RE: Alarm response strategies
From: Frank Knobbe (frank_at_knobbe.us)
Date: 07/27/04
- Previous message: Joshua Berry: "RE: Alarm response strategies"
- In reply to: Rob Shein: "RE: Alarm response strategies"
- Next in thread: Rob Shein: "RE: Alarm response strategies"
- Reply: Rob Shein: "RE: Alarm response strategies"
To: Rob Shein <shoten@starpower.net>
Date: Mon, 26 Jul 2004 17:51:29 -0500
On Sun, 2004-07-25 at 20:35, Rob Shein wrote:
> Given the fact that IDS are prone to false alarms (and easy to make trigger
> with spoofed traffic), it's the general consensus that active responses are
> a bad idea. For example, if I were to start scanning your network, and find
> myself suddenly blocked at the router or firewall, I would then spoof tons
> of UDP traffic from DNS servers that I believed you might use. Your
> firewall would then block traffic from them, and bingo, I've just shut down
> your ability to resolve things.
How does the inline-type IDS differ then? Or are you under the
impression that your spoofed traffic gets blocked both ways? Why
shouldn't a system be able to block unsolicited inbound packets, but let
traffic initiated from the inside out through without blocking it?
(Oh wait... that's a normal stateful firewall then, right?)
My point is, you can have reactive systems. They just have to be
implemented in a smart fashion so that silly "default attack scenarios"
don't create the DoS of the older-day reactive systems.
Once you have a smart reactive system, it will behave like the inline
IPS, except that it is reactive (it doesn't block the first packet). But the
advantage is that you can react from more than one traffic monitoring
point. With inline devices you are limited to that one choke point.
Reactive devices can be triggered by sensors from all over your network.
That should be the main differentiator between those systems, not the
intelligence (or lack thereof) behind it.
Regards,
Frank
- application/pgp-signature attachment: This is a digitally signed message part
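The exchange above contrasts a naive reactive blocker (block every packet from a source some sensor flagged) with a "smart" one that only drops unsolicited inbound packets and still lets replies to inside-initiated flows through. The following is an added simulation, not code from either poster: it plays Rob's spoofed-DNS scenario against both designs, using constructed addresses (10.0.0.0/24 as the inside, 198.51.100.53 as the resolver, 203.0.113.7 as the scanner) and a hypothetical 5-tuple flow table standing in for a stateful firewall's connection tracking. Sensor names are also made up, to show several monitoring points feeding one block table as Frank describes.

```python
"""Simulated reactive blocking: naive source-IP block vs. state-aware block.

Added example (not from the original thread). All addresses, sensor names
and the flow-table design are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE_PREFIX = "10.0.0."          # constructed: the protected network
RESOLVER = "198.51.100.53"         # constructed: an upstream DNS server we rely on
ATTACKER = "203.0.113.7"           # constructed: the host doing the port scan

FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class NaiveBlocker:
    """'Older-day' reactive system: any sensor alert on a source IP blocks
    every packet from that IP, regardless of direction or state."""

    def __init__(self) -> None:
        self.alerts: Dict[str, Set[str]] = {}   # sensor -> flagged sources

    def alert(self, src: str, sensor: str) -> None:
        self.alerts.setdefault(sensor, set()).add(src)

    def blocked_sources(self) -> Set[str]:
        return set().union(*self.alerts.values()) if self.alerts else set()

    def allow(self, pkt: Packet) -> bool:
        return pkt.src not in self.blocked_sources()


class StatefulBlocker(NaiveBlocker):
    """'Smart' reactive system: alerts from any sensor still feed one block
    table, but the block only applies to unsolicited inbound packets. A reply
    matching a flow that was initiated from inside is allowed through."""

    def __init__(self) -> None:
        super().__init__()
        self.flows: Set[FlowKey] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # Outbound packet: record the flow so its reply can be matched.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.flows:
            return True          # solicited reply: never subject to the block
        return pkt.src not in self.blocked_sources()


def run_scenario(blocker: NaiveBlocker) -> Dict[str, bool]:
    """Rob's attack, step by step, against the given blocker."""
    # 1. Attacker scans; the DMZ sensor fires and the source gets blocked.
    blocker.alert(ATTACKER, sensor="dmz-sensor")
    scan_blocked = not blocker.allow(Packet(ATTACKER, 40000, "10.0.0.5", 22, "tcp"))

    # 2. Attacker spoofs junk UDP "from" our resolver; a core sensor fires on
    #    it, so the resolver's address lands in the same block table.
    blocker.alert(RESOLVER, sensor="core-sensor")

    # 3. An inside host sends a real DNS query and the resolver answers.
    blocker.allow(Packet("10.0.0.5", 51234, RESOLVER, 53, "udp"))
    reply_allowed = blocker.allow(Packet(RESOLVER, 53, "10.0.0.5", 51234, "udp"))

    # 4. More spoofed, unsolicited UDP using the resolver's address.
    unsolicited_allowed = blocker.allow(Packet(RESOLVER, 53, "10.0.0.9", 60000, "udp"))

    return {
        "scan_blocked": scan_blocked,
        "dns_reply_allowed": reply_allowed,
        "unsolicited_dns_allowed": unsolicited_allowed,
    }


if __name__ == "__main__":
    print("naive:   ", run_scenario(NaiveBlocker()))
    print("stateful:", run_scenario(StatefulBlocker()))
```

With the naive blocker the spoofed packets get the resolver's address blocked in both directions and the legitimate reply in step 3 is dropped, which is exactly the self-inflicted DNS outage Rob describes. The state-aware blocker drops the same unsolicited packets but still passes the reply, because it matches a flow the inside host opened. The simulation matches on the full 5-tuple only; a real deployment would also want the DNS transaction ID checked and critical infrastructure (resolvers, NTP, upstream routers) excluded from automatic blocking altogether, since any reactive design still has to assume the triggering traffic may be spoofed.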