Re: Usefulness of Network Intrusion Detection Systems

From: James Riden (j.riden_at_massey.ac.nz)
Date: 05/26/04

  • Next message: Ali Rajput: "Re: Hi, I want to study IPS"
    To: focus-ids@securityfocus.com
    Date: Wed, 26 May 2004 12:36:35 +1200
    
    

    Thomas <TheTom@UnixIsNot4Dummies.ORG> writes:

    > Network-based IDSs should be limited to attacks on the
    > network layer not the application layer.
    <snip>
    > Maybe people are just doing it for fun or to suffice the
    > marketing hype... I do not know.

    Yeah, we just do it for fun :p

    > Additionally companies do not care much about switches, routers
    > or web-servers. Sure they got bad PR if it is compromised or
    > turned off but there is no direct lost of money connected with it.

    Apart from n hours of my time investigating and fixing the problem,
    usually at overtime rates? Potential compromise of confidential data?
    The cost of having staff sitting around while critical servers are
    down?

    The IDS I run is an integral part of the detection and response to
    network threats. Of course I do as much as I can about prevention, but
    on a large network where everyone wants to be relatively free, you
    will have compromises and attempted attacks; especially from worms
    such as Blaster, Welchia, Sasser and Slammer.

    The IDS helped us avoid any network downtime due to Sasser and if the
    network is down, the cost of having staff sitting idle mounts up very
    quickly indeed.

    It does take a lot of work to manage, but IMHO it's a lot better than
    having no idea what's going on in your network.

    -- 
    James Riden / j.riden@massey.ac.nz / Systems Security Engineer
    GPG public key available at: http://www.massey.ac.nz/~jriden/
    This post does not necessarily represent the views of my employer.
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Ali Rajput: "Re: Hi, I want to study IPS"