Re: Network IDS
From: Andreas Krennmair (netnews_at_synflood.at)
Date: 08/26/03
- Previous message: Andreas Krennmair: "Re: Network IDS"
- In reply to: Barry Fitzgerald: "Re: Network IDS"
- Next in thread: Barry Fitzgerald: "Re: Network IDS"
- Reply: Barry Fitzgerald: "Re: Network IDS"
- Reply: Frank Knobbe: "Re: Network IDS"
To: focus-ids@securityfocus.com
Date: Tue, 26 Aug 2003 20:53:19 +0200

* Barry Fitzgerald <bkfsec@sdf.lonestar.org> [gmane.comp.security.ids]:
> I suppose that depends on how you define "protect". If you define
> "protection" as stopping the thief, then you're absolutely correct. If
> you define "protection" as alerting you when something happens, then an
> NIDS does protect your network. I see where you're going with this, but
> I don't think that the distinction is that simple to draw. If I have
> lights on my house to try to scare away a burglar, or - more
> appropriately - if my front door is wired with explosives (sort of like
> an IPS blowing a packet away :) ) and if the burglar then tries to break
> in, they should be blown to bits, right? Well, what if they get around
> the wiring of the bomb, having noticed that the bomb was there? (or
> assuming that it might be) Then, any non-related system that detects
> the break-in is assisting in protection of the assets, correct?

This analogy is flawed - network intrusion detection systems can't be
seen. That's the big difference to the light in the house or the
explosives.

> Being alerted is a part of protection. Again, I see your point on a
> semantic level, but refuse to accept that NIDS/HIDS have no part in
> protection of the infrastructure. Do they, alone, act to protect the
> infrastructure? No - but they play a part.

How is your system protected when the exploit succeeds and is detected
by the NIDS? Your system is compromised. The only thing where NIDS could
be interesting is to record all attacks and to separate the known
exploits from the unknown ones. That is, IMHO, the only really useful
way NIDS could be used.

Regards,
Andreas Krennmair