Re: Network IDS
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 08/21/03
- Previous message: Terry Ziemniak: "RE: Network IDS"
- In reply to: Andreas Krennmair: "Re: Network IDS"
- Next in thread: Steffen Kluge: "Re: Network IDS"
- Reply: Steffen Kluge: "Re: Network IDS"
- Reply: Sam f. Stover: "Re: Network IDS"
- Reply: Andreas Krennmair: "Re: Network IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 21 Aug 2003 10:42:51 -0400
To: Andreas Krennmair <netnews@synflood.at>
Comments inline:
Andreas Krennmair wrote:
>Then a NIDS is not the right thing for you. Network Intrusion Detection
>is not about protecting systems.
I disagree. Yes, it would seem like something of a waste of resources
to protect a single server/system with an NIDS sensor. But, if that
particular system or group of systems is mission critical, then a NIDS
is precisely what you need. So, even in that situation, I can see
someone deploying a sensor to detect network traffic based attacks.
Now, the semantic argument that says that "NIDS is not about protecting
systems" basically states that NIDS is about protecting networks.
Factually, this is true - Host IDS is about protecting a *system* and
NIDS is about detecting intrusions over the network. But never, ever,
ever, ever forget that a network is composed of a group of systems.
I don't protect my network because I care about the condition of my cat5
cables or my switches (although, clearly, I do), I protect my network
with NIDS sensors because I care about the systems on the other side of
those cables.
So yes, NIDS is absolutely about protecting systems!
>Put the servers into a demilitarized zone and turn off any network
>services that are running on the workstations/thin clients.
That's not even nearly enough protection.
For full system protection, he should be deploying a Host IDS on the
servers/systems he's defending... but an NIDS is a really good idea for
detecting attacks that happen over the line. What if someone
compromises the system and kills the HIDS and deletes the logs in the
middle of the night?
Just placing the machine in the demilitarized zone and shutting down
unneeded services is probably what he's already doing. Even just
placing an HIDS on the system isn't enough for truly mission critical
systems.
-Barry
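The scenario Barry raises, an intruder killing the HIDS and wiping the local logs, is exactly why detection has to have an out-of-band leg. The following is an added example, not code from the mailing-list thread or from any product mentioned in it. It assumes a hypothetical setup in which every monitored host's HIDS forwards its events and a periodic heartbeat to a collector running on a separate machine (the NIDS sensor box or a dedicated log host). The collector keeps its own copy of everything, so a local wipe does not destroy the evidence, and a heartbeat stream that goes quiet is itself an alert. The log line format, host names and timestamps are constructed for the example.

```python
"""Out-of-band "sensor went silent" detector (added example, hypothetical setup).

Assumed deployment: each host's HIDS sends one heartbeat record every
HEARTBEAT_INTERVAL plus any events it raises, to a collector on a DIFFERENT
machine. If an attacker kills the HIDS and deletes the local logs, the
collector's copies survive and the heartbeat stream stops; both facts are
visible from the collector side without trusting the compromised host.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(minutes=5)
MISSED_BEATS_BEFORE_ALERT = 2   # tolerate one late beat before alerting


@dataclass
class Record:
    ts: datetime
    host: str
    kind: str   # "heartbeat" or "event"
    msg: str


def parse_record(line: str) -> Record:
    """Parse one collector line: '<iso-ts> <host> <kind> <message>' (constructed format)."""
    ts, host, kind, msg = line.split(" ", 3)
    return Record(datetime.fromisoformat(ts), host, kind, msg)


def find_silent_hosts(lines, now):
    """Return {host: last_heartbeat} for hosts whose heartbeat stream has stopped."""
    last_seen = {}
    for line in lines:
        rec = parse_record(line)
        if rec.kind == "heartbeat":
            prev = last_seen.get(rec.host, rec.ts)
            last_seen[rec.host] = max(prev, rec.ts)
    deadline = HEARTBEAT_INTERVAL * MISSED_BEATS_BEFORE_ALERT
    return {h: t for h, t in last_seen.items() if now - t > deadline}


def retained_events(lines, host):
    """Event messages from `host` that survive on the collector even if the host's logs are wiped."""
    return [r.msg for r in map(parse_record, lines)
            if r.host == host and r.kind == "event"]


def report(lines, now):
    """Human-readable alerts: one line per silent host, with the retained evidence count."""
    out = []
    for host, last in sorted(find_silent_hosts(lines, now).items()):
        n = len(retained_events(lines, host))
        out.append(f"ALERT {host}: no heartbeat since {last.isoformat()} "
                   f"({n} event(s) retained on collector)")
    return out


# Constructed sample: web01 keeps beating; db01 raises an integrity event at
# 02:13, beats once more at 02:15, then goes quiet (HIDS killed).
SAMPLE_LINES = [
    "2003-08-21T02:00:00 web01 heartbeat ok",
    "2003-08-21T02:00:00 db01 heartbeat ok",
    "2003-08-21T02:05:00 web01 heartbeat ok",
    "2003-08-21T02:05:00 db01 heartbeat ok",
    "2003-08-21T02:10:00 web01 heartbeat ok",
    "2003-08-21T02:10:00 db01 heartbeat ok",
    "2003-08-21T02:13:12 db01 event integrity: /usr/sbin/sshd checksum changed",
    "2003-08-21T02:15:00 web01 heartbeat ok",
    "2003-08-21T02:15:00 db01 heartbeat ok",
    "2003-08-21T02:20:00 web01 heartbeat ok",
    "2003-08-21T02:25:00 web01 heartbeat ok",
    "2003-08-21T02:30:00 web01 heartbeat ok",
    "2003-08-21T02:35:00 web01 heartbeat ok",
    "2003-08-21T02:40:00 web01 heartbeat ok",
]
NOW = datetime(2003, 8, 21, 2, 40, 30)

if __name__ == "__main__":
    for line in report(SAMPLE_LINES, NOW):
        print(line)
```

The point of the design is that nothing here runs on the host being defended: the collector trusts only what already reached it, and silence is treated as a signal rather than as "nothing to report". On real deployments the heartbeat interval and the number of tolerated misses are tuned against the host's normal jitter so that a busy box does not page someone at 3 a.m.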