Re: IDS: Combining IDS and firewalls
Robert Graham (robert_david_graham@yahoo.com)
Sat, 11 Sep 1999 13:54:35 -0700 (PDT)
Bill Royds <broydshome.com> wrote:
> Has anyone any experience in combining firewalls with IDS? Several
> commercial Intrusion Detection systems can generate new firewall rules
> on the fly to block the possible intrusion. Has anyone used this and
> has had good or bad experience with it?
AFAIK, most IDSs will reconfigure Checkpoint firewalls.
You might also be interested in the direction that BlackICE Defender is going. It is a scaled down version of BlackICE Sentry (competitor to RealSecure, NFR, NetRadar, etc.) that runs on a personal computer (for ~$40) in non-promiscuous mode. The "Defender" part means that it comes with a simplified firewall, and that rules are dynamically added and deleted by the intrusion detection system.
The difficult part is false-positives. The appropriate response has to be crafted for each detected intrusion. For example, we must see command/responses go back and forth before we initiate blocking, so simple things like TCP scans don't trigger anything.
Example: we put it on all our boxes, one of which was acting as a router. One day we were running Cybercop Scanner at a range of machines on the other side of the router, but for some reason the scans weren't getting through. Of course, what had happened is that BlackICE had conclusively determined that the Cybercop machine was evil and was blocking it. We had to go back and hard-code "trusting" to get things working.
Rob.
===
Robert Graham
"Anxiously awaiting the millennium so I can start programming dates with 2-digits again."
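As an added illustration (not part of Rob's post and not BlackICE code), a small Python model of the response policy he describes: alerts on bare probes and on trusted hosts are never turned into firewall rules, and a source is blocked only once a command/response exchange has been observed in both directions. All hosts, addresses and the event stream are constructed.

```python
from collections import defaultdict

class AutoBlocker:
    """Turns IDS alerts into firewall rules using the post's policy:
    bare TCP probes never block, a signature hit blocks only after the
    conversation has shown a command and a response in both directions,
    and hosts on the hard-coded trust list are never blocked."""

    def __init__(self, trusted=()):
        self.trusted = set(trusted)          # hard-coded "trusting"
        self.blocked = set()                 # rules the IDS added to the firewall
        self.suppressed = []                 # (src, reason) for alerts not acted on
        # per (client, server) pair: has a command and a response been seen?
        self.exchange = defaultdict(lambda: {"cmd": False, "resp": False})

    def observe(self, src, dst, kind, sig_hit=False):
        """kind is 'syn' (bare probe), 'cmd' (client payload) or 'resp'
        (server payload back to the client). Returns True if a block rule
        was added, False if the alert was suppressed, None if no alert."""
        if kind == "cmd":
            self.exchange[(src, dst)]["cmd"] = True
        elif kind == "resp":
            self.exchange[(dst, src)]["resp"] = True   # key is always (client, server)
        if not sig_hit:
            return None
        if src in self.trusted:
            self.suppressed.append((src, "trusted host"))
            return False
        conv = self.exchange[(src, dst)]
        if kind == "syn" or not (conv["cmd"] and conv["resp"]):
            self.suppressed.append((src, "no command/response exchange yet"))
            return False
        self.blocked.add(src)
        return True

# Constructed event stream (documentation address ranges, not real hosts).
def run_demo():
    ids = AutoBlocker(trusted={"10.0.0.5"})            # 10.0.0.5: in-house scanner
    events = [
        ("10.0.0.5", "10.0.1.20", "syn", True),         # scanner probe, trusted
        ("10.0.0.5", "10.0.1.20", "cmd", True),
        ("10.0.1.20", "10.0.0.5", "resp", False),
        ("10.0.0.5", "10.0.1.20", "cmd", True),         # would block if untrusted
        ("198.51.100.7", "10.0.1.20", "syn", True),     # plain TCP scan: ignored
        ("192.0.2.9", "10.0.1.20", "syn", True),        # probe, then a real session
        ("192.0.2.9", "10.0.1.20", "cmd", False),
        ("10.0.1.20", "192.0.2.9", "resp", False),
        ("192.0.2.9", "10.0.1.20", "cmd", True),        # exchange confirmed: block
    ]
    for src, dst, kind, sig in events:
        ids.observe(src, dst, kind, sig_hit=sig)
    return ids
```

Without the trust entry the scanner host would end up in `blocked` after its third event, which is the failure mode the post describes.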
This archive was generated by hypermail 2.0b3 on Sun Sep 12 1999 - 02:35:43 CDT