NFR Wizards Archive: RE: DMZ best practices

RE: DMZ best practices


Dominique Brezinski (dom_brezinski@securecomputing.com)
Fri, 22 Jan 1999 01:05:22 -0800


At 09:11 AM 1/22/99 +0100, Security wrote:
>Of course, an ID sensor outside the firewall is potentially vulnerable. When
>the ID sensor has a second NIC you can monitor a network segment with no
>protocol stack involved (on the first NIC) while also using an out-of-band
>channel (on the second NIC) for communication with the ID sensor. When there
>is a firewall between the second NIC and the internal network, you have a
>well-protected ID configuration. I have seen several discussions about
>cutting the transmit wires of the cable between the ID sensor and the
>monitored network. In this case, the ID sensor is physically secured.

All true, except that many (most?) NICs have issues with the transmit pair
cut, or so I hear. There was a discussion about this some time ago on this
list I think. There are, however, big vulnerabilities that exist in the
functional relationships between IDS and firewalls they can
actively/reactively configure. It would be inappropriate to discuss those
at the current time.

>You can monitor the DMZ with a sensor inside the DMZ. This is a proper
>solution, but in my opinion, a well-protected sensor outside the firewall
>does the same.

My question is not whether it can be done, but rather is it actually useful
or sane. I think my opinion is clear enough from my other posts on the
subject. We are all entitled to our own. It is a very rare customer that
I would design a security perimeter for that included an ID sensor outside
the first perimeter defense. It would just waste my customer's time to try
and analyze and chase down all that they would see, when a vast majority of
it is being repelled by their first perimeter defense. I might get a
thrill watching it on my own network, but I am a techy individual (clearly
insane ;) - not a company or organization.

This is just my opinion.

Dominique Brezinski CISSP (206) 898-8254
Secure Computing http://www.securecomputing.com
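The two-NIC sensor layout quoted above (a sniffing NIC with no protocol stack on the monitored segment, a separate out-of-band management NIC behind a firewall) is easy to describe and easy to get subtly wrong: the usual failure is that the "stackless" capture interface quietly picks up an IPv6 link-local address or an IPv4 address and starts answering ARP/ND and emitting autoconf traffic, which makes the sensor addressable from the very segment it is supposed to watch. The following is an added example, not code from the thread or from either poster; it audits the state that `ip -j addr show` reports on a Linux sensor against those requirements. The interface names eth0/eth1 and the sample interface data are assumptions constructed for illustration.

```python
"""Audit a two-NIC IDS sensor's interface state.

Requirements checked (the layout described in the thread):
  - the monitoring NIC is up, promiscuous, and carries NO IPv4/IPv6
    address (so no ARP/ND replies, no router-solicitation/MLD noise,
    nothing to connect to from the monitored segment);
  - the management NIC has an address (the out-of-band channel works).

Input is the JSON printed by `ip -j addr show` (iproute2 on Linux).
Interface names and the sample data are assumptions for this example.
"""

import json
import subprocess

MON_IF = "eth0"   # assumption: capture NIC on the monitored segment
MGMT_IF = "eth1"  # assumption: out-of-band management NIC


def make_state(mon_addr_info, mgmt_addr_info,
               mon_flags=("BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"),
               mon_if=MON_IF, mgmt_if=MGMT_IF):
    """Build a constructed `ip -j addr show` document for the two NICs."""
    return json.dumps([
        {"ifindex": 2, "ifname": mon_if, "flags": list(mon_flags),
         "operstate": "UP", "addr_info": list(mon_addr_info)},
        {"ifindex": 3, "ifname": mgmt_if,
         "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
         "operstate": "UP", "addr_info": list(mgmt_addr_info)},
    ])


# Constructed sample: eth0 is promiscuous but the kernel autoconfigured an
# IPv6 link-local address on it, so it is not actually stackless.
SAMPLE_IP_ADDR_JSON = make_state(
    mon_addr_info=[{"family": "inet6", "local": "fe80::5054:ff:fe12:3456",
                    "prefixlen": 64, "scope": "link"}],
    mgmt_addr_info=[{"family": "inet", "local": "10.0.99.5",
                     "prefixlen": 24, "scope": "global"}],
)


def audit_sensor(ip_addr_json, mon_if=MON_IF, mgmt_if=MGMT_IF):
    """Return a list of findings; an empty list means the layout holds."""
    ifaces = {i["ifname"]: i for i in json.loads(ip_addr_json)}
    findings = []

    mon = ifaces.get(mon_if)
    if mon is None:
        return [f"{mon_if}: monitoring interface not present"]
    flags = mon.get("flags", [])
    if "UP" not in flags:
        findings.append(f"{mon_if}: interface is down; nothing is being captured")
    if "PROMISC" not in flags:
        findings.append(f"{mon_if}: not promiscuous; only frames to the "
                        f"sensor's own MAC are seen")
    # Any address at all means the stack is live on the monitored segment.
    for a in mon.get("addr_info", []):
        findings.append(f"{mon_if}: has {a['family']} address "
                        f"{a['local']}/{a['prefixlen']}; the sensor will "
                        f"answer ARP/ND and emit traffic on the monitored segment")

    mgmt = ifaces.get(mgmt_if)
    if mgmt is None:
        findings.append(f"{mgmt_if}: management interface not present")
    elif not mgmt.get("addr_info"):
        findings.append(f"{mgmt_if}: no address; out-of-band channel unreachable")
    return findings


def live_audit(mon_if=MON_IF, mgmt_if=MGMT_IF):
    """Run the audit against the local host (needs iproute2; no root)."""
    out = subprocess.run(["ip", "-j", "addr", "show"], check=True,
                         capture_output=True, text=True).stdout
    return audit_sensor(out, mon_if, mgmt_if)


if __name__ == "__main__":
    for finding in audit_sensor(SAMPLE_IP_ADDR_JSON):
        print("FINDING:", finding)
```

On a Linux sensor the clean state is reached by bringing the capture NIC up with no address and with IPv6 switched off on that interface before it comes up (sysctl net.ipv6.conf.eth0.disable_ipv6=1, then ip link set eth0 up promisc on), after which audit_sensor() on the live output should return an empty list. The cut-transmit-pair trick discussed in the thread is the hardware version of the same idea; the audit above catches the software mistake that a cut cable would have masked.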



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:02 CDT