Re: Network IDS

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 08/27/03

  • Next message: Frank Knobbe: "RE: Network IDS"
    Date: Wed, 27 Aug 2003 09:38:10 -0400
    To: Andreas Krennmair <netnews@synflood.at>
    
    

    Andreas Krennmair wrote:

    >
    >This analogy is flawed - network intrusion detection systems can't be
    >seen. That's the big difference to the light in the house or the
    >explosives.
    >
    >

    You misread my analogy - that was precisely my point:

    The "light/explosive" analogy was for local machine defense software or
    IPS. The fact that the IDS system isn't observed is what gives it its
    value.

    My analogy isn't flawed - you simply misread it.

    >How is your system protected when the exploit succeeds and is detected
    >by the NIDS? Your system is compromised. The only thing where NIDS could
    >be interesting is to record all attacks and to separate the known
    >exploits from the unknown ones. That is, IMHO, the only really useful
    >way NIDS could be used.
    >
    >
    >

    How is your system protected if you're compromised and have no detection
    system in place?

           -Barry


