
Re: [FW1] Intrusion Detection



I don't think that way, an IDS should complement the firewall job, if possible interact with it.
We shouldn't be waiting for the hack to happen ... we should be proactive. If my IDS detects an attack it should be able to reconfigure my firewall to stop that attack.
What you said about replacing the damaged page is good but we should prevent that from happening.
I think that RealSecure, NFR, or any other good IDS working with FW-1 is a great idea.
But don't forget Lance's remarks about reconfiguring FW-1 rules. And we must be very, very careful with the false positives, if you are not careful you can create a DOS waiting to happen.

Vitor Ventura

Tim Cullen wrote:
> 
> One good thing about IDS systems is that they do not need to be certified to
> work with a certain firewall, unless you are trying to put the IDS on the
> firewall and at that point I would have to say DON'T DO IT!!!!!!
> 
> NEVER EVER put IDS on the firewall.  It is a firewall.  Its job is to
> protect the front door.  A good IDS system can be, and should be, used for
> protecting the internal resources.  If a WEB server gets hacked, it would
> be great if the IDS could put on the original page and get rid of the hacked
> version.  Most of the IDS systems have a basic understanding of this and can
> do some smaller tasks like this.
> 
> Some do even more like watch certain directories for changes and replace
> changes with original files.  Thus the change never happens.  Fewer still
> have the functionality to talk to the firewalls and write rules according to
> certain hack attempts.  This one, as you might imagine, is the dangerous
> kind.
> 
> But, given the right IDS system implemented in the correct way can be very
> lethal for the would-be hacker.  I have found a direct correlation with,
> "you get what you pay for." in this arena.
> 
> My advice is research the commercial products out there.  Find the "neat
> features" that you like.  See if the freeware versions have the options you
> want and make a choice that way.  The IDS system does not have to be
> certified for a specific firewall if you are not asking the IDS to write to
> the firewall, (that was the dangerous option).
> 
> Just my opinion, and we all know what opinions are worth.
> 
> Good luck!
> 
> -----Original Message-----
> From: Lance Spitzner [mailto:[email protected]]
> Sent: Friday, January 12, 2001 6:12 PM
> To: Jon Vandiveer
> Cc: [email protected]
> Subject: re: [FW1] Intrusion Detection
> 
> On Fri, 12 Jan 2001, Jon Vandiveer wrote:
> 
> > Currently there is only ONE certified IDS product for Checkpoint,
> > RealSecure. Checkout www.opsec.com
> >
> > However I have heard that NFR (www.nfr.com) will work with Checkpoint
> >
> > Just remember that Intrusion Detection is different from Intrusion
> > Response.
> > i.e. Snort does detection, but cannot Block connections; while RealSecure
> > can issue commands to FW's and routers.
> 
> When dealing with Unix, one never says the word can't.  It is possible
> to have snort reconfigure FW-1 rules.
> 
> http://www.enteract.com/~lspitz/intrusion.html
> 
> However, I would be EXTREMELY careful how you can use this feature.
> 
> lance
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

-- 
Vitor Ventura
Systems Engineer
[email protected]

SIA Portugal            
Tel: 218497020
<http://www.sia.pt>
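The thread's concern is that an IDS which writes firewall rules on its own turns every false positive into a self-inflicted denial of service. The following is an added example, not code from this list thread and not the API of FW-1, RealSecure, NFR or Snort: a small response policy that sits between the IDS alert stream and the firewall and only blocks a source after it has crossed a threshold within a time window, never blocks addresses on a protected list (your own DNS, gateways, partners), expires every block after a TTL, and stops auto-blocking once a cap is reached so a human has to look. The `Alert` layout, the policy fields and the `block`/`unblock` callbacks are assumptions made for the example; a real deployment would plug the firewall's own management interface into those two callbacks.

```python
"""Guarded IDS-to-firewall response policy (added example, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Deque, Dict, List, Optional, Set


@dataclass
class Alert:
    """Minimal IDS alert as the policy sees it (constructed layout, not any vendor's)."""
    ts: float       # seconds since epoch
    src: str        # source address the IDS attributes the event to
    sig: str        # signature / rule name
    severity: int   # 1 (informational) .. 5 (critical)


@dataclass
class ResponsePolicy:
    never_block: List[str]                 # CIDRs that must never be cut off (assumed field)
    min_severity: int = 4                  # ignore low-severity noise outright
    threshold: int = 3                     # alerts from one source within window before acting
    window: float = 60.0                   # seconds
    block_ttl: float = 600.0               # seconds; every auto-block expires on its own
    max_active: int = 50                   # cap on simultaneous auto-blocks
    block: Optional[Callable[[str], None]] = None     # hypothetical firewall hook
    unblock: Optional[Callable[[str], None]] = None   # hypothetical firewall hook
    _history: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _active: Dict[str, float] = field(default_factory=dict)   # src -> expiry time

    def _protected(self, src: str) -> bool:
        """True for addresses we must never block; unparsable input is treated as protected."""
        try:
            addr = ip_address(src)
        except ValueError:
            return True
        return any(addr in ip_network(n, strict=False) for n in self.never_block)

    def expire(self, now: float) -> List[str]:
        """Release blocks whose TTL has passed; returns the addresses released."""
        released = [s for s, exp in self._active.items() if exp <= now]
        for s in released:
            del self._active[s]
            if self.unblock:
                self.unblock(s)
        return released

    def handle(self, alert: Alert) -> str:
        """Decide what to do with one alert and return a short verdict string."""
        self.expire(alert.ts)
        if alert.severity < self.min_severity:
            return "ignored:low-severity"
        if self._protected(alert.src):
            return "ignored:protected-address"    # blocking this would be a self-inflicted DoS
        if alert.src in self._active:
            return "already-blocked"
        hist = self._history[alert.src]
        hist.append(alert.ts)
        while hist and hist[0] < alert.ts - self.window:   # drop events outside the window
            hist.popleft()
        if len(hist) < self.threshold:
            return f"watching:{len(hist)}/{self.threshold}"
        if len(self._active) >= self.max_active:
            return "deferred:block-cap-reached"   # page a human instead of adding more rules
        self._active[alert.src] = alert.ts + self.block_ttl
        hist.clear()
        if self.block:
            self.block(alert.src)
        return "blocked"

    def active_blocks(self) -> Set[str]:
        return set(self._active)


def demo() -> Dict[str, str]:
    """Run constructed sample alerts through the policy; keys are 'ts:src', values the verdicts."""
    applied: List[str] = []
    policy = ResponsePolicy(never_block=["10.0.0.0/8", "192.0.2.53/32"], block=applied.append)
    alerts = [  # constructed sample alerts, documentation-range addresses
        Alert(0, "203.0.113.7", "web-cgi-probe", 5),
        Alert(5, "203.0.113.7", "web-cgi-probe", 5),
        Alert(9, "203.0.113.7", "web-cgi-probe", 5),
        Alert(10, "192.0.2.53", "dns-zone-transfer", 5),   # our own DNS server: must stay reachable
        Alert(11, "198.51.100.4", "icmp-echo", 1),          # too low-severity to act on
    ]
    return {f"{a.ts}:{a.src}": policy.handle(a) for a in alerts}


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

The design choice worth noting is that every path that could hurt availability is bounded: the protected list, the TTL and the cap each limit how much damage a single bad signature can do before someone notices, which is the "very, very careful with the false positives" point in practice.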

