Re: Newbie IDS questions

From: Drew (simonis@myself.com)
Date: 01/10/02


Date: Thu, 10 Jan 2002 00:06:37 -0500
From: Drew <simonis@myself.com>
To: Mike Hrubes <MHrubes@wizmo.com>

Mike Hrubes wrote:
>
> Hi all,
>
> I'm new to the IDS world. I understand what an IDS does, and why you
> need it, but I have some questions on the technical aspect of IDS. We
> are planning on implementing an IDS in the near future. The idea that
> has been proposed is to put the IDS in the path between connections,
> rather than connected in promiscuous mode. The reason they want to do
> this is so they can also run a blocking software, like portsentry, to
> block unwanted scans, etc.

Isn't this the way that a Cisco router with IDS feature set installed
works? Personally, I don't like the idea of introducing more
complication into the network. Whereas running the IDS feature set
on an IOS device adds functionality to an existing network unit, this
solution brings us a new target. I much prefer using IDS in a silent
configuration in such a way that it cannot become a target to the
attacker.

I'm also not sure why running something like portsentry would preclude
you from using a promiscuous type IDS. Can you clarify?

-Ds
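Added example, not from the original thread or from either poster: a sketch of the passive side of the design Drew prefers, a sniffer-fed scan detector that needs no address on the monitored segment and hands block decisions to a separate enforcement point (router ACL, firewall) instead of sitting in the path. This is one way a promiscuous-mode sensor and a portsentry-style blocker can coexist. The tcpdump-style lines, addresses, window size and port threshold are constructed and assumed for illustration.

```python
"""Passive SYN-scan detector (added example, not from the thread).

Parses constructed tcpdump-style lines, counts distinct destination
ports per source inside a sliding window, and pushes block decisions
to a hook instead of dropping traffic itself. The sensor only reads
packets; it never needs to answer on the segment it watches.
"""
import re
from collections import defaultdict, deque

# tcpdump -n -tt style, assumed layout:
# 1010639197.000000 IP 10.0.0.5.40123 > 192.168.1.10.21: Flags [S], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP line, or None for anything else (ARP, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


class PassiveScanDetector:
    def __init__(self, window=10.0, port_threshold=5, block_hook=None):
        self.window = window                  # seconds (assumed value)
        self.port_threshold = port_threshold  # distinct ports (assumed value)
        self.block_hook = block_hook or (lambda src: None)
        self.events = defaultdict(deque)      # src -> deque of (ts, dport)
        self.blocked = set()

    def observe(self, pkt):
        # Only bare SYNs count; ACKs and unparsable lines are ignored.
        if pkt is None or pkt["flags"] != "S":
            return None
        q = self.events[pkt["src"]]
        q.append((pkt["ts"], pkt["dport"]))
        # Evict events older than the window so a slow scan is not
        # accumulated forever (that is a tuning choice, not a free lunch).
        while q and pkt["ts"] - q[0][0] > self.window:
            q.popleft()
        distinct = {dport for _, dport in q}
        if len(distinct) >= self.port_threshold and pkt["src"] not in self.blocked:
            self.blocked.add(pkt["src"])
            self.block_hook(pkt["src"])
            return pkt["src"]
        return None

    def feed(self, lines):
        """Run all lines through the detector; return sources flagged."""
        alerts = []
        for line in lines:
            hit = self.observe(parse_line(line))
            if hit:
                alerts.append(hit)
        return alerts


def iptables_rule(src):
    """What the sensor hands to a separate enforcement host (assumed format)."""
    return f"iptables -I INPUT -s {src} -j DROP"


# Constructed sample capture: one fast scanner, one normal client,
# one slow scanner whose fifth port arrives after the window expired.
SAMPLE_LINES = [
    "1010639197.000000 IP 10.0.0.5.40123 > 192.168.1.10.21: Flags [S], seq 1, win 512",
    "1010639197.300000 IP 10.0.0.5.40124 > 192.168.1.10.22: Flags [S], seq 1, win 512",
    "1010639197.600000 IP 10.0.0.5.40125 > 192.168.1.10.23: Flags [S], seq 1, win 512",
    "1010639197.900000 IP 10.0.0.5.40126 > 192.168.1.10.25: Flags [S], seq 1, win 512",
    "1010639198.200000 IP 10.0.0.5.40127 > 192.168.1.10.80: Flags [S], seq 1, win 512",
    "1010639198.500000 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [S], seq 9, win 65535",
    "1010639198.600000 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [.], ack 10, win 65535",
    "1010639199.000000 IP 10.0.0.7.51001 > 192.168.1.10.80: Flags [S], seq 9, win 65535",
    "1010639200.000000 IP 10.0.0.9.33000 > 192.168.1.10.21: Flags [S], seq 2, win 1024",
    "1010639201.000000 IP 10.0.0.9.33001 > 192.168.1.10.22: Flags [S], seq 2, win 1024",
    "1010639202.000000 IP 10.0.0.9.33002 > 192.168.1.10.23: Flags [S], seq 2, win 1024",
    "1010639203.000000 IP 10.0.0.9.33003 > 192.168.1.10.25: Flags [S], seq 2, win 1024",
    "1010639230.000000 IP 10.0.0.9.33004 > 192.168.1.10.80: Flags [S], seq 2, win 1024",
    "1010639231.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10",
]


def run_sample():
    """Feed the sample; return (flagged sources, rules sent to enforcement)."""
    rules = []
    det = PassiveScanDetector(block_hook=lambda src: rules.append(iptables_rule(src)))
    alerts = det.feed(SAMPLE_LINES)
    return alerts, rules


if __name__ == "__main__":
    flagged, rules = run_sample()
    print("flagged:", flagged)
    print("rules for enforcement point:", rules)
```

The sensor itself has no stake in the forwarding path: if it dies, traffic still flows, and an attacker on the segment has nothing to connect to. Whatever consumes the block rules (the firewall or router) remains the only reachable device, which is the "silent configuration" argument in concrete form. Note that the slow scanner at 10.0.0.9 slips under this window; that is the trade-off any windowed detector makes.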