Firewall Wizards: Re: FW appliance comparison - Seeking input for the forum

From: Paul D. Robertson <paul_at_compuwar.net>
Date: Wed, 18 Jan 2006 13:21:35 -0500 (EST)

On Wed, 18 Jan 2006, sai wrote:

> on firewall if you really want all-in-one boxes. Why would you want an
> IDS on the same machine as a firewall? It's not going to work. It will
> not have enough signatures to give you the sort of security you need.
>
[What the heck, no interesting debate in a while...]

I think there's a bigger question: "why would you want an IDS?" AFAICT,
IDSes are only good for (a) stopping stuff your firewall rules should
already stop, (b) stopping known-bad stuff you have to let in that
almost always has patches or work-arounds, and (c) if you're regulated
into them (i.e. HIPAA.)

Since I tend to preach good firewall rulesets and strengthening the
obvious vectors with good patching/strong configuration, I really fail to
see situations where "If only we'd had an IDS/IPS" is the mantra, rather
than "if only we'd patched/filtered" being an altogether better mantra.

Maybe someone hitting the IDS pipe can come up with some good examples of
when just doing the right thing wouldn't have stopped whatever it is that
is known enough for signatures but not enough for configuring or
patching...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul_at_compuwar.net which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 18 2006
