
RE: Policy Based IDS

From: Dave Killion <Dkillion(at)netscreen.com>
Date: Wed Jul 16 2003 - 12:44:05 EDT


[Full Disclosure: I work for NetScreen, which has an in-line IDS product.]

This is why 'In-Line IDS' or 'IDP' products are becoming popular. If it matches a particularly hostile sig, it's in the routing decision path, and chooses to merely bit bucket the malicious packet, and can do other cool things like reset either end of the connection without having to guess sequence numbers.

I know we're not the only product that does this, but I like ours. ;)

Firewall signaling is generally a bad idea - way too easy to step on your <ahem> self.

Dave Killion
Senior Security Engineer
NetScreen Security Group

-----Original Message-----
From: Stefano Zanero [mailto:stefano.zanero@ieee.org]
Sent: Tuesday, July 15, 2003 12:04 PM
To: focus-ids@securityfocus.com
Subject: Re: Policy Based IDS

> Cons
>
> 1) You can DoS yourself with logs and other traffic if you do not configure
> correctly.
> 2) Potential High False Positive readings.

You missed an important "con": often, a misuse detection system will just
tell you there's something wrong, and not actually tell you what it is. This
is a real problem if the administrator is not supposed to be a security guru.


Stefano
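An added illustration of the in-line point made in the reply above (example code written for this page, not NetScreen's or any product's code): a toy in-line filter that, because it sits in the forwarding path and sees every segment, can drop a signature hit and build RSTs for both ends from the sequence numbers it just observed instead of guessing them. The signatures and the sample segment are constructed.

```python
from dataclasses import dataclass, field
import re

# Minimal TCP segment model (constructed for this example).
@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes
    flags: set = field(default_factory=set)

# Toy payload signatures (constructed samples, not any product's rule set).
SIGNATURES = {
    "shell-metachar-in-uri": re.compile(rb"GET /[^ ]*[;|]"),
    "double-dot-traversal":  re.compile(rb"\.\./\.\./"),
}

def match_signature(seg):
    """Name of the first signature matching the payload, else None."""
    for name, rx in SIGNATURES.items():
        if rx.search(seg.payload):
            return name
    return None

def build_resets(seg):
    """RSTs for both ends, derived from the offending segment's own numbers.
    An in-line device already holds the exact seq/ack values it is forwarding;
    a passive sensor would have to guess them, which is the point made above."""
    # To the server, as if from the client: the server still expects seq,
    # because the offending segment was dropped and never advanced RCV.NXT.
    to_server = Segment(seg.src, seg.sport, seg.dst, seg.dport,
                        seq=seg.seq, ack=seg.ack, payload=b"", flags={"RST", "ACK"})
    # To the client, as if from the server: the client's ack number is the
    # server's next sequence number from the client's point of view.
    to_client = Segment(seg.dst, seg.dport, seg.src, seg.sport,
                        seq=seg.ack, ack=seg.seq + len(seg.payload),
                        payload=b"", flags={"RST", "ACK"})
    return to_server, to_client

def inline_decision(seg):
    """FORWARD the segment unchanged, or DROP it and return the two resets."""
    hit = match_signature(seg)
    if hit is None:
        return ("FORWARD", None, ())
    return ("DROP", hit, build_resets(seg))

# Constructed sample: a client request carrying a traversal string.
SAMPLE = Segment("10.0.0.5", 40001, "192.0.2.10", 80, seq=1000, ack=5000,
                 payload=b"GET /../../etc/passwd HTTP/1.0\r\n\r\n", flags={"PSH", "ACK"})
```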


Received on Wed Jul 16 21:25:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT
