Re: IDS is dead, etc

From: Jason Haar (
Date: 08/12/03

  • Next message: Paul Schmehl: "Re: False positives, negatives and don't cares"
    Date: Tue, 12 Aug 2003 13:17:50 +1200

    On Fri, Aug 08, 2003 at 10:24:46AM -0700, Scott Wimer wrote:
    > I really like your description of NIDS as AV scanners for the network.
    > That's classic. Although, some will argue that the more behavioral
    > oriented NIDS have moved past that point. *shrug*

    Heh - as they say, "there's nothing new under the Sun". AV scanners have had
    "behavioral" characteristics for years - some even run sandboxes in which to
    partially run the suspected file to see what it does. All this falls under
    "heuristics" technology.

    > invaluable tool for network managers. But, a NIDS is not the security
    > "solution" that they are marketed as.

    They have their place - but you have to think outside the square. The best
    use I have found for our IDS network is *not* on its 1,000+ alerts a day
    that it generates, it's on the hand-written rules that basically say "here
    are the network things our DMZ hosts are allowed to do, PAGE WHEN THEY DO

    Can you say "Zero False Positives"? [wow: IDS marketing Nirvana]

    IDS's are good for showing senior management how "dangerous" the Internet is
    - so that you can get more funding to buy more IDS systems - err,
    wait-a-minute... ;-)

    Actually there's another use. Having a visible IDS within your IT Team
    allows you to show your network and server groups just _why_ they need to
    install patches/stay up-to-date with training, etc. It can be hard for
    Security staff to push better practices when all these groups feel is "more
    work for me". I forever hear people saying "oh, no-one would be interested
    in hacking *us*" - unfortunately it's all totally impersonal these days.

    Everyone is a target.

    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
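The "here is what our DMZ hosts are allowed to do, page when they do anything else" rule style described in the post above is an allow-list (positive) policy rather than a signature match. The following is an added illustration, not code from the post or from any IDS product: a small policy engine that reads constructed connection records, ignores anything not originated by a DMZ host, and reports every DMZ-originated connection that no rule permits. The subnet, the policy entries, the flow-record format and the sample records are all assumptions made up for the example.

```python
"""Allow-list ("positive policy") alerting over DMZ-originated connection records.

Added example. Everything below (subnet, policy, record format, sample data)
is constructed for illustration and is not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed DMZ subnet; only connections *originated* by these hosts are policed here.
DMZ = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Allow:
    """One permitted behaviour: src network -> dst network, protocol, dest port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]  # None means any destination port

    def matches(self, src_ip, dst_ip, proto: str, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and proto == self.proto
                and (self.dport is None or dport == self.dport))


# Constructed policy: the only things the DMZ hosts are allowed to initiate.
POLICY: List[Allow] = [
    Allow(DMZ, ipaddress.ip_network("10.0.0.53/32"), "udp", 53),    # internal resolver
    Allow(DMZ, ipaddress.ip_network("10.0.1.10/32"), "tcp", 3306),  # backend database
    Allow(DMZ, ipaddress.ip_network("10.0.0.25/32"), "tcp", 25),    # mail relay
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: <timestamp> <src> <dst> <proto> <dport>."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def violations(lines: Iterable[str], policy=POLICY, dmz=DMZ) -> List[Flow]:
    """Return every DMZ-originated connection that no Allow rule permits.

    Inbound connections (source outside the DMZ) are out of scope for this
    policy and are skipped rather than alerted on.
    """
    found = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.src not in dmz:
            continue
        if not any(rule.matches(flow.src, flow.dst, flow.proto, flow.dport)
                   for rule in policy):
            found.append(flow)
    return found


def format_alert(flow: Flow) -> str:
    """Render a violation as a one-line page/alert message."""
    return (f"PAGE {flow.ts}: DMZ host {flow.src} opened "
            f"{flow.proto}/{flow.dport} to {flow.dst} (not in allow-list)")


# Constructed sample records (timestamp src dst proto dport).
SAMPLE_FLOWS = """\
# permitted: DNS to the internal resolver
2003-08-12T13:17:50 192.0.2.10 10.0.0.53 udp 53
# permitted: database access
2003-08-12T13:17:51 192.0.2.10 10.0.1.10 tcp 3306
# not permitted: outbound IRC from a DMZ host
2003-08-12T13:17:52 192.0.2.11 198.51.100.7 tcp 6667
# not permitted: SMB to an internal host
2003-08-12T13:17:53 192.0.2.10 10.0.0.5 tcp 445
# inbound web traffic to the DMZ: outside this policy's scope, ignored
2003-08-12T13:17:54 203.0.113.9 192.0.2.10 tcp 80
"""

if __name__ == "__main__":
    for bad in violations(SAMPLE_FLOWS.splitlines()):
        print(format_alert(bad))
```

Because the policy enumerates permitted behaviour instead of known-bad patterns, a hit is by definition something the DMZ host was never supposed to do, which is what makes this style of rule pageable with so few false positives; the cost is that the allow-list has to be kept in step with every legitimate change to what those hosts do.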
