RE: IDS is dead, etc

From: Security Conscious (mail_at_security-conscious.com)
Date: 08/11/03

  • Next message: Frank Knobbe: "Re: IDS is dead, etc"
    To: <focus-ids@securityfocus.com>
    Date: Mon, 11 Aug 2003 12:56:23 -0400
    
    

    Imho, a perfectly implemented firewall is one that optimally enforces
    the access control policy of the organization. Unfortunately many
    companies' access control policies require allowing insecure and/or
    potentially vulnerable protocols into the network for e-commerce, office
    productivity, etc. I don't see this changing anytime soon.

    How does this relate to IDS is Dead? When companies open themselves up
    to risk, they should audit what they cannot control (prevent). I look
    at IDS as an extension of the audit function and when the SEC stops
    requiring companies to audit their financial statements, I'll believe IT
    can stop auditing their networks and systems.

    Chris Petersen
    President/CTO
    Security Conscious, Inc.
    (703) 873-4739 (direct)
    (301) 523-1989 (mobile)
    chris@security-conscious.com
    www.security-conscious.com

    > -----Original Message-----
    > From: Scott Wimer [mailto:scottw@cylant.com]
    > Sent: Friday, August 08, 2003 2:15 PM
    > To: Bennett Todd
    > Cc: Barry Fitzgerald; Tom Arseneault; 'Mark Tinberg'; 'Paul
    > Schmehl'; focus-ids@securityfocus.com
    > Subject: Re: IDS is dead, etc
    >
    >
    > Bennet,
    >
    > Here's the quote about perfectly implemented firewalls that I think is
    > germane. Hopefully I'm not taking it out of context:
    > "A perfectly implemented firewall allows no protocols
    > through for which there are vulnerable implementations
    > inside. That means it's impossible to implement a
    > perfect firewall if you're going to allow Windows
    > users to have internet access."
    >
    > I may very well be putting words in your mouth (for which I
    > apologize) when I write about the silliness of expecting that any
    > protocol will be implemented vulnerability free -- on any platform.
    >
    > Bennett Todd wrote:
    >
    > > I've heard of one device that I can believe can alert on a heretofore
    > > totally unknown exploit. Not all of 'em, of course, but some. That's
    > > Mazu Networks's enforcer/profiler gizmos. I myself wouldn't call 'em
    > > an IDS, I think they're something different, much more valuable, and
    > > their IDS functionality is the smallest part of what they're good at.
    > > To my tastes, their host classification and "what-if" modelling are
    > > the really hot capabilities. If they were as affordable as an IDS,
    > > then I think they'd help bolster your claim, but they really are
    > > something else and different.
    >
    > After a brief review of Mazu's Profiler and Enforcer docs, I'm
    > curious how it handles attacks that come in via encrypted means.
    >
    > I'm not convinced that a NIDS can be more than a network management
    > tool, with the caveat for things like floods of various types. From
    > what I've seen, to detect and respond to all categories of exploits in
    > a timely manner requires some sort of defense mechanism implemented at
    > the host. This prejudice may come from the work we do on host based
    > IPS systems though. But, it's the only way I've seen to reliably stop
    > exploits whether they are previously known or not.
    >
    > Regards,
    > scottwimer
    > --
    > Scott M. Wimer, CTO Cylant
    > www.cylant.com
    > v. (208) 883-4892
    > c. (208) 301-0370
    > 121 Sweet Ave., Suite 123, Moscow, ID 83843
    > There is no Security without Control.
    >
    >

    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
    Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at: http://www.captusnetworks.com/ads/31.htm
    ---------------------------------------------------------------------------

