Jerryleo asked:
Is it necessary to install an IDS if the machine is already running a firewall?

I installed BlackICE Defender on a machine that is already running Tiny Personal Firewall. But I find it can't detect/catch anything if the firewall is running. It looks like it is installed behind the firewall and the firewall blocks everything. Is it necessary to install it if the machine is already running a firewall?

Please give me some comments!

Thanks a lot!
ahoffmann:

A firewall cannot detect all attacks. Some packets are simply dropped, whether or not they are part of an attack.
An IDS is *not* a firewall; you may say that it "assists" a firewall in detecting attacks.

In general, it doesn't make much sense to run an IDS on the firewall itself.
Pedantic security people place one IDS before, and one behind, the firewall, then compare the results.
tonimargiotta:

The answer to what you want to do is that it depends!

My preference is to have the IDS behind the firewall because mostly I am only interested in what gets through. I don't want to alarm on every scan.

On the other hand, in a commercial environment we have one outside the firewall too because it makes it easier to identify the source of an attack when NAT is operational, and it also can provide the best source of information about a Denial of Service attack.

If I were using only one sensor in a small environment, I would want it to see the traffic before it reaches the firewall. Sorry I can't help with how you would configure this with TPF (nice software, I use it too!).
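The sensor-placement point made in the two replies above (ahoffmann: one sensor before and one behind the firewall, compare the results; tonimargiotta: a sensor behind the firewall only sees what gets through and never alarms on scans) can be shown with a toy simulation. This is an added example written for this thread, not code from BlackICE Defender, Tiny Personal Firewall or any other product named here. The firewall rule (only destination ports 80 and 443 pass), the two IDS signatures (a port-scan threshold and a path-traversal payload match) and the packet list are all hypothetical and constructed inline.

```python
"""Toy model of IDS sensor placement relative to a packet-filtering firewall.

Added example for this thread; the firewall rules, the IDS signatures and the
traffic below are hypothetical and constructed, not taken from any product.
"""
from collections import defaultdict

# Constructed sample traffic: (src_ip, dst_ip, dst_port, payload)
PACKETS = [
    # A port scan: one source touching ten different ports.
    *[("203.0.113.7", "192.168.1.10", port, b"")
      for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)],
    # A legitimate web request.
    ("198.51.100.4", "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    # A web request carrying a path-traversal attempt. Port 80 is open, so the
    # firewall passes it; only a sensor that inspects payloads would notice.
    ("203.0.113.9", "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    # A connection attempt to a closed port (NetBIOS).
    ("203.0.113.9", "192.168.1.10", 139, b""),
]

ALLOWED_PORTS = {80, 443}


def firewall(packets, allowed_ports=ALLOWED_PORTS):
    """Stateless packet filter: pass only traffic to allowed destination ports.

    Dropped packets vanish without a trace, which is exactly why a sensor
    placed behind the filter never sees the scan.
    """
    return [p for p in packets if p[2] in allowed_ports]


def ids(packets, scan_threshold=5):
    """Two toy signatures: a port-scan heuristic (one source hitting at least
    scan_threshold distinct ports) and a payload pattern match."""
    alerts = []
    ports_by_src = defaultdict(set)
    for src, _dst, port, payload in packets:
        ports_by_src[src].add(port)
        if b"/../" in payload:
            alerts.append(("path-traversal", src, port))
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port-scan", src, len(ports)))
    return alerts


def compare_placements(packets):
    """Run the same IDS on the raw stream (sensor outside the firewall) and on
    the filtered stream (sensor inside) and return both alert lists."""
    return {
        "outside": ids(packets),
        "inside": ids(firewall(packets)),
    }


if __name__ == "__main__":
    result = compare_placements(PACKETS)
    for where, alerts in result.items():
        print(f"sensor {where} the firewall: {len(alerts)} alert(s)")
        for alert in alerts:
            print("   ", alert)
```

The outside sensor reports both the port scan and the traversal attempt; the inside sensor reports only the traversal attempt, because the firewall silently dropped eight of the ten scan probes and the remaining two fall below the scan threshold. That is the whole trade-off in the replies above: the inside sensor is quieter and shows what actually reached the host, the outside sensor is the only one that can tell you a scan happened at all.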
> necessary to install IDS

No.
BTW, you do not have an IDS (yet).

> But I find it can't detect/catch anything, if the firewall is running.

Yes.

> It looks like it is installed behind the firewall and the firewall blocks everything.

Exactly.

> Is it necessary to install it if the machine is already running a firewall?

No.

> Please give me some comments!

Generally, it is personal taste, and most people won't run two firewalls. Possibly, consider placing the Defender on the wall first, or by itself. Its claim to fame is that it is easier to block everything, with better forensic capability to track everything. Translation: you don't get to do anything until you figure out how to enable things, and you are more vulnerable to getting bogus alerts, or shall we say false positives. In general, it needs a longer learning curve than Tiny, which has been growing in popularity.

If you are interested in going with a second product, the first choice has been to go with ZoneAlarm, since it has a freeware version AND it looks at packets leaving your PC, while the Defender from NetICE does not. Together they are more of a dynamic duo. But hardware protection for the wall is better, while less flexible. Once you learn more about which packets and services to enable (or not), then you can best decide.

Tiny used to be buggy and unfriendly, so I have less experience there. With its growing popularity my guess is that it has become as reliable as the first two choices. See also Sygate.

Perhaps ahoffmann can discuss Tiny better. I thought I heard that it now also looks at outgoing packets; if so, it may be better contrasted with Zone Labs products than with NetICE's.

But usability is important. What you use has to make sense to you, or you likely won't be running some of the available features of a product. This leaves it more of a personal choice. And, BTW, when running software products on a PC, these take cycles, meaning other apps will seem slower to run, and how noticeable that is depends on the CPU speed and RAM available. Not good to run too many of these on a very old box. ZA is reported to be the one that takes longer to run (or to have more impact in slowing down other functions).

Some people run one to figure out better what to enable/disable, then stop it and run another because it functions better at the processes desired (but may be more initially confusing to set up).

> I don't want to alarm on every scan

Definitely. That's a drag. But I am very pro logging everything, so I can look back in time once something new is uncovered. Do manage the logging; such files can grow and grow unnecessarily. But they are essential for debugging.
> TPF (nice software,

<sigh> Sorry to miss it. I also go: "Perhaps tonimargiotta can discuss Tiny better" (than I can at this time).
ASKER CERTIFIED SOLUTION
ahoffmann
Jerryleo (asker):

Thanks everyone for your comments.

I am a newbie. I am interested in network security. I have heard of people combining several firewall technologies and their discussions, such as:

"Firewalls are not designed to detect attacks. Instead, they are designed to be an "On" or "Off" switch based on either IP addresses, protocols, or UDP or TCP ports. It does not log this potentially damaging traffic; it simply blocks undesirable traffic."

"One major flaw of personal firewalls is that if the end-user programs it incorrectly, it will fail with no warning. "

"Firewall drivers may emphasize the inspection of outbound
packets. IDS may emphasize the inspection of inbound packets."


And I know a friend who has been hacked from outside the LAN.

All of the above confuses me. And I decided to do a test myself. After I installed Tiny Personal Firewall and BlackICE Defender on the same machine, I could not find the IDS effect if I had a firewall running.
BTW, is there an example of a machine with a personal firewall and antivirus app installed that still got hacked? And could it have been avoided by combining them with an IDS?

OR, it may be like ahoffmann said, "Keep in mind that when thinking about IDS, you need to be pedantic paranoid"
> "Firewall drivers may emphasize the inspection of outbound
> packets. IDS may emphasize the inspection of inbound packets."

This is just half the truth; a firewall should work the same way in both directions (if not, simply forget it).

> BTW, is there an example of a machine with a personal firewall and antivirus app installed that still got hacked?

I have seen such a hack described on one of the security sites, http://www.securitfocus.com, http://www.sans.org or alike (sorry, lost the link), and the statements of some personal firewall vendors all claiming that it's not their fault but that of the underlying OS.
So, if you're paranoid, such PFs are useless; they simply protect you from well-known stupid script kiddies ...

> And could it have been avoided by combining them with an IDS?
Hmm, it can, if you know how to manage the alerts produced by the IDS (see the notes about false positives and false negatives). But an IDS also may not detect all attacks, even if you configure it with a high false positive rate.
> Is it necessary to install an IDS if the machine is already running a firewall?

No. A real IDS is expensive, and not really inclusive either (in completeness).

You seem low budget; stick to your current path, but exercise the tools you have and learn them well. Develop habits your mother would be proud of.
> a machine with a personal firewall and antivirus app installed that still got hacked?

Too many; I don't want to help (prospective abuser readers).

Think of the weekly vulnerabilities of the past year. This includes browser, OS, and EM. The kinds of things the firewall is told are OK.
Once you plug into a network, the best security is blown.

If you want to configure permitting of Love_Notes and attachments from strangers, and insist on running them, there is not much anyone at Experts Exchange can do to secure your system.
Electronic mail is one popular example of packets that get through both firewall and A/V. A simple one. It is not a good idea to describe here how TheDisgruntled can bypass your firewall.

> I could not find the IDS effect

I haven't a clue what you mean. Are you reviewing log files? BTW, IDS is not so perfect either, it just costs more.
http://www.intrusion.com/
http://www.intrusion.com/products/product.asp?lngProdNmId=2&lngCatId=4

ex: "core architecture provide for more attacks to be identified at higher speeds."
What OS?
Many won't do XP yet.
Thanks to everyone who gave me comments. The only inconvenience is that I cannot accept multiple comments as the answer. But I will grade everyone with a standalone question named "Question for ...".

Thanks again!
Ditto.
Hence I approve of beginning with under 50 points (else why permit lower) and going that route as well.