Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

RE: Odd scans and stuff bouncing off firewalls
From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Wed, 14 Aug 2002 09:40:18 +0930
Hi,


-----Original Message-----
From: Craig Billado [mailto:billadoc () us ibm com]
Sent: Wednesday, 14 August 2002 3:20 AM
Cc: incidents () securityfocus com
Subject: Re: Odd scans and stuff bouncing off firewalls

Nexus,

I agree that there is a lot of overhead maintaining external 
IDS sensors.
In the event that the "filtering device" fails, however, 
subsequent attacks
into and through the DMZ may be difficult to detect without them.


[snip sweet comment :-]


If you feel that
the border firewall is impervious to attack or compromise -- 
moreover, that 
the internal sensors are equipped to detect the consequences 
thereof --
then I suppose an external sensor can be dismissed. 
Otherwise, I'd keep one
out there on the wild-side.


This has all the hallmarks of a religious debate eh..

I've thought long and hard about this and FWIW, the 
conclusion I came up with was this.

IDS is designed to "detect" intrusions which seems to 
imply that it goes behind the devices designed to "block" them, 
else you are installing "Attempted Intrusion Detection Systems".  
Hmmm, I don't think I want to add that to my CV ;-)

A perimeter normally consists of multiple security devices
including an external filter (router) and internal, much
smarter firewall.  So where would you put the external
sensor if you want to see all attack attempts aimed at
you?  

Between the firewall and the filter?  But then it would 
miss most of the port scans if the filter is doing its job.

Outside the filter?  But then you are basically just gathering
stats and dshield already does a brilliant job here.


Each to their own of course.  I can see a need to install 
an external sensor if your business is network security as 
you need to test the efficiency of the IDS sensor, but you are 
just making a rod for you own back if you install them outside 
an ordinary corporate network.  

In any case, logs from the filter and firewall will normally
give you most of the data you want.

ciao



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]