Re: IDS is dead, etc

From: Scott Wimer (scottw_at_cylant.com)
Date: 08/08/03

    Date: Fri, 08 Aug 2003 11:15:25 -0700
    To: Bennett Todd <bet@rahul.net>

    Bennett,

    Here's the quote about perfectly implemented firewalls that I think is
    germane. Hopefully I'm not taking it out of context:
            "A perfectly implemented firewall allows no protocols
            through for which there are vulnerable implementations
            inside. That means it's impossible to implement a
            perfect firewall if you're going to allow Windows
            users to have internet access."

    I may very well be putting words in your mouth (for which I
    apologize) when I write about the silliness of expecting that any
    protocol will be implemented vulnerability free -- on any platform.

    Bennett Todd wrote:

    > I've heard of one device that I can believe can alert on a
    > heretofore totally unknown exploit. Not all of 'em, of course, but
    > some. That's Mazu Networks's enforcer/profiler gizmos. I myself
    > wouldn't call 'em an IDS, I think they're something different, much
    > more valuable, and their IDS functionality is the smallest part of
    > what they're good at. To my tastes, their host classification and
    > "what-if" modelling are the really hot capabilities. If they were as
    > affordable as an IDS, then I think they'd help bolster your claim,
    > but they really are something else and different.

    After a brief review of Mazu's Profiler and Enforcer docs, I'm
    curious how it handles attacks that come in via encrypted means.

    I'm not convinced that a NIDS can be more than a network management
    tool, with the caveat for things like floods of various types. From
    what I've seen, to detect and respond to all categories of exploits in
    a timely manner requires some sort of defense mechanism implemented at
    the host. This prejudice may come from the work we do on host based
    IPS systems though. But, it's the only way I've seen to reliably stop
    exploits whether they are previously known or not.

    Regards,
    scottwimer

    -- 
    Scott M. Wimer, CTO                      Cylant
    www.cylant.com                           121 Sweet Ave.
    v. (208) 883-4892                        Suite 123
    c. (208) 301-0370                        Moscow, ID 83843
    There is no Security without Control.