more, like watch certain directories for changes and replace changes with original files. Thus the change never happens. Fewer still have the functionality to talk to the firewalls and write rules according to certain hack attempts. This one, as you might imagine, is the dangerous kind. But the right IDS system, implemented in the correct way, can be very lethal for the would-be hacker.

I have found a direct correlation with "you get what you pay for" in this arena. My advice is research the commercial products out there. Find the "neat features" that you like. See if the freeware versions have the options you want and make a choice that way. The IDS system does not have to be certified for a specific firewall if you are not asking the IDS to write to the firewall (that was the dangerous option).

Just my opinion, and we all know what opinions are worth.

Good luck!

-----Original Message-----
From: Lance Spitzner [mailto:[email protected]]
Sent: Friday, January 12, 2001 6:12 PM
To: Jon Vandiveer
Cc: [email protected]
Subject: re: [FW1] Intrusion Detection

On Fri, 12 Jan 2001, Jon Vandiveer wrote:

> Currently there is only ONE certified IDS product for Checkpoint,
> RealSecure. Check out www.opsec.com
>
> However I have heard that NFR (www.nfr.com) will work with Checkpoint
>
> Just remember that Intrusion Detection is different from Intrusion Response.
> i.e. Sn0rt does detection, but cannot Block connections; while RealSecure
> can issue commands to FW's and routers.

When dealing with Unix, one never says the word can't. It is possible to have snort reconfigure FW-1 rules.

http://www.enteract.com/~lspitz/intrusion.html

However, I would be EXTREMELY careful how you can use this feature.

lance

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================