Re: Network IDS

From: Andreas Krennmair (netnews_at_synflood.at)
Date: 08/21/03

    To: focus-ids@securityfocus.com
    Date: Thu, 21 Aug 2003 16:53:49 +0200
    
    

    * Barry Fitzgerald <bkfsec@sdf.lonestar.org> [gmane.comp.security.ids]:
    > Andreas Krennmair wrote:
    >
    > > Then a NIDS is not the right thing for you. Network Intrusion Detection
    > > is not about protecting systems.
    >
    > I disagree. Yes, it would seem like something of a waste of resources
    > to protect a single server/system with an NIDS sensor. But, if that
    > particular system or group of systems is mission critical, then a NIDS
    > is precisely what you need. So, even in that situation, I can see
    > someone deploying a sensor to detect network traffic based attacks.

    It can _detect_ the traffic, but it does NOT protect your system! As
    soon as you detect an attack, it has already happened, and if it was
    successful, your system is compromised. So, use secure software, since
    you can't rely on your NIDS. Why have a NIDS that records all attacks
    against a machine, when the machine is compromised after one of the
    attacks?

    > So yes, NIDS is absolutely about protecting systems!

    You have to understand that detecting an attack does not protect your
    network/system against this attack, since a NIDS sensor is totally
    passive. And intrusion prevention systems are getting "funny" as soon as
    you encounter false positives.

    > For full system protection, he should be deploying a Host IDS on the
    > servers/systems he's defending... but an NIDS is a really good idea for
    > detecting attacks that happen over the line. What if someone
    > compromises the system and kills the HIDS and deletes the logs in the
    > middle of the night?

    Use sandboxing software, e.g. systrace. It works pretty well on a number
    of Unix-like operating systems.

    Regards,
    Andreas Krennmair
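
    As an illustration of the sandboxing suggestion above (added here; this is
    not part of the original post and not a policy shipped with systrace), a
    systrace policy that confines a hypothetical web server binary at
    /usr/local/sbin/httpd to the files and sockets it legitimately needs. The
    paths and ports are assumptions for the example; the point is that a
    compromised process is stopped from writing outside its log directory,
    spawning a shell, or opening outbound connections, rather than merely
    being observed doing so:

    ```text
    # Added example policy, not from the original post.
    # Paths, ports and the binary name are assumptions.
    Policy: /usr/local/sbin/httpd, Emulation: native
        # read-only access to configuration, content and shared libraries
        native-fsread: filename eq "/etc/httpd/httpd.conf" then permit
        native-fsread: filename match "/var/www/htdocs/*" then permit
        native-fsread: filename match "/usr/lib/*" then permit
        # the only place the server may write is its own log directory
        native-fswrite: filename match "/var/log/httpd/*" then permit
        native-fswrite: then deny[eperm]
        # accept clients on port 80 only; no outbound connections at all
        native-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit
        native-connect: then deny[eperm]
        # no child processes: a shell spawned by an exploit is refused
        native-execve: then deny[eperm]
    ```

    Unlike a passive sensor, a policy violation here is refused at the system
    call boundary, and systrace can be run with the policy in enforcing mode
    so that the denial itself is also logged, which gives the HIDS-style
    record without relying on the compromised process to keep its own logs.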


