Re: IDS is dead, etc
From: Jason Haar (Jason.Haar_at_trimble.co.nz)
Date: 08/12/03
- Previous message: Eric Knight: "Processing time and IDS traffic"
- In reply to: Scott Wimer: "Re: IDS is dead, etc"
- Next in thread: Frank Knobbe: "Re: IDS is dead, etc"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Aug 2003 13:17:50 +1200
To: focus-ids@securityfocus.com
On Fri, Aug 08, 2003 at 10:24:46AM -0700, Scott Wimer wrote:
> I really like your description of NIDS as AV scanners for the network.
> That's classic. Although, some will argue that the more behavioral
> oriented NIDS have moved past that point. *shrug*
Heh - as they say, "there's nothing new under the Sun". AV scanners have had
"behavioral" characteristics for years - some even run sandboxes in which to
partially run the suspected file to see what it does. All this falls under
"heuristics" technology.
> invaluable tool for network managers. But, a NIDS is not the security
> "solution" that they are marketed as.
>
They have their place - but you have to think outside the square. The best
use I have found for our IDS network is *not* on its 1,000+ alerts a day
that it generates, it's on the hand-written rules that basically say "here
are the network things our DMZ hosts are allowed to do, PAGE WHEN THEY DO
ANYTHING ELSE"...
Can you say "Zero False Positives"? [wow: IDS marketing Nirvana]
IDS's are good for showing senior management how "dangerous" the Internet is
- so that you can get more funding to buy more IDS systems - err,
wait-a-minute... ;-)
Actually there's another use. Having a visible IDS within your IT Team
allows you to show your network and server groups just _why_ they need to
install patches/stay up-to-date with training, etc. It can be hard for
Security staff to push better practices when all these groups feel is "more
work for me". I forever hear people saying "oh, no-one would be interested
in hacking *us*" - unfortunately it's all totally impersonal these days.
Everyone is a target.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
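The allow-list style of rule Jason describes above (enumerate what the DMZ hosts may do, page on anything else), as an added Python illustration that is not part of the original post; the DMZ range, host addresses, permitted services and the flow-log format are all constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

# Hypothetical DMZ range (RFC 5737 TEST-NET-3) and the only outbound flows its hosts may start.
DMZ = ip_network("203.0.113.0/24")
ALLOWED = [
    (ip_network("203.0.113.10/32"), "tcp", 25),   # mail relay: SMTP out
    (ip_network("203.0.113.10/32"), "udp", 53),   # mail relay: DNS lookups
    (ip_network("203.0.113.20/32"), "tcp", 443),  # web proxy: HTTPS fetches
    (ip_network("203.0.113.0/24"), "udp", 123),   # any DMZ host: NTP
]

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> -> <dst> <proto>/<dport>'."""
    ts, src, _, dst, svc = line.split()
    proto, dport = svc.split("/")
    return Flow(ts, src, dst, proto.lower(), int(dport))

def is_allowed(flow: Flow) -> bool:
    """True if some allow-list entry covers this source host, protocol and port."""
    src = ip_address(flow.src)
    return any(src in net and flow.proto == proto and flow.dport == dport
               for net, proto, dport in ALLOWED)

def policy_violations(lines: List[str]) -> List[Flow]:
    """Flows started by a DMZ host that match no allow-list entry: each one is a page."""
    flows = (parse_flow(l) for l in lines if l.strip())
    return [f for f in flows if ip_address(f.src) in DMZ and not is_allowed(f)]

# Constructed flow log (not real traffic); the last line is inbound, so it is not the DMZ policy's concern.
SAMPLE_LOG = """
2003-08-12T13:10:01 203.0.113.10 -> 198.51.100.5 tcp/25
2003-08-12T13:10:02 203.0.113.10 -> 198.51.100.53 udp/53
2003-08-12T13:10:03 203.0.113.20 -> 198.51.100.80 tcp/443
2003-08-12T13:10:04 203.0.113.30 -> 198.51.100.123 udp/123
2003-08-12T13:11:09 203.0.113.10 -> 198.51.100.66 tcp/6667
2003-08-12T13:12:15 203.0.113.20 -> 198.51.100.77 tcp/22
2003-08-12T13:12:16 192.0.2.9 -> 203.0.113.20 tcp/80
""".strip().splitlines()

if __name__ == "__main__":
    for v in policy_violations(SAMPLE_LOG):
        print(f"PAGE: {v.src} -> {v.dst} {v.proto}/{v.dport} at {v.ts} is not in DMZ policy")
```

Because the rule only fires on flows the policy never permitted, every alert is something to act on rather than one of the thousand-a-day signature hits.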