RE: Network IDS

From: Zach Forsyth (Zach.Forsyth_at_kiandra.com)
Date: 08/26/03

    To: "Steffen Kluge" <kluge@fujitsu.com.au>, <focus-ids@securityfocus.com>
    Date: Tue, 26 Aug 2003 10:23:03 +1000
    
    

    How do we classify a NID that can automatically adjust firewall rules to
    enable shunning etc?
    Cisco IDS devices spring to mind...

    Although technically correct, I think it is a bit petty to state that
    IDS does not help to "protect" your network/systems.

    Cheers

    z

    -----Original Message-----
    From: Steffen Kluge [mailto:kluge@fujitsu.com.au]
    Sent: Friday, 22 August 2003 11:53 AM
    To: focus-ids@securityfocus.com
    Subject: Re: Network IDS

    On Fri, 2003-08-22 at 00:42, Barry Fitzgerald wrote:
    > Andreas Krennmair wrote:
    > >Then a NIDS is not the right thing for you. Network Intrusion
    > >Detection is not about protecting systems.
    >
    > Now, the semantic argument that says that "NIDS is not about
    > protecting systems" basically states that NIDS is about protecting
    > networks. Factually, this is true - Host IDS is about protecting a
    > *system* and NIDS is about detecting intrusions over the network.
    > But never, ever, ever, ever forget that a network is composed of a
    > group of systems.

    I believe Andreas' gripe was not with the word "systems" but with the
    word "protect". A NIDS *detects* intrusions (or more generally, unusual
    activity), but it cannot protect against them. It just informs you that
    they're happening, nothing more, nothing less.

    Of course, that information can aid *you* in taking steps to mitigate
    risks or eliminate threats before they become a problem. Most intrusions
    don't happen like a lightning bolt out of blue sky, they are usually
    preceded by activity NIDS sensors can spot (vulnerability scanning,
    random attacks against non-vulnerable systems, etc). Thus, if your NIDS
    spots the forebodings of intrusions it can give you the critical edge
    for protecting those vulnerable systems in time.

    Mind you, hybrid automatic systems do exist, such as combinations of
    NIDS detection engines and packet filters, but they wouldn't be
    correctly termed "NIDS".

    Cheers
    Steffen.
