
Re: Changes in IDS Companies?

From: Gary Golomb <gee_two(at)yahoo.com>
Date: Tue Nov 12 2002 - 21:03:29 EST

For a smart-ass response, see below....

> -----Original Message-----

I hate to state the obvious, but patching and reconfiguring every system at the whim of the worm/exploit/vulnerability du jour in a multi-thousand node environment is not really THAT easy. Heck, I'd challenge the idea that it's even possible in the first place. In fact, let's not kid ourselves; this is not just a problem for multi-thousand node environments...

So on a good day, signature-based (or methodology-"X" based) IDSs give us the visibility into activity that we really don't have a better way to identify - that is, things that are not "good," "bad," "true," or "false"... It's visibility into things that are "suspicious."

Should that make anyone feel "secure?" I don't think so. I think "aware" is a better choice of words, but this isn't a discussion about semantics... It's the whole point of IDS that people seem to be forgetting, or like me just getting confused as hell by all the propaganda from the marketing machines of the security industry. The point of IDS is not to replace firewalls or integrate/morph into "application based proxy router 5 speed blenders." They sit out-of-band and just watch all the network activity they can, and in doing so you are afforded a luxury that no other security technology can provide (i.e., the ones that actually "secure" your network). They give you the flexibility to say "this *might* not be legitimate activity. If it is, that's ok because we're out-of-band and simply triggering an alert is not going to break anything. If it isn't, well, here is more information for dealing with the event." It's a passive tool used for automated log parsing and auditing existing protective security mechanisms because when you're out-of-band like that, you're allowed to take liberties those other in-line methods cannot - nothing more.

Can you integrate methodologies born from ID research into other products? Of course, which if I was paying attention correctly were the early points of this thread.

And are fully patched and perfectly configured networks a better solution? Sure. I think you were privy to situations recently where fully patched and up-to-date "secure" systems weren't immune to being remotely compromised because - specifically - of the "secure" encryption services running on them. Of course, in this case having a [signature-based (or methodology-"X" based)] IDS that could alert you to a "no job control" error on the wire in presumably encrypted traffic would have been decent. At least, it worked in the cases I saw, but it could just be perspective. IDS is what you make of it.



Received on Wed Nov 13 13:55:24 2002
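The kind of out-of-band check the post above describes (a plaintext shell banner such as "no job control" showing up on a port that should be carrying ciphertext), written out as an added example that is not part of the original message or any IDS product. The port set, the rule text, the "does this look like a TLS record" heuristic and the four captured packets are all assumptions constructed for the example; the sensor only emits alerts and never touches the traffic, which is the point of the passage.

```python
"""Passive, out-of-band signature check for cleartext on an 'encrypted' port.

Added example, not from the original post. Ports, rule text, heuristic and
sample packets are assumptions made up for illustration.
"""
import re
import string
from dataclasses import dataclass


@dataclass
class Packet:
    """One captured segment as a passive sensor sees it (constructed data)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Assumption: the only port on which we expect ciphertext is HTTPS.
ENCRYPTED_PORTS = {443}

# Content signature (assumed rule text, not a vendor signature): the message a
# Bourne-type shell prints when started without a controlling terminal. Seeing
# it in the clear on a TLS port is suspicious, not proof of compromise.
SIGNATURES = [
    ("shell-banner-on-encrypted-port", re.compile(rb"no job control")),
]

_PRINTABLE = frozenset(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; ciphertext sits well below 1.0."""
    return sum(b in _PRINTABLE for b in data) / len(data) if data else 0.0


def looks_like_tls_record(data: bytes) -> bool:
    """Heuristic: TLS record header = content type 20..23, then version 0x03 0x00..0x04."""
    return len(data) >= 3 and 20 <= data[0] <= 23 and data[1] == 3 and data[2] <= 4


def inspect(pkt: Packet) -> list:
    """Return alert dicts for one packet. Alerts only; nothing is dropped or altered."""
    alerts = []
    # Either endpoint may be the server side, so look at both ports.
    if not ({pkt.sport, pkt.dport} & ENCRYPTED_PORTS):
        return alerts
    common = {"src": pkt.src, "sport": pkt.sport, "dst": pkt.dst, "dport": pkt.dport}
    for name, pattern in SIGNATURES:
        m = pattern.search(pkt.payload)
        if m:
            alerts.append({"rule": name, "match": m.group(0).decode("ascii", "replace"), **common})
    # Broader, weaker check: readable text where a TLS record should be.
    ratio = printable_ratio(pkt.payload)
    if not looks_like_tls_record(pkt.payload) and ratio >= 0.9:
        alerts.append({"rule": "cleartext-on-encrypted-port", "printable_ratio": round(ratio, 2), **common})
    return alerts


def run(packets) -> list:
    """Inspect a capture and collect every alert in order."""
    return [alert for pkt in packets for alert in inspect(pkt)]


# Constructed sample capture: a real-looking TLS client hello, shell output
# leaking from a web server's TLS port, plain HTTP, and the same banner on telnet.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 41000, "10.0.0.80", 443,
           b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(range(0x80, 0xa0))),
    Packet("10.0.0.80", 443, "198.51.100.7", 33412,
           b"sh: no job control in this shell\nsh-2.05$ "),
    Packet("10.0.0.5", 41001, "10.0.0.80", 80,
           b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.5", 41002, "10.0.0.80", 23,
           b"sh: no job control in this shell\n"),
]


if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS):
        print(alert)
```

Only the second packet fires, and it fires twice: once on the literal signature and once on the generic "this is readable text, not a TLS record" check. The telnet packet carries the same string but is ignored because nobody expects ciphertext there, which is the difference between a signature and a signature in context.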

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT

