Re: Network IDS

From: Joel Snyder (Joel.Snyder_at_Opus1.COM)
Date: 08/26/03

    Date: Mon, 25 Aug 2003 21:44:49 -0700
    To: Zach Forsyth <Zach.Forsyth@kiandra.com>
    
    

    Zach Forsyth wrote:
    > How do we classify a NID that can automatically adjust firewall rules to
    > enable shunning etc?

    "too late."

    That technology is transitional. Large enterprises which have 1-week
    change control cycles after the Wednesday night meeting for all firewall
    changes are not really interested in having IDS products randomly
    introduce changes in their firewall configurations, especially during
    the middle of the day when load is high.

    If you want to do a good job, you go in-line.

    There is a fundamental difference between NIDS and NIPS. IPS (forgive
    me for not using the longer acronym) is a technology which can be built
    into a lot of different devices: switches, routers, firewalls, and
    IDSes. However, this doesn't change the fundamental need for and design
    requirements of an IDS, which are radically different from those of an
    IPS. They both have "intrusion" in their title, but from a network
    security analyst's point of view, have little in common.

    Of course, the folks who are writing IDS are ideally positioned to take
    that knowledge and build IPS systems, which is why you're going to see
    IDS vendors also doing a good job at building IPSes. But from the point
    of the view of the user, they are completely different and have
    completely different functions.

    jms

    > Cisco IDS devices spring to mind...
    >
    > Although technically correct, I think it is a bit petty to state that
    > IDS does not help to "protect" your network/systems.
    >
    > Cheers
    >
    > z
    >
    > -----Original Message-----
    > From: Steffen Kluge [mailto:kluge@fujitsu.com.au]
    > Sent: Friday, 22 August 2003 11:53 AM
    > To: focus-ids@securityfocus.com
    > Subject: Re: Network IDS
    >
    >
    > On Fri, 2003-08-22 at 00:42, Barry Fitzgerald wrote:
    >
    >>Andreas Krennmair wrote:
    >>
    >>>Then a NIDS is not the right thing for you. Network Intrusion
    >>>Detection is not about protecting systems.
    >>
    >>Now, the semantic argument that says that "NIDS is not about
    >>protecting systems" basically states that NIDS is about protecting
    >>networks. Factually, this is true - Host IDS is about protecting a
    >>*system* and NIDS is about detecting intrusions over the network. But
    >>never, ever, ever, ever forget that a network is composed of a group
    >>of systems.
    >
    > I believe Andreas' gripe was not with the word "systems" but with the
    > word "protect". A NIDS *detects* intrusions (or more generally, unusual
    > activity), but it cannot protect against them. It just informs you that
    > they're happening, nothing more, nothing less.
    >
    > Of course, that information can aid *you* in taking steps to mitigate
    > risks or eliminate threats before they become a problem. Most intrusions
    > don't happen like a lightning bolt out of a blue sky; they are usually
    > preceded by activity NIDS sensors can spot (vulnerability scanning,
    > random attacks against non-vulnerable systems, etc.). Thus, if your NIDS
    > spots the forebodings of intrusions it can give you the critical edge
    > for protecting those vulnerable systems in time.
    >
    > Mind you, hybrid automatic systems do exist, such as combinations of
    > NIDS detection engines and packet filters, but they wouldn't be
    > correctly termed "NIDS".
    >
    > Cheers
    > Steffen.
    >
    >
    >
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier
    > technical IT security event. Modeled after the famous Black Hat event in
    > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    > Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
    > ---------------------------------------------------------------------------
    >

    -- 
    Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
    Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
    jms@Opus1.COM    http://www.opus1.com/jms    Opus One
    
