Re: Intrusion Detection Systems

From: MaryAnne (maryanne2002@hotmail.com)
Date: 04/30/02


From: "MaryAnne" <maryanne2002@hotmail.com>
Date: Tue, 30 Apr 2002 00:40:47 GMT

Many thanks!

"Walter Roberson" <roberson@ibd.nrc.ca> wrote in message
news:aahtm3$e71$1@canopus.cc.umanitoba.ca...
> In article <3CC58FD4.5070507@videonetworks.com>,
> George B. Magklaras <g.magklaras@videonetworks.com> wrote:
> :After all, if you want to go down the cheap route due to budget
> :constraints (at your own risk!!!) you at least put SNORT in your
> :infrastructure. It costs nothing and it is certainly useful!
>
> I would argue with your final statement there. SNORT does not install
> itself, so at the very minimum it "costs" the installation labour.
> IDSs cannot read your mind about what are acceptable transactions and
> what are not, so SNORT also has configuration costs. The reviews I've
> read of IDS systems indicate that *every* IDS suffers from false
> positives and false negatives -- so use of SNORT has costs associated
> with investigating the false positives, and it has risk-costs
> associated with overtrusting it and so not noticing the packets it
> falsely declares acceptable.
>
>
> Is the IDS to protect against internal intrusions or against external
> intrusions? If against internal, then if you have a switched network,
> there can be non-trivial costs in arranging so that *all* the traffic
> is seen by the IDS. Switches will usually only span to a port, not to a
> VLAN, and in order to preserve the VLAN information properly [e.g., if
> one wants to watch out for attempts to hop VLANs], one might need one
> span port per VLAN. One then has to securely transport that
> information to the IDS, through a parallel infrastructure that is
> faster than the aggregate traffic rate through the valid switch ports
> [otherwise IDS-relevant data might get dropped when the ports are
> busy.] This is certainly not going to be free to configure, even if one
> happens to have had all the equipment donated.
>
> If the IDS is to protect against external intrusions, then essentially
> what it is monitoring for is A) the possibility that the firewall has
> been compromised; and B) the possibility that the firewall has been
> configured incorrectly. But firewalls get reconfigured as new needs
> develop and as old dataflows go out of service, and the IDS's notion of
> what is allowed and what is alarming has to be updated at the same time
> as the firewall {or else you are back in the false-negative/
> false-positive territory again.} That has definite labour costs. One
> must configure the IDS separately from the firewall: if one uses a
> common control file to generate the configurations for both, then any
> slip in the common control file would leave *both* systems open and you
> might as well not have the IDS then. Even if one has two distinct
> control files and the configuration structure works very differently
> between the firewall and the IDS, a mental lapse in determining what
> needs to be changed for one of the two can all too easily be carried
> over to the other. (People tend to make the same mistakes even when
> writing in different programming languages: misread something once and
> you might well misread it again the next time.)
>
>
> In summary: you might not have to pay the people who wrote
> SNORT for the right to use it, but it is far far from the truth
> that using SNORT "costs nothing" !!
>
> The important question when choosing *any* IDS is,
>
> Are the costs of deploying this IDS less than the costs
> of *not* deploying this IDS?
>
> Even when there are no license costs, one should think hard
> about what one wants out of the IDS, about the extent to which that
> particular IDS can deliver those goals, and about the amount of labour
> that one can afford in maintaining the IDS.
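The two labour costs Roberson describes above (an IDS policy that drifts away from the firewall ruleset it is supposed to shadow, and a span/mirror link that cannot carry the aggregate traffic of the ports it mirrors) can both be checked mechanically. The following is an added example and is not code from the thread or from any IDS project: the rule format (`proto dst_net port` lines), the sample rulesets and the link rates are all constructed for illustration, and the two files are kept separate, as the post recommends, so that a slip in one does not silently propagate to the other.

```python
"""Added example: audit an IDS 'acceptable traffic' policy against the
firewall ruleset it shadows, and check a SPAN link for oversubscription.
Rule syntax and sample data are constructed for illustration only; they
are not Snort syntax or any vendor's configuration format."""

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_net: str   # normalised CIDR string, e.g. "192.0.2.0/24"
    dport: int


def parse_rules(text):
    """Parse constructed 'proto dst_net port' lines into a set of Flows.
    Blank lines and '#' comments are ignored."""
    flows = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, net, port = line.split()
        flows.add(Flow(proto.lower(), str(ip_network(net)), int(port)))
    return flows


def audit_drift(firewall_allow, ids_expected):
    """Compare what the firewall permits with what the IDS treats as normal.

    ids_will_alarm_on: traffic the firewall allows but the IDS does not
        know about; every such flow is a false positive someone must
        investigate until the IDS policy is updated.
    stale_ids_entries: traffic the IDS still considers acceptable although
        the firewall no longer allows it; if the firewall is later
        misconfigured to pass it, the IDS stays silent (false negative).
    """
    return {
        "ids_will_alarm_on": sorted(firewall_allow - ids_expected, key=str),
        "stale_ids_entries": sorted(ids_expected - firewall_allow, key=str),
    }


def span_oversubscribed(port_rates_mbps, span_link_mbps):
    """True if the mirrored ports can jointly exceed the SPAN link rate,
    i.e. the IDS may silently lose packets when those ports are busy."""
    return sum(port_rates_mbps) > span_link_mbps


# Constructed sample data (TEST-NET-1 addresses, not real hosts).
FIREWALL_RULES = """
tcp 192.0.2.0/24  80
tcp 192.0.2.0/24  443
tcp 192.0.2.10/32 25
udp 192.0.2.53/32 53
tcp 192.0.2.20/32 8443   # new service opened on the firewall last week
"""

IDS_EXPECTED = """
tcp 192.0.2.0/24  80
tcp 192.0.2.0/24  443
tcp 192.0.2.10/32 25
udp 192.0.2.53/32 53
tcp 192.0.2.30/32 21     # FTP server decommissioned; IDS policy never updated
"""


def main():
    report = audit_drift(parse_rules(FIREWALL_RULES), parse_rules(IDS_EXPECTED))
    for flow in report["ids_will_alarm_on"]:
        print("IDS will alarm on legitimate traffic:", flow)
    for flow in report["stale_ids_entries"]:
        print("stale IDS entry (false-negative risk):", flow)
    # Three mirrored gigabit ports feeding one gigabit SPAN link.
    if span_oversubscribed([1000, 1000, 1000], 1000):
        print("SPAN link is oversubscribed; IDS may drop packets under load")


if __name__ == "__main__":
    main()
```

Run on the constructed data it flags the new 8443 service as a flow the IDS will alarm on and the decommissioned FTP entry as a stale IDS rule; the span check reports that three mirrored gigabit ports cannot be carried by a single gigabit SPAN link. In practice the two parsers would read the real firewall and IDS formats, but the comparison itself is what turns the "mental lapse carried over" problem into a diff that someone sees before the false positives or the silent gap do.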