RE: Changes in IDS Companies?

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 11/13/02 

Date: Wed, 13 Nov 2002 01:38:01 -0800
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "Dominique Brezinski" <dom@decru.com>, <detmar.liesen@lds.nrw.de>, <focus-ids@securityfocus.com>

Actually, I'll have to respectfully disagree.
There are many systems that run in various environments where for one
reason or another you simply can't patch them immediately (or in some
bad cases, any time soon), in those cases, you absolutely want to
implement protective measures (firewalling, changes in configuration
(if possible), isolation, etc...) but those situations are exactly the
sort of place where a GIDS _would_ be useful and appropriate.
While it isn't the ideal or final solution (removing the vulnerability
would be that), it is a reasonable interim solution to manage the risk
until a real solution can be implemented.

As any sysadmin can tell you, sometimes the patch is worse than the
vulnerability. Downtime from a bad patch can be just as bad or worse than
downtime from a compromise. :)

All opinions are my own and in no way reflect the views of my employer.

Toby

> -----Original Message-----
> From: Dominique Brezinski [mailto:dom@decru.com]
> Sent: Tuesday, November 12, 2002 2:29 PM
> To: detmar.liesen@lds.nrw.de; focus-ids@securityfocus.com
> Subject: Re: Changes in IDS Companies?
>
>
> For a smart-ass response, see below....
>
> ----- Original Message -----
> >From: <detmar.liesen@lds.nrw.de>
> >To: <focus-ids@securityfocus.com>
> >Sent: Monday, November 11, 2002 11:40 PM
> >Subject: AW: Changes in IDS Companies?
>
>
> <snip>
> >I don't have enough practical experience to tell if the
> following idea is
> good,
> >but I suggest using a GIDS as a protecting device with just the most
> important
> >signatures that are knownt to reliably detect/block those
> attacks we fear
> most:
> >-worms
> >-trojans/backdoors
> >-well-known exploits
>
> I hate to state the obvious, but if we know enough about
> these threats to
> write a signature to detect them, then we know enough to
> re-configure our
> systems to be immune to them. Having a GIDS protect against
> such things
> just leads to a false sense of security.
>

Relevant Pages

  • Re: [patch] lockf(3) user-exploitable kernel panic
    ... I know my patch fails ... that libutil tries to provide this interface. ... The reason I asked was because I don't have access to many boxes of ... different architectures or operating systems. ...
    (freebsd-arch)
  • Re: PATCH/RFC: [kdump] fix APIC shutdown sequence
    ... this is correct behavior and it is just specific to level ... Even if my patch in the form in which I submitted it is unusable, ... Or is there any specific reason why the current code does it vice-versa? ... PRIMERGY System Software Engineer ...
    (Linux-Kernel)
  • Re: Why are so many built-in types inheritable?
    ... reason why FunctionType is not subclassable is that nobody bothered to ... why is there a need for such a patch? ... The reason why it doesn't work then seems to boil down to the ... I know about practicality beating purity, ...
    (comp.lang.python)
  • Re: [PATCH 0/4] add task handling notifier
    ... For some reason neither ever made a lot of progess (performance ... it adds runtime overhead purely for the convenience of kernel ... While I (obviously, since I submitted the patch disagree), ...
    (Linux-Kernel)
  • Re: EGNOS working at last!
    ... EGNOS satellites, so it may be worth you checking their site to see if ... there's a patch for your model. ... The reason it's so difficult and unreliable right now is that it isn't fully ... it seems a lot of money to spend on whizz-bang ...
    (uk.rec.walking)