Re: IDS is dead, etc
From: Scott Wimer (scottw_at_cylant.com)
Date: 08/08/03
- Previous message: Bennett Todd: "Re: IDS is dead, etc"
- In reply to: Bennett Todd: "Re: IDS is dead, etc"
- Next in thread: Bennett Todd: "Re: IDS is dead, etc"
- Reply: Bennett Todd: "Re: IDS is dead, etc"
- Reply: Security Conscious: "RE: IDS is dead, etc"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 08 Aug 2003 11:15:25 -0700
To: Bennett Todd <bet@rahul.net>
Bennett,
Here's the quote about perfectly implemented firewalls that I think is
germane. Hopefully I'm not taking it out of context:
"A perfectly implemented firewall allows no protocols
through for which there are vulnerable implementations
inside. That means it's impossible to implement a
perfect firewall if you're going to allow Windows
users to have internet access."
I may very well be putting words in your mouth (for which I
apologize) when I write about the silliness of expecting that any
protocol will be implemented vulnerability-free -- on any platform.
Bennett Todd wrote:
> I've heard of one device that I can believe can alert on a
> heretofore totally unknown exploit. Not all of 'em, of course, but
> some. That's Mazu Networks's enforcer/profiler gizmos. I myself
> wouldn't call 'em an IDS, I think they're something different, much
> more valuable, and their IDS functionality is the smallest part of
> what they're good at. To my tastes, their host classification and
> "what-if" modelling are the really hot capabilities. If they were as
> affordable as an IDS, then I think they'd help bolster your claim,
> but they really are something else and different.
After a brief review of Mazu's Profiler and Enforcer docs, I'm
curious how it handles attacks that come in via encrypted means.
I'm not convinced that a NIDS can be more than a network management
tool, with the caveat for things like floods of various types. From
what I've seen, to detect and respond to all categories of exploits in
a timely manner requires some sort of defense mechanism implemented at
the host. This prejudice may come from the work we do on host-based
IPS systems, though. But it's the only way I've seen to reliably stop
exploits, whether they are previously known or not.
Regards,
scottwimer
--
Scott M. Wimer, CTO
Cylant                          www.cylant.com
121 Sweet Ave.                  v. (208) 883-4892
Suite 123                       c. (208) 301-0370
Moscow, ID 83843
There is no Security without Control.
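As an added illustration of the encrypted-traffic point raised above (example code written for this page, not from Scott Wimer, Cylant or Mazu): a constructed exploit-looking HTTP request, a pattern a signature-based NIDS might match on, and a stand-in stream cipher (an HMAC-SHA256 counter keystream, assumed here in place of a real TLS session) show why the same signature fires at the wire only when the session is cleartext, and fires again only at a host-side hook that sits after decryption. The key, nonce, payload and signature are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed exploit-looking request; the traversal-to-shell pattern below is
# the kind of byte signature a NIDS of the era would carry for it.
EXPLOIT_PAYLOAD = b"GET /cgi-bin/../../../../bin/sh HTTP/1.0\r\nHost: victim\r\n\r\n"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: victim\r\n\r\n"
SIGNATURE = re.compile(rb"/\.\./\.\./.*?/bin/sh")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter), concatenated.
    Stand-in for the record-layer cipher of an assumed TLS session, not a real one."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR stream cipher: decryption is the same operation with the same keystream.
decrypt = encrypt


def nids_inspect(wire_bytes: bytes) -> bool:
    """Network sensor: it only ever sees the bytes as they cross the wire."""
    return SIGNATURE.search(wire_bytes) is not None


def host_inspect(key: bytes, nonce: bytes, wire_bytes: bytes) -> bool:
    """Host-side hook placed after the session has been decrypted,
    i.e. where the application itself receives the request."""
    return SIGNATURE.search(decrypt(key, nonce, wire_bytes)) is not None


def demo(payload: bytes = EXPLOIT_PAYLOAD) -> dict:
    """Run the same signature at both inspection points for one request."""
    key = b"assumed-session-key"   # constructed; would be negotiated by TLS in practice
    nonce = b"nonce001"            # constructed
    wire_clear = payload
    wire_encrypted = encrypt(key, nonce, payload)
    return {
        "nids_on_cleartext": nids_inspect(wire_clear),
        "nids_on_ciphertext": nids_inspect(wire_encrypted),
        "host_after_decrypt": host_inspect(key, nonce, wire_encrypted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The network sensor's result flips from true to false the moment the session is encrypted, while the host-side hook is unaffected because it inspects what the application actually receives. The same placement argument applies to any content-based signature, which is the reason a sensor that only sees ciphertext is limited to volume and flow characteristics (the "floods" caveat above).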