Firewalls & NIDS

Q1. For a given topology, NIDS, and firewall configurations, is a class of “bad” events always detected?

IDS Protection Myth

Attacks arrive in different patterns. Some match known network attack patterns, such as the code of a virus or worm; others show up only as unusual traffic that deviates from the statistical norm. A Network Intrusion Detection System (NIDS) is designed to detect both: known attacks by matching them against a collection of signatures, and unknown attacks by flagging traffic that departs from a learned baseline.

There is, however, a way around signature-based detection. When an intruder modifies the attack code, or the attack contains code that is not in the sensor's signature collection, the NIDS cannot detect it. Changing the code is not a difficult task: altering a few bytes (re-encoding a request, changing case, inserting padding) is often enough to stop a signature from matching, even though the attack still works (Baker, 2010).

Another problematic facet of a NIDS is the review and maintenance of its logs. A sensor that is poorly tuned to the local network produces an enormous number of false positives. This flood of false alarms tires the reviewers quickly and erodes their trust in the tool, and genuine alerts buried in the list may be overlooked.
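Both problems in the two paragraphs above, a signature defeated by changing a few bytes and a broad signature that fires on harmless traffic, can be reproduced in a few lines of signature matching. The following is an added example, not code from the original essay or from any real NIDS; the three signatures, the tightened variant and the four request lines are constructed for the illustration. It matches the same signatures against the raw wire bytes, then against a canonical form (percent-decoded and lower-cased), and then with a tighter SQL-injection signature, so the effect of each change is visible side by side.

```python
import re
from urllib.parse import unquote

# Constructed signatures for the demo (not taken from any real IDS ruleset).
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./"),
    "win-cmd-exec": re.compile(rb"cmd\.exe"),
    "sqli-union": re.compile(rb"union\s+select", re.IGNORECASE),
}

# Same set, with the SQL-injection signature tightened so it also needs a FROM
# clause after the UNION SELECT; this is the kind of tuning that cuts false positives.
TUNED_SIGNATURES = {
    **SIGNATURES,
    "sqli-union": re.compile(rb"union\s+(all\s+)?select\b.*\bfrom\b", re.IGNORECASE),
}

def naive_match(payload: bytes, signatures=SIGNATURES) -> list:
    """Match signatures against the raw wire bytes, with no decoding at all."""
    return sorted(name for name, rx in signatures.items() if rx.search(payload))

def normalize_http(payload: bytes) -> bytes:
    """Canonicalise an HTTP request line: percent-decode (twice, to undo double
    encoding) and lower-case, so trivially altered attacks collapse to one form."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = unquote(text, encoding="latin-1")
    return text.lower().encode("latin-1")

def normalized_match(payload: bytes, signatures=SIGNATURES) -> list:
    """Match signatures against the canonical form instead of the raw bytes."""
    return naive_match(normalize_http(payload), signatures)

# Constructed request lines: the textbook attack, the same attack with a few
# bytes altered (percent-encoded dots, upper-case file name), a benign search
# query that happens to contain "union select", and a real injection attempt.
ATTACK = b"GET /cgi-bin/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
EVADED = b"GET /cgi-bin/%2e%2e/%2e%2e/winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"
BENIGN_SEARCH = b"GET /search?q=union%20select%20your%20team HTTP/1.0\r\n"
SQLI = b"GET /item?id=1%27%20union%20select%20username,password%20from%20users-- HTTP/1.0\r\n"

if __name__ == "__main__":
    samples = (("attack", ATTACK), ("evaded", EVADED), ("benign", BENIGN_SEARCH), ("sqli", SQLI))
    for label, req in samples:
        print(f"{label:7s} raw={naive_match(req)} "
              f"normalized={normalized_match(req)} "
              f"tuned={normalized_match(req, TUNED_SIGNATURES)}")
```

The raw matcher catches the textbook request and misses the re-encoded one entirely; decoding before matching recovers it, but decoding also makes the broad `union select` signature fire on the harmless search query, which is exactly the false positive an operator would have to tune out. Real sensors do this normalisation for HTTP, but every protocol the sensor does not decode is an opening for the same few-byte trick.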

Firewall Protection Myth

A firewall is a very useful system: it provides useful logging, and it protects the network from many sorts of attacks.

First and foremost, a firewall does not protect against attacks that originate inside the network. There are several things a firewall offers no protection against: removable media such as floppy disks and CDs, pests and worms carried in on them, internal modems dialing out to an external network, unauthorized wireless networks, and so on (Denton, 2010).

For instance, a firewall may allow a valid HTTP connection initiated from the inside to an external IP address, even though the connection was started not by a user but by a Trojan horse program that has just been downloaded to the user's computer. An IDS or firewall may not detect, and will normally allow, a new virus or Trojan horse downloaded by any user with Internet access. A company may place its email, web and DNS servers in a DMZ, and the firewall must then allow legitimate traffic to those servers. The situation gets worse when that allowed traffic exploits a recently published vulnerability in the web server or the mail server. The intruder then follows this process:

First, the intruder gains control of a DMZ host through a protocol the firewall allows.

Then the intruder opens a channel from the DMZ host to a remote base, again over traffic the firewall allows.
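The two-step intrusion above can be checked against an actual rule set rather than argued in prose. The following is an added example, not code from the original essay or its sources. It assumes a constructed topology using RFC 5737 documentation addresses (a DMZ 203.0.113.0/24 with web, mail and DNS hosts, an internal LAN 10.0.0.0/8, an attacker at 198.51.100.7 and a vendor update mirror at 192.0.2.50) and a simple first-match policy evaluator with an implicit deny; the rules themselves are assumptions made for the illustration. It shows that a policy which lets DMZ hosts reach anywhere over HTTP/HTTPS "for updates" allows both the inbound exploit and the outbound call home, and that restricting DMZ egress to the update mirror blocks the second step.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology (RFC 5737 documentation addresses, not a real network):
#   DMZ 203.0.113.0/24 with web .10, mail .20, DNS .30; internal LAN 10.0.0.0/8;
#   attacker 198.51.100.7; vendor update mirror 192.0.2.50.
ANY = "0.0.0.0/0"
DMZ = "203.0.113.0/24"
WEB, MAIL, DNS = "203.0.113.10/32", "203.0.113.20/32", "203.0.113.30/32"
ATTACKER = "198.51.100.7"
UPDATE_MIRROR = "192.0.2.50"

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the source address must fall in
    dst: str               # CIDR the destination address must fall in
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing hits the implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"

# Policy as the text describes it: published services reachable from anywhere,
# and DMZ hosts allowed outbound HTTP/HTTPS to anywhere "for updates".
ORIGINAL_POLICY = [
    Rule("allow", ANY, WEB, "tcp", 80),
    Rule("allow", ANY, WEB, "tcp", 443),
    Rule("allow", ANY, MAIL, "tcp", 25),
    Rule("allow", ANY, DNS, "udp", 53),
    Rule("allow", DMZ, ANY, "tcp", 80),
    Rule("allow", DMZ, ANY, "tcp", 443),
    Rule("deny", ANY, "10.0.0.0/8", "any", None),
]

# Hardened egress: DMZ hosts may only reach the update mirror, and everything
# else leaving the DMZ is denied. The mail relay still needs outbound SMTP to
# deliver mail, so that single path stays open (and remains a possible channel).
HARDENED_POLICY = [
    Rule("allow", ANY, WEB, "tcp", 80),
    Rule("allow", ANY, WEB, "tcp", 443),
    Rule("allow", ANY, MAIL, "tcp", 25),
    Rule("allow", ANY, DNS, "udp", 53),
    Rule("allow", DMZ, UPDATE_MIRROR + "/32", "tcp", 443),
    Rule("allow", MAIL, ANY, "tcp", 25),
    Rule("deny", DMZ, ANY, "any", None),
    Rule("deny", ANY, "10.0.0.0/8", "any", None),
]

# The two-step intrusion from the text, expressed as flows the firewall must judge.
EXPLOIT_INBOUND = Flow(ATTACKER, "203.0.113.10", "tcp", 80)   # step 1: exploit rides an allowed protocol
C2_OUTBOUND = Flow("203.0.113.10", ATTACKER, "tcp", 443)      # step 2: compromised host calls home

def intrusion_verdicts(policy: List[Rule]) -> dict:
    """Verdict for each step of the intrusion under the given policy."""
    return {
        "exploit_inbound": evaluate(policy, EXPLOIT_INBOUND),
        "c2_outbound": evaluate(policy, C2_OUTBOUND),
    }

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, intrusion_verdicts(policy))
```

No firewall rule can refuse step 1: the exploit arrives inside the very HTTP traffic the web server exists to receive, so it is the same event as a legitimate request until the server misbehaves. Egress filtering changes the answer for step 2 only, and only to the extent that the DMZ really has no business talking outward; the mail relay's outbound SMTP in the hardened policy is a reminder that an intruder on that host still has a permitted channel to a remote base.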

Q2. Can false alarms be raised for a given set of “good” events?

A better ...