My response to a thread about the differences between "firewalls" and "intrusion prevention systems" (IPSs) seems to have touched a nerve. A message from someone who works for an IPS vendor stated the following:
"I know that it is unlikely that I can sway you, but I do not see why the investigative role should preclude the protective role. Aren't you arguing that police should not interfere with the criminals of the world?"
"I didn't mean to imply that 'the investigative role should preclude the protective role.' I support products which protect targets from exploitation. The best incident is the one that never happens. However, I believe the detection role should not be combined with the protection role.
Remember I stress that detection of failures of protection is more important than detecting attacks.
How can a single product that performs protection know when it has failed to provide protection?
Only a separate detection product, focused on network audit, can do that."
As a follow-up, here's an example implementation of what I mean. Assume your firewall provides access control to port 22 TCP, which offers OpenSSH on several of your DMZ servers. The firewall rules deny all traffic to port 22 TCP except from certain authorized addresses. This is a smart idea since the firewall is configured to protect OpenSSH on these servers from abuse (credential guessing) and exploitation (via zero-day attack, assuming OpenSSH is patched appropriately).
In this situation, I would create a Snort rule that fires whenever an IP not on the authorized list connects to port 22 TCP. That sort of rule detects failures of protection. If for some reason the firewall is misconfigured or fails, and an intruder connects to port 22 TCP on a DMZ server, the detection system will create an alert. A secondary action involves logging session records of all connections to and from the DMZ server if possible, or logging as many sessions as possible.
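As an added illustration (my own example code, not part of the original post or any Snort distribution), the following Python mirrors that rule: it walks constructed session records, flags any new TCP session to port 22 on a DMZ server whose source is outside the authorized list, and renders the equivalent Snort rule. The addresses, the log format and the Snort IP-list syntax are assumptions.

```python
import ipaddress
import re

# Constructed policy values: the DMZ hosts offering OpenSSH and the only
# sources the firewall is supposed to let reach them on 22/tcp.
DMZ_SSH_SERVERS = ["192.0.2.10", "192.0.2.11"]
AUTHORIZED_SSH_CLIENTS = ["198.51.100.5", "198.51.100.0/29"]

# Constructed session records from a sensor independent of the firewall:
# timestamp, proto, src:port, dst:port, TCP flags on the first packet.
SESSION_LOG = """\
2004-07-14 12:00:01 tcp 198.51.100.5:40123 -> 192.0.2.10:22 S
2004-07-14 12:00:07 tcp 198.51.100.3:40124 -> 192.0.2.11:22 S
2004-07-14 12:01:15 tcp 203.0.113.77:51000 -> 192.0.2.10:22 S
2004-07-14 12:01:16 tcp 203.0.113.77:51001 -> 192.0.2.10:80 S
2004-07-14 12:02:00 tcp 192.0.2.10:22 -> 203.0.113.77:51000 SA
"""

LINE = re.compile(r"^(\S+ \S+) (\w+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def in_list(addr, nets):
    """True if addr falls inside any network in nets (hosts count as /32)."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def detect_protection_failures(log, servers=DMZ_SSH_SERVERS,
                               clients=AUTHORIZED_SSH_CLIENTS, port=22):
    """Return (timestamp, src, dst) for every initial SYN to `port` on a DMZ
    server from a source the firewall should have blocked."""
    server_nets = [ipaddress.ip_network(s, strict=False) for s in servers]
    client_nets = [ipaddress.ip_network(c, strict=False) for c in clients]
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything not in the expected record format
        ts, proto, src, _sport, dst, dport, flags = m.groups()
        if proto != "tcp" or int(dport) != port or flags != "S":
            continue  # only the opening SYN toward the protected service
        if not in_list(dst, server_nets) or in_list(src, client_nets):
            continue  # not a DMZ SSH server, or an authorized client
        alerts.append((ts, src, dst))
    return alerts

def snort_rule(servers=DMZ_SSH_SERVERS, clients=AUTHORIZED_SSH_CLIENTS,
               port=22, sid=1000001):
    """Render the same check as a Snort rule (negated IP-list syntax assumed)."""
    return (f"alert tcp ![{','.join(clients)}] any -> [{','.join(servers)}] {port} "
            f'(msg:"Unauthorized SSH connection - firewall protection failure"; '
            f"flags:S; sid:{sid}; rev:1;)")
```

Only the third record should alert: the second comes from an address inside the authorized /29, the fourth targets port 80, and the fifth is the server's SYN/ACK reply.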
This advice stands in stark contrast to researchers at Gartner and elsewhere who advocate removing IDS in favor of "deep inspection firewalls." I found an excellent rebuttal of this approach by Mike Fratto in the relatively new Secure Enterprise magazine. This periodical was first published late last year by the same folks who produce Network Computing, and I encourage readers to subscribe to SE.
I became aware of SE after reading an Internet Week article on the legality of sharing wireless bandwidth. The article features comments by former DOJ'er Mark Rasch, who recently wrote Wi-Fi High Crimes. I've been wondering about the legality of sniffing wireless traffic, and I assumed such activity constituted a wiretap as defined by 18 U.S.C. 2510 (Chapter 119, Wire and Electronic Communications Interception and Interception of Oral Communications). Lawyers seem to prefer wider interpretation of laws so as to proscribe monitoring; Richard Salgado has exemplified this view. A reply to the Rasch article noted that wireless traffic, being radio signals, may be covered by 18 U.S.C. 2511 (Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited), which states:
"(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person--
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;"
Of course, I am not a lawyer, and laws can be re-interpreted at whim. Nevertheless, this sets the groundwork for someone who might be prosecuted by the Feds for passively monitoring wireless traffic. Remember that your state statutes might expressly forbid the same activity the Feds consider to be legal.