Intrusion Detection Systems mailing list archives

Re: Real Traffic (was ...)


From: robert_david_graham () yahoo com (Robert Graham)
Date: Tue, 7 Dec 1999 15:35:31 -0800 (PST)



--- Lance Spitzner <lance () ksni net> wrote:
> I believe a critical issue for NIDS is not only what they do, but where
> you put them.  We all know we are being attacked, scanned, probed (well,
> all of us except for management).  So, putting a NID on the outside
> of the firewall only shows us what we already know (and overwhelms us
> with valid alerts).

Firewall logs are deceptive because they USUALLY tell you what's going on, but
not ALWAYS. For example, a UDP packet sent to port 31337 is probably a Back
Orifice ping. However, an intrusion detection system ignores the port, decodes
the contents of the UDP packet, tells you that it is Back Orifice, then tells
the operation (ping, or one of the other 50 opcodes). Needless to say, an
intrusion detection system will detect Back Orifice on any port. If you see
rejected frames at port 3000, you'll know much better what's going on with an
IDS vs. a firewall. For a clearer discussion of these issues, you might want to
check out the file below, which helps firewall admins interpret what they see:
http://www.robertgraham.com/pubs/firewall-seen.html

The biggest advantage of an IDS isn't so much that it alerts you to an attack,
but the fact that it logs attacks. In other words, the biggest value of the
system is to turn it on, then stick it in a closet. When you see something
interesting in the firewall log but cannot interpret it, simply consult the
IDS.

> I believe IDS systems should monitor critical systems,
> such as your financial database.

So what you are saying is that any desktop that has rights to access the
financial database is not a critical system? In the average corporation, how
hard do you think it is to install Back Orifice into the Startup folder via
remote File and Print Sharing? Of course, since I work for a company that
produces a desktop IDS/firewall, I'm extraordinarily biased on this issue :-) 

An alternate solution is that many companies are firewalling different
departments, such that nobody else in the corporation can get to the financial
department's desktops (so there are other solutions to the problem). But in
general, a security system is only as strong as its weakest link, and Win9x
systems are well-known for being weak links :-)

Regards,
Rob.

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2 digits again."
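Added example, not part of the post and not Robert Graham's code: a Python sketch of the port-based guess a firewall log supports beside the content-based check an IDS performs on the same UDP datagrams. The Back Orifice details it encodes (the "*!*QWTY?" magic, the rand()-style XOR keystream, a 16-bit key space, the opcode position and the ping value) are assumptions taken from public descriptions of the trojan, and the sample datagrams are constructed; trying all 65536 seeds rather than knowing the password is what lets the content check work on any port.

```python
from typing import Optional
# Protocol details are assumptions for this example, not from the post: BO v1
# XORs each byte with an MSVC rand()-style LCG keystream seeded by a 16-bit key
# (default 31337); plaintext = "*!*QWTY?", 4-byte length, 4-byte id, 1-byte opcode (ping assumed 1).
BO_MAGIC = b"*!*QWTY?"
BO_DEFAULT_KEY, BO_TYPE_OFFSET, BO_TYPE_PING = 31337, 16, 1

def bo_keystream(seed: int, n: int) -> bytes:
    """n bytes of rand() % 256 from x = x*214013 + 2531011 (mod 2^32)."""
    state, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(n):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append(((state >> 16) & 0x7FFF) % 256)
    return bytes(out)

def bo_xor(data: bytes, seed: int) -> bytes:
    """XOR is symmetric: builds the constructed sample and decodes it alike."""
    return bytes(a ^ k for a, k in zip(data, bo_keystream(seed, len(data))))

def find_bo_key(payload: bytes) -> Optional[int]:
    """Try every 16-bit seed; return the one that reveals the magic, else None."""
    if len(payload) < len(BO_MAGIC):
        return None
    head = payload[:len(BO_MAGIC)]
    return next((s for s in range(65536) if bo_xor(head, s) == BO_MAGIC), None)

def classify_by_port(dport: int) -> str:
    """The firewall-log view: a guess from the destination port alone."""
    return "suspected Back Orifice" if dport == 31337 else "unknown"

def classify_by_content(payload: bytes) -> str:
    """The IDS view: decode the payload, whatever port it arrived on."""
    seed = find_bo_key(payload)
    if seed is None:
        return "not Back Orifice"
    plain = bo_xor(payload, seed)
    op = plain[BO_TYPE_OFFSET] if len(plain) > BO_TYPE_OFFSET else None
    opname = "ping" if op == BO_TYPE_PING else f"opcode {op}"
    return f"Back Orifice {opname} (key {seed})"

def build_sample(seed: int, opcode: int) -> bytes:
    """Constructed datagram: magic, length, id, opcode and no further data."""
    body = bytearray(BO_MAGIC) + bytearray(8) + bytes([opcode])
    body[8:12] = len(body).to_bytes(4, "little")
    return bo_xor(bytes(body), seed)

SAMPLES = [  # constructed (destination port, payload) pairs
    (31337, build_sample(BO_DEFAULT_KEY, BO_TYPE_PING)),  # what the firewall expects
    (3000, build_sample(4242, BO_TYPE_PING)),             # same trojan, odd port
    (31337, b"\x00" * 18),                                # junk aimed at port 31337
]
```

Running `classify_by_port` and `classify_by_content` over `SAMPLES` shows the port guess missing the second datagram and flagging the third, while the content check gets both right.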
