
Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: "Pieper, Rodney" <rodney.pieper () eds com>
Date: Thu, 4 Apr 2002 07:55:49 -0600
Except, imagine the following -- Wily hacker notices that whenever he does 'A' the firewall makes a change 'B'. After tiring of trying to get inside, or maybe all he wants to do, he uses the previous information to effectively DOS your network by continually doing 'A' in a modified fashion. Not just flakey access control policy but a new DOS to fight.

I go back to an original thought that security policy needs to drive the access control. And E-Bay does not have the same access control policy that Amazon or Manufacturer 'X' does.

An IDS that drives the access control mechanism appears on the surface to be a good and logical next step, but is the goal to reduce the manpower requirement for an Intelligent Human analyst? If user 'M' decides that this new product enables him to totally forgo the staffing requirement, has a true service been performed?

Rod Pieper
IA Services, EDS

-----Original Message-----
From: Gary Flynn [mailto:flynngn () jmu edu]
Sent: Wednesday, April 03, 2002 10:33 AM
To: Crispin Cowan
Cc: dont; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Prevention Firewall

Crispin Cowan wrote:

> But beware: as soon as you hook your IDS to an access control mechanism, so that when the IDS detects something it closes off access, what you have just done is build a flakey access control policy. If you thought the costs of managing IDSs was high, wait until you try this :)

If someone were foolish enough to blindly tie one of today's full-blown IDS systems to an access control device I'd agree with you. But surely there are some IDS signatures that can be trusted to accurately identify malicious traffic, and only malicious traffic, and therefore be safe to use to control access. While there may be a much smaller number of these "reliable" signatures, they may serve to automatically pick off the low hanging fruit and therefore allow more attention to be paid elsewhere.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
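
The trade-off discussed in this thread, as an added example that is not part of the original messages: a policy gate between IDS alerts and the access control list that enforces only on a short list of vetted signatures, never blocks listed critical peers, and caps how many automatic blocks an alert stream can cause per time window. The signature IDs, addresses and limits are constructed, and the class and function names are hypothetical.

```python
import ipaddress
from collections import deque

# All values below are constructed for illustration.
RELIABLE_SIGS = {"SIG-1001"}    # hypothetical IDs vetted to match only malicious traffic
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]
MAX_BLOCKS, WINDOW, BLOCK_TTL = 3, 60, 600   # blocks per window, seconds, seconds

class BlockGovernor:
    """Decides whether an IDS alert may change the access control list."""
    def __init__(self):
        self.recent = deque()   # times of recent automatic blocks
        self.active = {}        # source IP -> time the block expires

    def blocked(self, ip, now):
        return now < self.active.get(ip, 0)

    def decide(self, sig, src, now):
        """Return (action, reason); only a new 'block' changes enforcement state."""
        if sig not in RELIABLE_SIGS:
            return ("alert_only", "signature not vetted for enforcement")
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            return ("escalate", "source is on the never-block list")
        if self.blocked(src, now):
            return ("block", "already blocked")
        while self.recent and now - self.recent[0] >= WINDOW:
            self.recent.popleft()           # forget blocks outside the window
        if len(self.recent) >= MAX_BLOCKS:
            return ("escalate", "block rate cap reached, analyst review needed")
        self.recent.append(now)
        self.active[src] = now + BLOCK_TTL  # blocks expire instead of accumulating
        return ("block", f"expires at t={now + BLOCK_TTL}")

# Constructed alert stream: (time in seconds, signature, source address).
ALERTS = [
    (0, "SIG-1001", "203.0.113.10"), (1, "SIG-2002", "203.0.113.11"),
    (2, "SIG-1001", "192.0.2.25"),   (3, "SIG-1001", "203.0.113.12"),
    (4, "SIG-1001", "203.0.113.13"), (5, "SIG-1001", "203.0.113.14"),
    (70, "SIG-1001", "203.0.113.14"),
]

def replay(alerts):
    gov = BlockGovernor()
    return [gov.decide(sig, src, t)[0] for t, sig, src in alerts]

if __name__ == "__main__":
    for alert, action in zip(ALERTS, replay(ALERTS)):
        print(alert, "->", action)
```

Alerts that hit the rate cap or the never-block list are handed to an analyst rather than enforced, so the gate limits how much firewall change a repeated trigger can induce without removing the human from the loop.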