
Re: IDS is dead, etc

From: Sebastian Schneider <ses(at)straightliners.de>
Date: Thu Aug 07 2003 - 18:08:28 EDT

Regarding the philosophical issue brought up by Paul Schmehl, I guess for sure NIDS sensors might be quite useful if located at strategic points, as Thomas Arsenault points out.

However, properly planned and implemented NIDS sensors are not just helpful for analyzing inbound traffic; they can also be a good indicator for checking security policies and violations of them.

So the issue actually is which NIDS sensor, placed where, should scan for what. I mean, NIDSs within the internal network should be adapted to the environmental needs to minimize false positives/negatives.

Still, sensors placed at strategic points might be helpful for analyzing still-unknown threats. A properly installed intrusion detection system is able to log threats, though they are not public yet, by examining the traffic.

If you're being attacked, it helps you even realize that you've been attacked. Usually firewall logs as is won't help you that much. Usually you just don't know if someone has been trying to use a vulnerability against your server software to gain unprivileged access.

Another point is that programs like DeepSight do data mining and evaluation to keep track of what's happening world-wide regarding security issues. This is really helpful for security engineers/vendors to develop signatures and counter-measures to stop new threats.

A NIDS placed in front of a firewall could be quite useful, not just to identify and track attacks. Taking counter-measures proactively (like blocking) is a big deal. So why should attacks for known vulnerabilities enter your "secured" network? And which security engineer is going to be like "hey, when there is a vulnerability I will know, since servers will break down or whatever"?



Sebastian Schneider
straightLiners IT Consulting & Services
ses@straighliners.de
Do you need help?

On Thursday 07 August 2003 21:00, Tom Arseneault wrote:
> My point was "In a perfect world with unlimited resources" monitoring for
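The post argues that sensor placement decides what a sensor should look for: a perimeter sensor matching known-attack signatures on inbound traffic, an internal sensor checking local policy instead, so that each is tuned to its segment and produces fewer false positives. The following Python sketch is an added example of that idea, not code from the thread or from any product mentioned in it. The flow-record format, the zone names, the network ranges, the policy rules and the signature string are all constructed assumptions.

```python
"""Toy two-placement NIDS evaluator (added example, not from the original thread).

Each flow record names the sensor zone that saw it. The perimeter sensor
runs payload signatures; the internal sensor runs policy rules for the
local segments and skips the signatures, which would only add noise there.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional

# Constructed sample flow records: "zone src dst dport proto payload_hint".
# Addresses come from documentation ranges; nothing here is a real capture.
SAMPLE_FLOWS = """\
perimeter 203.0.113.7 192.0.2.10 80 tcp GET /index.html
perimeter 203.0.113.7 192.0.2.10 80 tcp GET /cgi-bin/EXAMPLE-KNOWN-BAD-PATTERN
internal 10.1.20.15 10.1.50.5 3306 tcp -
internal 10.1.30.8 10.1.50.5 3306 tcp -
internal 10.1.20.16 198.51.100.9 25 tcp EHLO
internal 10.1.40.2 198.51.100.9 25 tcp EHLO
"""

# Perimeter-only signatures. The pattern is a constructed placeholder standing
# in for a vendor signature of a known, already-published attack string.
PERIMETER_SIGNATURES = {
    "EXAMPLE-KNOWN-BAD-PATTERN": "placeholder known-exploit signature",
}

# Internal policy: (destination port, allowed source networks, description).
# Assumed segment layout: 10.1.30.0/24 app servers, 10.1.40.0/24 mail relays.
INTERNAL_POLICY = [
    (3306, [ipaddress.ip_network("10.1.30.0/24")], "MySQL only from the app-server VLAN"),
    (25, [ipaddress.ip_network("10.1.40.0/24")], "outbound SMTP only from the mail relay"),
]


@dataclass
class Flow:
    zone: str        # sensor placement that recorded the flow
    src: object      # ipaddress address object
    dst: object
    dport: int
    proto: str
    payload: str     # short payload hint, "-" when none was captured


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow line; return None for malformed input."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    zone, src, dst, dport, proto = parts[:5]
    payload = parts[5] if len(parts) == 6 else "-"
    try:
        return Flow(zone, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto, payload)
    except ValueError:
        return None


def evaluate(flow: Flow) -> List[str]:
    """Apply the rule set that matches the sensor's placement."""
    alerts: List[str] = []
    if flow.zone == "perimeter":
        for pattern, desc in PERIMETER_SIGNATURES.items():
            if pattern in flow.payload:
                alerts.append(f"perimeter signature: {desc} from {flow.src}")
    elif flow.zone == "internal":
        for dport, allowed, desc in INTERNAL_POLICY:
            if flow.dport == dport and not any(flow.src in net for net in allowed):
                alerts.append(
                    f"internal policy violation: {desc}; {flow.src} -> {flow.dst}:{dport}")
    return alerts


def run(log_text: str) -> List[str]:
    """Evaluate every parseable flow line and collect the alerts."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            alerts.extend(evaluate(flow))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS):
        print(alert)
```

The split by zone is the point: the second perimeter line trips the signature, while the two internal lines from the workstation range trip policy rules that a perimeter sensor could not know about. Running the internal policy at the perimeter, or the payload signatures on the internal segment, would raise alerts that mean nothing in that position.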
Received on Thu Aug 7 17:37:49 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT