Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall


From: "Pieper, Rodney" <rodney.pieper () eds com>
Date: Fri, 5 Apr 2002 12:46:56 -0500

Is this IDS operating inside the security boundary or outside? 

If an IDS outside the protective boundary drops/kills a potentially harmful
session then it would presumably not require a modification to the firewall.
This architecture would continue to protect the network without moving the
rule downwards.

If the IDS is an internal system, moving the response up the network towards
the perimeter connection is perhaps a good idea -- presuming that the
problem originated outside the network.

The internal IDS also has responsibility for incidents which originate
inside the network - (60%). These would be problematic if the response was
moved to the firewall.

Rod Pieper
EDS - IA



-----Original Message-----
From: Vern Paxson [mailto:vern () icir org]
Sent: Thursday, April 04, 2002 4:49 PM
To: Crispin Cowan
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Prevention Firewall 


> The key question is the
> false positive rate.

Yep!

> Is it the case that your Bro IDS scripts are not
> generating false positives? Or that your users don't mind so much if a
> legitimate session gets killed? Or a compromise, where the proactive
> session-killing is only connected to IDS scripts that have particularly
> low false positives?

It's in particular the last.

We get a false positive every couple of weeks, and of course we work on
ways to lower them.  (Bro is conducive to adding these sorts of exceptions.)

But we get dozens of true positives every day, which is the pay-off.

                Vern
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
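The two points raised in this exchange, only tying automatic session-killing to detections with a demonstrably low false-positive rate (Vern's compromise) and keeping the response where the incident originated rather than pushing every block to the perimeter firewall (Rod's objection), can be expressed as a small response-gating policy. The code below is an added illustration written for this archive page; it is not Bro code and not anything from the thread. The signature names, the sample alert history, the internal address ranges and the thresholds are all constructed, and the analyst-verdict field is an assumed feedback mechanism.

```python
"""Gate active response on measured per-signature precision and route the
response by the origin of the offending session.

Added example for illustration; not part of the mailing-list thread, not
Bro's own policy language. All signatures, addresses and thresholds are
constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Assumed site-internal address ranges (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Alert:
    signature: str
    src: str
    # Analyst verdict: True = confirmed true positive, False = confirmed
    # false positive, None = never reviewed (assumed feedback channel).
    confirmed: Optional[bool]


def precision_by_signature(history: List[Alert]) -> Dict[str, Tuple[int, int]]:
    """Count reviewed alerts per signature as (true_positives, false_positives).
    Unreviewed alerts carry no information about precision and are skipped."""
    counts = defaultdict(lambda: [0, 0])
    for a in history:
        if a.confirmed is True:
            counts[a.signature][0] += 1
        elif a.confirmed is False:
            counts[a.signature][1] += 1
    return {sig: (tp, fp) for sig, (tp, fp) in counts.items()}


def eligible_for_active_response(stats: Dict[str, Tuple[int, int]],
                                 min_reviewed: int = 20,
                                 min_precision: float = 0.98) -> Set[str]:
    """Signatures trusted enough to kill sessions without a human in the loop.
    A signature needs enough reviewed alerts for the precision estimate to
    mean anything, and the estimate itself must clear the threshold."""
    trusted = set()
    for sig, (tp, fp) in stats.items():
        n = tp + fp
        if n >= min_reviewed and tp / n >= min_precision:
            trusted.add(sig)
    return trusted


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(alert: Alert, trusted: Set[str]) -> str:
    """Map one alert to a response action.
    Low-precision signatures only raise an alert; trusted ones kill the
    session, but the kill is issued by the internal sensor when the source
    is internal and pushed to the perimeter only for external sources."""
    if alert.signature not in trusted:
        return "alert-only"
    if is_internal(alert.src):
        return "kill-session-internal"
    return "kill-session-perimeter"


def constructed_history() -> List[Alert]:
    """Constructed review history: one clean exploit signature, one noisy
    scan signature, and one signature with too few reviewed alerts."""
    hist: List[Alert] = []
    hist += [Alert("exploit-x", "203.0.113.5", True)] * 40
    hist += [Alert("scan-y", "198.51.100.9", True)] * 30
    hist += [Alert("scan-y", "198.51.100.9", False)] * 5
    hist += [Alert("probe-z", "10.1.2.3", True)] * 5
    hist += [Alert("probe-z", "10.1.2.3", None)] * 50
    return hist


if __name__ == "__main__":
    stats = precision_by_signature(constructed_history())
    trusted = eligible_for_active_response(stats)
    print("trusted for active response:", sorted(trusted))
    for a in (Alert("exploit-x", "203.0.113.5", None),
              Alert("exploit-x", "10.9.8.7", None),
              Alert("scan-y", "203.0.113.5", None)):
        print(a.signature, a.src, "->", decide(a, trusted))
```

With the constructed history only `exploit-x` clears the bar (40 reviewed, no false positives); `scan-y` is reviewed often enough but sits at about 86% precision, and `probe-z` has been reviewed only five times, so neither gets to kill sessions. A rate like the one Vern describes, dozens of confirmed hits per day against one false positive every couple of weeks, would comfortably exceed the 98% threshold used here.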