Solved

Is it necessary to install IDS if the machine has run a firewall?

Posted on 2002-03-12
Last Modified: 2013-11-16
I installed BlackICE Defender on a machine which is running Tiny Personal Firewall. But I find it can't detect/catch anything if the firewall is running. It looks like it is installed behind the firewall and the firewall blocks everything. Is it necessary to install it if the machine is running a firewall?

Please give me some comments!

Thanks a lot!
Question by:Jerryleo

18 Comments

LVL 51

Expert Comment

by:ahoffmann
a firewall cannot detect all attacks. Some packets are simply dropped, doesn't matter if they are part of an attack or not.
An IDS is *not* a firewall, you may say that it "assists" a firewall to detect attacks.

I.g. it doesn't make much sense to run an IDS on the firewall itself.
Pedantic security people place one IDS before, and one behind the firewall, then compare the results.
LVL 1

Expert Comment

by:tonimargiotta
The answer to what you want to do is that it depends!

My preference is to have the IDS behind the firewall because mostly I am only interested in what gets through.  I don't want to alarm on every scan.

On the other hand, in a commercial environment we have one outside the firewall too because it makes it easier to identify the source of an attack when NAT is operational, and it also can provide the best source of information about a Denial of Service attack.

If I were using only one sensor in a small environment, I would want it to see the traffic before it reaches the firewall.  Sorry I can't help with how you would configure this with the TPF (Nice software, I use it too!).
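The placement question raised by ahoffmann (one sensor in front of the firewall, one behind, compare) and tonimargiotta (a sensor behind the firewall only sees what gets through) can be made concrete with a small simulation. The following is an added example and is not code from the thread, from BlackICE, Tiny Personal Firewall or any other product named here; the packet filter, the signature list and the traffic sample are all constructed for illustration. It shows why a detector sitting behind a blocking filter reports little: everything the filter drops never reaches it, including the multi-port probing that only a sensor in front of the filter can see.

```python
"""Sensor-placement simulation (added example, not from the thread).

A stateless packet filter stands in for a personal firewall, and a
signature matcher stands in for an IDS.  The matcher is run once on the
raw traffic (sensor in front of the filter) and once on the traffic the
filter lets through (sensor behind it), and the two alert lists are
compared.  Packets, policy and signatures are all constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes = b""


# Constructed firewall policy: allow only inbound 80/tcp and 443/tcp.
ALLOWED_PORTS = {80, 443}


def firewall_allows(pkt: Packet) -> bool:
    """An on/off decision on protocol and port, nothing else is inspected."""
    return pkt.proto == "tcp" and pkt.dst_port in ALLOWED_PORTS


# Constructed signatures: (name, predicate over a packet).
SIGNATURES = [
    ("http-path-traversal", lambda p: p.dst_port == 80 and b"../" in p.payload),
    ("netbios-probe", lambda p: p.dst_port == 139),
    ("telnet-probe", lambda p: p.dst_port == 23),
]


def detect(pkt: Packet) -> list:
    """Return the names of all signatures that match one packet."""
    return [name for name, match in SIGNATURES if match(pkt)]


def run_sensors(packets):
    """Return (alerts from a sensor in front of the filter,
    alerts from a sensor behind it)."""
    before, behind = [], []
    for pkt in packets:
        hits = detect(pkt)
        before.extend((pkt.src, h) for h in hits)
        if firewall_allows(pkt):           # only these reach the rear sensor
            behind.extend((pkt.src, h) for h in hits)
    return before, behind


def port_scan_sources(packets, threshold=3):
    """Sources touching at least `threshold` distinct ports.  A sensor in
    front of the filter can count these; a sensor behind it only ever sees
    the allowed ports, so the scan is invisible there."""
    ports = {}
    for pkt in packets:
        ports.setdefault(pkt.src, set()).add(pkt.dst_port)
    return sorted(src for src, ps in ports.items() if len(ps) >= threshold)


# Constructed traffic sample: one normal request, one bad request on an
# allowed port, and one source probing several ports.
SAMPLE = [
    Packet("10.0.0.5", 80, "tcp", b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.7", 80, "tcp", b"GET /../../etc/passwd HTTP/1.0"),
    Packet("10.0.0.9", 23, "tcp"),
    Packet("10.0.0.9", 139, "tcp"),
    Packet("10.0.0.9", 445, "tcp"),
    Packet("10.0.0.9", 443, "tcp"),
]

if __name__ == "__main__":
    before, behind = run_sensors(SAMPLE)
    print("sensor in front of the firewall:", before)
    print("sensor behind the firewall:     ", behind)
    print("scanning sources (front sensor only):", port_scan_sources(SAMPLE))
```

Only the path-traversal request survives to the rear sensor, because it arrives on a port the filter permits; the telnet and NetBIOS probes are dropped before any detector behind the filter exists to see them. That is the "it can't detect anything" effect from the question, and also why tonimargiotta's single-sensor setup wants to see traffic before the filter.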
 
LVL 24

Expert Comment

by:SunBow
> necessary to install IDS

no.
btw, you do not have IDS (yet)

> But I find it can't detect/catch anything, if the firewall is running.

yes

> It looks like it be installed behind the firewall and the firewall blocked all.

exactly

> Is it necessary to install it if the machine has run a firewall?

no

> Please give me som comments!

Generally, it is personal taste, where most people won't run two firewalls. Possibly, consider placing the defender on the wall first, or by itself. Its claim to fame is being easier to block everything, with better forensic capability to track everything. Translation, then you don't get to do anything until you figure out how to enable, and you are more vulnerable to getting bogus alerts, or shall we say false positives. In general, needing a longer learning curve than Tiny, which has been growing in popularity.

If you are interested in going with a second product, the first choice has been to go with ZoneAlarm, since it has a freeware version AND it looks at packets leaving your PC, while the Defender of NetIce does not. Together they are more of a dynamic duo. But hardware protection for wall is better, while less flexible. Once you learn more about which packets and services to enable (or not), then you can best decide.

Tiny used to be buggy and unfriendly, so I got less experience there. With growing popularity my guess is that it has become as reliable as the first two choices. See also Sygate.

Perhaps ahoffmann can discuss Tiny better, I thought I heard that it now also looks at outgoing packets, if so, may be better contrasted with Zone Labs products than NetICE's.

But usability is important. What you use has to make sense to you, or you likely won't be running some of the available features of a product. This leaves it more a personal choice. And, btw, when running software products on PC, these take cycles, meaning other apps will seem slower to run, and noticeability depends on speed of cpu and ram available. Not good to run too many of these on a very old box. ZA is reported to be the one that takes longer to run (or to have more impact in slowing down other functions).

Some people run one to figure out better what to enable/disable, then stop it and run another because it functions better at the processes desired (but may be more initially confusing in setting it up).

>  I don't want to alarm on every scan

definitely. that's a drag. but I am very pro on logging everything, so I can look back in time once something new is uncovered. Do manage logging, such files can grow and grow, unnecessarily. But they are essential for debugging.
LVL 24

Expert Comment

by:SunBow
> TPF (Nice software,

<sigh> sorry to miss it, I also go: "Perhaps tonimargiotta can discuss Tiny better", (than I can at this time)
LVL 51

Accepted Solution

by:ahoffmann, earned 15 total points
> > But I find it can't detect/catch anything, if the firewall is running.
> yes

NO.

> > It looks like it be installed behind the firewall and the firewall blocked all.
> exactly

PROBABLY (depends on the quality of that program)

> > Is it necessary to install it if the machine has run a firewall?
> no

YES, if you want to know what happens behind the firewall.

> .. it is personal taste,
agreed.

> .. false positives.
hmm, these are not a problem (except ignoring). False positives cause the trouble.

> .. Zone .. Tiny .. Black ..
IMHO, forget it all, 'cause they all can be circumvented using some widely open backdoors on the underlying M$orwhatever (see appropriate comments on the vendors' home pages: It's not the fault of our product, but of the underlying ...)

> But usability is important.
Depends.
Either you know what you want to do, and then you simply do it. Or you don't, then any usability is useless, anyhow.

> This leaves it more a personal choice
Agreed ;-)

Keep in mind that when thinking about IDS, you need to be pedantic paranoid (as I'm:)

Author Comment

by:Jerryleo
Thanks everyone for your comments.

I am a newbie. I am interested in network security. I have heard of people combining several firewall technologies and their discussions, such as,

"Firewalls are not designed to detect attacks. Instead, they are designed to be an "On" or "Off" switch based on either IP addresses, protocols, or UDP or TCP ports, it does not log this potentially damaging traffic, it simply block undesirable traffic."

"One major flaw of personal firewalls is that if the end-user programs it incorrectly, it will fail with no warning. "

"Firewall drivers may emphasize the inspection of outbound
packets. IDS may emphasize the inspection of inbound packets."


And I know a friend has been hacked from outside LAN.

All of the above make me confused. And I decided to do a test myself. After I installed Tiny Personal Firewall and BlackICE Defender on the same machine, I cannot find the IDS effect if I am running a firewall.
Author Comment

by:Jerryleo
BTW, is there an example of a machine with a personal firewall and antivirus app installed still being hacked? And can it be avoided by combining an IDS?

OR, it may be like ahoffmann said, "Keep in mind that when thinking about IDS, you need to be pedantic paranoid"
LVL 51

Expert Comment

by:ahoffmann
> "Firewall drivers may emphasize the inspection of outbound
> packets. IDS may emphasize the inspection of inbound packets."

This is just half the truth, a firewall should work the same way in both directions (if not, simply forget it).

> BTW, is there an example that a machine installed a personal firewall and antivirus app still been hacked?

Have seen such a hack described on one of the security sites http://www.securitfocus.com http://www.sans.org or alike (sorry, lost the link), and the statements of some personal firewall vendors all claiming that it's not their fault but the fault of the underlying OS.
So, if you're paranoid, such PFs are useless, they simply protect you from well-known stupid script kiddies ...

> And it can avoid by combining a IDS.
Hmm, it can, if you know how to manage the alerts produced by the IDS (see the notes about false positives and false negatives). But an IDS also may not detect all attacks, even if you configured it with a high false positive rate.
LVL 3

Expert Comment

by:FlamingSword
> Is it necessary to install IDS if the machine has run a firewall?

No. Real IDS is expensive, and not real inclusive either (in completeness)

You seem low budget, stick to current path, but exercise the tools you have, learn them well. Develop habits your mother would be proud of
LVL 3

Expert Comment

by:FlamingSword
> a machine installed a personal firewall and antivirus app still been hacked?

too many, i don't want to help (prospective abuser reader)

Think of the weekly vulnerabilities of past year. This includes browser, OS, and EM. The kinds of things that firewall is told are ok
LVL 3

Expert Comment

by:FlamingSword
Once you plug into network, best security is blown.

if you want to configure permitting of Love_Notes and attachments from strangers, and insist on running them, there is not much anyone at experts-exchange can do to secure your system
LVL 24

Expert Comment

by:SunBow
?
LVL 24

Expert Comment

by:SunBow
Electronic Mail is one popular example of packets that get through both firewall and A/V. A simple one. It is not a good idea to describe here how TheDisgruntled can bypass your firewall.

> I can not find the IDS effect

I haven't a clue what you mean.  Are you reviewing log files? btw, ids not so perfect either, just costs more
LVL 24

Expert Comment

by:SunBow
http://www.intrusion.com/
http://www.intrusion.com/products/product.asp?lngProdNmId=2&lngCatId=4

ex: "core architecture provide for more attacks to be identified at higher speeds."
LVL 3

Expert Comment

by:FlamingSword
What OS?
Many won't do XP yet
Author Comment

by:Jerryleo
Thanks to everyone who gave me comments. The only discommodiousness is that I can not accept multiple comments as the answer. But I will grade everyone with a standalone question named "Question for ...".

Thanks again!
LVL 24

Expert Comment

by:SunBow
ditto.
Hence I approve of beginning with under 50 points (else why permit lower) and go that route as well