AW: Recent anti-NIDS Gartner article

The Gartner article has a very narrow point of view. IMHO an IDS is more but a NIDS or IPS or whatever network-based IDS.

An IDS (I would say Distributed IDS) is a system of several sensors - network based and host based - and a central console that provides for good analysis and automagic correlation.

Why do folks only talk about network based IDS?

AND: A modern network-based IDS or IPS (e.g. Netscreen IDP) supports fine-granular policies and shall be deployed not just behind an internet-firewall but on the internal network as well.

Most people don't care about well designed infrastructures with various securiy-zones of different security and surveillance needs.

Like most articles, the gartner paper assumes that there be one big and mighty device that provides security for a whole network. This is rubbish.

The point is firewalls cannot see into encrypted packets. A host IDS does see the decrypted data, so there is no problem. Firewalls cannot do full-range Intrusion Analysis and IMHO they shall not anyway.

A firewall is your first line of defense and shall be as simple and slim as possible, so that misconfiguration due to high complexity is unlikely.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I hope that not too many executives believe that paper of gartner...

Greetings,
Detmar

-----Ursprungliche Nachricht-----
Von: Stephen Samuel [mailto:samuel@bcgreen.com] Gesendet: Dienstag, 17. Juni 2003 21:11
An: Mike Blomgren; focus-ids@securityfocus.com Betreff: Re: Recent anti-NIDS Gartner article

Mike Blomgren wrote:
> If IDS is the looser, and a firewall is the solution - then why do we
> have surveillance cameras when we would be better off with good locks on
> our doors?

To folow the analogy: cameras record things that locks can't stop. A camera/NIDS with humans paying good attention to it can recognize things like somebody breaking a window, loitering suspiciously, etc.

No matter how good your door locks may be, it still won't stop someone from bringing in a vehicle(tank) as a battering ram. or doing something as breaking a window to get access (had that happen to me twice!). Not to mention the use of a lockpick.

With a good recording system (with or without human intervention) they can sometimes provide infomation on the identity, methods and intentions of an intruder. This can be useful either for filing later charges or simply determining what needs to be fixed to prevent a recurrence.

Firewalls can prevent some of the more obvious attacks, but a well-tuned NIDS could also recognize things like suspicious outgoing connections and malicious web/ftp sites. Those are kinds of attacks that the firewall paradigm isn't really designed to handle well.

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   
http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek