I'm with Don. I learned my security management in the military, with a
focus on physical security. If I ever told someone that we "didn't need"
motion detectors or roving guard checks because our access control was
THAT good, I don't think I would have lasted too long. Yes, in an ideal
world no "bad" traffic can get through a properly configured proxy
firewall, BUT the bad guys have imaginations, too! Often better and more
evil imaginations than the guys who wrote the protocols and maybe even
better than the guy who wrote the proxy (sorry, MJR, but it is

It seems to me like the IDS model (I do NOT accept the term "IPS" --
it's a little too confident to me!) that is really being criticized is
the model where you have a NIDS sensor outside the firewall, and maybe
another on your DMZ backbone and one on your main inside interface to
the firewall; this is a common scenario recommended by many vendors. I
agree this is pretty silly and (relatively) useless, as it's essentially
just backstopping (and front-stopping) the firewall. It's sort of a
second firewall or a different logging/analysis device for the traffic
traversing the firewall.

BUT deploying a NIDS so that it listens in on all internal (and
boundary) traffic is useful; it's analogous to the motion detector or
roving sentry. Better yet is a HIDS, which is essentially just a
real-time log aggregator and analyzer, along with a policy/signature
engine for alerting or taking action.

I agree, though, that signatures alone (enumerating badness) as a
methodology for deciding what is bad traffic are poor. This method must
be augmented/replaced with a policy-based analysis that says "alert me
about anything that doesn't look like 'X.'" By analogy again, roving
guards don't just look for specific bad guys (although if you're smart
they are probably briefed on what specific bad guys look like), they are
mostly looking for anything that is out of the ordinary. And again, I
think saying, "We don't allow that sort of thing, and therefore I don't
need to check whether it's actually HAPPENING or not" is rather
willfully blind.

Don wrote:
>Are we forgetting one of the main reasons I believe IDS are valuable

>was this point made earlier in the thread and I didn't catch it)? Being
>an old timer, "Defense in Depth" easily comes to mind. Your firewall is
>a device on the network right? As such, heaven forbid, it might get
>hacked. What will give you a clue if it does?
>Maybe an IDS that is specifically tuned to alert on traffic that should
>never happen? Borrowing from another current thread, let's say

>that you do not allow X-windows traffic in from the outside. Of course
>your firewall would block it and log it, but wouldn't it be nice to

>if the firewall ever responded to a SYN with a SYN-ACK?
>I agree we don't need the IDS to tell us what we should already know
>from the firewall. And we might not need to know about the newest worm
>signature from an IDS. But I would sure be interested if I saw

>to any of these "bad" things or these "bad" things outbound. Goes back
>to "know your traffic." It's tough but it's the only way.
>Someone a long time ago said think of a firewall as the perimeter alarm
>and locks, think of IDS as motion detector. I think that is still


>"Keep your arms and hands inside the car and enjoy your ride..."
>"Using encryption on the Internet is the equivalent of arranging an
>armored car to deliver credit card information from someone living in a
>cardboard box to someone living on a park bench." - Gene Spafford
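As an added example (not code from this post or from Don; the firewall address 203.0.113.1, the 10.0.0.0/8 inside network, the allowed-service lists and the packet records are all constructed for illustration), here is the difference between "enumerating badness" and "alert me about anything that doesn't look like X" in a few lines of Python, including the case of a firewall answering a SYN with a SYN-ACK on a port it is supposed to block:

```python
"""Policy-based ("anything that is not X") vs. signature-based ("enumerate
badness") checks over constructed one-line-per-packet records.

Assumptions (not from the post): firewall outside address 203.0.113.1,
inside network 10.0.0.0/8, and made-up allowed-service lists and records.
"""
import ipaddress
from dataclasses import dataclass

FW_EXTERNAL = ipaddress.ip_address("203.0.113.1")  # hypothetical
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical

# The "X": what the firewall policy says should be on the wire.
ALLOWED_INBOUND = {("tcp", 443), ("udp", 53)}              # offered to the outside
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # inside hosts may start

# The "enumerating badness" list, one known-bad pattern for contrast.
SIGNATURES = {("tcp", 6667): "outbound IRC, a common bot control channel"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flags as seen ("S" = SYN, "SA" = SYN-ACK); "-" for non-TCP


# Constructed records: "src:sport -> dst:dport proto flags", one packet per line.
SAMPLE_RECORDS = """\
198.51.100.7:40000 -> 203.0.113.1:443 tcp S
203.0.113.1:443 -> 198.51.100.7:40000 tcp SA
198.51.100.7:40001 -> 203.0.113.1:6000 tcp S
203.0.113.1:6000 -> 198.51.100.7:40001 tcp SA
198.51.100.9:53 -> 203.0.113.1:53 udp -
10.1.2.3:51000 -> 198.51.100.50:80 tcp S
10.1.2.3:51001 -> 198.51.100.60:6667 tcp S
"""


def parse(text):
    """Turn the one-line-per-packet text into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        endpoints, proto, flags = line.rsplit(" ", 2)
        src_ep, dst_ep = endpoints.split(" -> ")
        src, sport = src_ep.rsplit(":", 1)
        dst, dport = dst_ep.rsplit(":", 1)
        flows.append(Flow(src, int(sport), dst, int(dport), proto, flags))
    return flows


def direction(flow):
    """Classify a packet relative to the firewall."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst == FW_EXTERNAL and src not in INTERNAL_NET:
        return "inbound"    # outside host talking to the firewall
    if src == FW_EXTERNAL and dst not in INTERNAL_NET:
        return "fw-reply"   # the firewall itself answering the outside
    if src in INTERNAL_NET and dst not in INTERNAL_NET:
        return "outbound"   # inside host initiating to the outside
    return "other"


def policy_alerts(flows):
    """Alert on anything the policy says should never happen.

    Inbound SYNs to blocked ports are deliberately not alerted: the firewall
    already logs and drops those, and re-reporting them only backstops it.
    """
    alerts = []
    for f in flows:
        where = direction(f)
        if where == "fw-reply":
            # The firewall completing a handshake on a port it should block.
            # A bare RST would be a rejection, not an answer, so only SYN-ACK
            # (or any non-TCP reply) counts.
            answered = f.flags == "SA" if f.proto == "tcp" else True
            if answered and (f.proto, f.sport) not in ALLOWED_INBOUND:
                alerts.append((f"firewall answered on {f.proto}/{f.sport}, "
                               "which policy says is blocked", f))
        elif where == "outbound" and (f.proto, f.dport) not in ALLOWED_OUTBOUND:
            alerts.append((f"inside host started {f.proto}/{f.dport}, "
                           "not in the outbound policy", f))
        elif where == "other":
            alerts.append(("traffic that fits no policy category", f))
    return alerts


def signature_alerts(flows):
    """Enumerate badness: flag only flows matching a known-bad pattern."""
    return [(SIGNATURES[(f.proto, f.dport)], f)
            for f in flows if (f.proto, f.dport) in SIGNATURES]


if __name__ == "__main__":
    flows = parse(SAMPLE_RECORDS)
    for label, fn in (("policy-based", policy_alerts),
                      ("signature-based", signature_alerts)):
        print(f"{label}:")
        for why, f in fn(flows):
            print(f"  {why}: {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.flags}")
```

Run against the constructed records, the signature list catches only the outbound IRC connection; the policy check catches that too, plus the SYN-ACK the firewall sent from tcp/6000, a port the policy says is closed, while saying nothing about the dropped inbound SYN to 6000 that the firewall's own log already covers.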

firewall-wizards mailing list