Can an IDS help when I'm behind a router?

Discussion in 'other firewalls' started by mvdu, Dec 5, 2003.

Thread Status:
Not open for further replies.
  1. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I'm also on a home computer - not a server. But I read where some hackers are targeting routers, so I wonder if an IDS such as Norton's can enhance security.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    An IDS must first see the network traffic in order to be able to scan and analyze it. If you have no ports forwarded in from your router to your system, then the only traffic reaching your PC will be replies to whatever communications you've initiated. I'm not sure that running an IDS on that would be nearly as valuable as running it against the incoming traffic that a web server (for example) would normally get.

    I don't run an IDS on my single (non-LAN environment) DSL attached client PC system as I never saw the value. But, perhaps others have done so and can comment on the benefits that might be involved...

    Of course, if your router is somehow taken out of the picture, a software firewall with or without an IDS would still protect your computer.
     
  3. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I do have one port forwarded (I use it in case I file-share again.) Thanks for your opinion, and maybe others can weigh in.
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I'm behind a router too, a Linux box, and I have an IDS on it, not on my computer.
    The IDS can see all traffic, the traffic which will reach my computer, and the traffic which is dropped by the firewall.

    However, since I don't run any server/services available for the Internet, it's just by curiosity more than by need.
    The IDS, well configured, doesn't log a lot of things, whereas the firewall log grows quickly :)
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ideally, an IDS would be placed external to the border firewall and another internal to it (before it reaches any internal switch). But the main benefit is lost if there are few IPs on the side that each IDS monitors. So in a single IP DSL arrangement, to have it on the firewall host will not give you the degree of info that it would if there were a partial or full Class C network or greater behind it. Likewise, if you have one internal to the firewall but the only thing inside it is a single host, then you will see little benefit. However, the data can still be useful in a single IP environment, especially when someone is directing a stream of reconnaissance probes or hack attempts.
     
  6. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    So the only benefit I'd get from a software firewall/IDS combo is greater detail in alerts? If that's the case, I'm not sure NPF would be worth using.
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    You would get greater detail in the alerts, but you will also get more coverage to some extent. For example, if you decide to allow Web traffic through :) once you allow it, most firewalls (without IDS capability) will pass it without comment or review; however, the IDS will analyse the packet stream for characteristics specified as indications of one or another sort of attempt to leverage some vulnerability. However, this will entail some degree of false positives. For instance, it may see packet contents that are consistent with attempted vulnerability exploitation of, say, a certain version of Apache web server, but if you are only running a web client on your side then obviously it is of no interest to you; but there is some degree of legwork involved to find this out (that it is of no interest to you), and if it happens consistently you would go into the IDS administration and toggle that particular rule.

    IDS's always serve as a complement to firewalls rather than as a redundancy but as stated previously, the returns on the investment in time of administration may differ depending on the network design and placement.

    Hope this helps

    {last minute note - My remarks are more geared towards Snort or Snort-based IDS (which is incorporated in some personal firewalls such as Tiny). I have no experience with Norton's implementation, so it may be that the administration of its IDS is less involved, but that would be some indication, I think, of the quality of the coverage, IMO}
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Norton Personal Firewall has about 125 IDS signatures last time I checked - good, but not like Snort. Thanks for all the answers - they have been helpful.
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi mvdu

    As the others have mentioned, an IDS is most beneficial if you are running services that could be exploited and forwarding traffic through the firewall. It will analyze those packets allowed through the firewall for possible malicious content based on its signatures. Depending on the IDS, it may log or drop and log the packets when a signature is matched.

    The signature based IDS in NIS was introduced in NIS2002 Pro (v4.5).

    At that time the firewall/packet filter in NIS would not handle certain stealth scans properly and respond as closed instead of dropping (stealth) the packets. The IDS would identify some of these scans and drop and log the packets. The IDS, in this example, was somewhat beneficial for those users concerned about being stealth.

    The packet filtering in the latest versions of NIS has improved and deals with these packets better now, but I have not tested without the IDS running to see how the packet filtering alone will handle all the different types of scans.

    The IDS in NIS will also drop and log outbound packets that match its signatures, preventing you from sending them. Most postings I have seen on this usually involve false alarms. But as an example, I have seen it properly identify and drop certain packets when doing vulnerability testing on systems, and it would require disabling the IDS when doing this testing.

    Regards,

    CrazyM
     
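As an added illustration (not code from this thread, nor from NIS, Snort or any product named here), a small Python model of the pipeline the replies above describe: the router passes unsolicited inbound traffic only to a forwarded port, or replies from peers the PC itself contacted, so the IDS only inspects what gets that far; a matched signature is either logged or dropped-and-logged, on outbound packets too; and a rule that keeps firing on a client-only host can be toggled off. All rule contents, ports and addresses are constructed assumptions.

```python
# Constructed model of the router -> IDS pipeline discussed in this thread.
# Rules, ports, addresses and payloads are assumptions made for the example.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str          # peer address
    dst_port: int     # destination port on the home PC
    inbound: bool     # True = arriving from the Internet
    payload: bytes

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes        # substring the signature looks for
    dst_port: int = 0     # 0 = any port
    action: str = "log"   # "log" or "drop" (drop-and-log)

@dataclass
class Ids:
    rules: list
    disabled: set = field(default_factory=set)  # sids toggled off after review
    alerts: list = field(default_factory=list)  # (sid, peer, action) log

    def inspect(self, pkt):
        """Return True if the packet may continue, False if the IDS dropped it."""
        for r in self.rules:
            if r.sid in self.disabled or r.dst_port not in (0, pkt.dst_port):
                continue
            if r.content in pkt.payload:
                self.alerts.append((r.sid, pkt.src, r.action))
                if r.action == "drop":
                    return False
        return True

def router_allows(pkt, forwarded, established):
    """NAT router: unsolicited inbound traffic only passes to a forwarded port;
    replies from peers the PC itself contacted are always let back in."""
    return (not pkt.inbound) or pkt.dst_port in forwarded or pkt.src in established

def run(packets, ids, forwarded, established):
    """Return (packets the IDS got to inspect, packets delivered or sent)."""
    seen, passed = 0, 0
    for p in packets:
        if not router_allows(p, forwarded, established):
            continue          # blocked at the router: the IDS never sees it
        seen += 1
        passed += ids.inspect(p)
    return seen, passed

RULES = [Rule(1, "traversal in HTTP request", b"../", dst_port=80),
         Rule(2, "server-side pattern, noise on a client-only host", b"PATTERN-A"),
         Rule(3, "known-bad outbound probe", b"PATTERN-B", action="drop")]
```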
  10. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Thanks, CrazyM. In fact, ZAP does not recognize certain scans - though I haven't seen any that I know got through. I guess it's possible that NPF, due to its IDS, could have an advantage over ZAP when it comes to allowed apps, too. I won't ask you which one I should use - I'll decide that - but I appreciate the feedback.
     