[ Thanks to dgroot for
this link. ]
“If someone broke into your network, how would you know? There wouldn’t be any muddy footprints. If you had a strong firewall that had good logging capabilities, you might find evidence of an attack in your logs, but a smart hacker could even get around that.”

“To make the case for rigorous intrusion detection beyond that provided by firewalls and their logs, consider the case of a classic e-mail virus: A worker receives an e-mail from a coworker’s home account saying that he’s found a copy of a file that’s been missing for a few months. The worker clicks on the executable attachment that says it’s a zip file, which installs a Trojan horse that lies in wait until it detects a period of keyboard and mouse inactivity for long enough to assume that the worker isn’t looking at the computer. The Trojan horse then opens a connection to a hacker’s computer. Even if your firewall is designed to block outbound connections on unusual ports (the vast majority are not), nothing prevents the hacker from serving his attack software on a common port like 80 (HTTP). Your firewall will merely see what looks like an HTTP connection flowing out of the network to a web server, a type of connection it sees thousands of times a month.”

“This sort of attack will get right past even a strongly secured stateful inspection firewall like Firewall-1 or SonicWALL. Only proxy-based firewalls like Gauntlet and Symantec Enterprise Firewall can be relied upon to reject improper protocol data on standard ports…”
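As an added example (not code from the original post or from the quoted article), the following Python script contrasts the two kinds of decision the excerpt describes: a port-based rule, which treats anything to TCP/80 as web traffic, and a proxy-style protocol conformance check, which parses the first client bytes of a port-80 flow as an HTTP/1.x request and rejects anything that does not fit the protocol. The sample flows, the permitted-method list and all function names are constructed for illustration and are not taken from any of the products named above.

```python
"""Port-based versus proxy-style handling of outbound port-80 traffic.

Added example, not from the original post or the quoted article.
The sample flows below are constructed, not captured traffic.
"""
import re
from typing import List, Tuple

# Methods a forward proxy for plain browsing would accept (assumption: a
# real proxy policy may differ). CONNECT is deliberately left out because a
# proxy that allows it only tunnels opaque bytes, which is exactly the
# situation a protocol-aware check is meant to avoid on port 80.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
HEADER_LINE = re.compile(rb"^(" + TOKEN + rb"):[ \t]*(.*?)[ \t]*$")


def port_only_decision(dst_port: int) -> str:
    """What a purely port-based rule sees: anything to TCP/80 is 'web'."""
    return "allow" if dst_port == 80 else "deny"


def check_http_request(payload: bytes) -> Tuple[bool, str]:
    """Parse the first client bytes as an HTTP/1.x request head.

    Returns (ok, reason). Only a syntactically valid request line, valid
    header lines free of control or non-ASCII bytes, and (for HTTP/1.1)
    a Host header pass. Anything else counts as improper protocol data.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no terminated header block"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return False, "malformed request line"
    method, minor = m.group(1), m.group(3)
    if method not in ALLOWED_METHODS:
        return False, "method not permitted: %s" % method.decode("ascii")
    headers = {}
    for line in lines[1:]:
        if any(c < 0x20 or c > 0x7E for c in line if c != 0x09):
            return False, "control or non-ASCII bytes in header"
        h = HEADER_LINE.match(line)
        if h is None:
            return False, "malformed header line"
        headers[h.group(1).lower()] = h.group(2)
    if minor == b"1" and b"host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    return True, "well-formed HTTP request"


def proxy_decision(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Proxy-style rule: port 80 is allowed only if the bytes are HTTP."""
    if dst_port != 80:
        return "deny", "not a proxied port"
    ok, reason = check_http_request(payload)
    return ("allow" if ok else "deny"), reason


# Constructed sample flows: (label, destination port, first client bytes).
SAMPLE_FLOWS = [
    ("browser to web server", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("custom binary protocol on port 80", 80,
     b"\x00\x17\x9a\x05\x01\x00\x00\x00\xde\xad\xbe\xef"),
    ("text protocol that is not HTTP", 80,
     b"HELLO 1.0\r\nID=42\r\n\r\n"),
    ("HTTP/1.1 without Host header", 80,
     b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"),
]


def evaluate(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str, str]]:
    """Return (label, port-based verdict, proxy verdict, proxy reason) per flow."""
    out = []
    for label, port, payload in flows:
        verdict, reason = proxy_decision(port, payload)
        out.append((label, port_only_decision(port), verdict, reason))
    return out


if __name__ == "__main__":
    for label, port_v, proxy_v, reason in evaluate():
        print(f"{label:36} port-rule={port_v:5} proxy={proxy_v:5} ({reason})")
```

Running the script shows the port-based rule allowing all four flows while the proxy-style check allows only the genuine browser request. The check inspects just the first request head; a real application proxy keeps parsing every message in both directions for the life of the connection, which is what lets it refuse a flow that starts as HTTP and then switches to something else.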