Re: IDS is dead, etc

From: Jason Haar <Jason.Haar(at)trimble.co.nz>
Date: Mon Aug 11 2003 - 21:17:50 EDT

On Fri, Aug 08, 2003 at 10:24:46AM -0700, Scott Wimer wrote:
> I really like your description of NIDS as AV scanners for the network.

Heh - as they say, "there's nothing new under the Sun". AV scanners have had "behavioral" characteristics for years - some even run sandboxes in which to partially run the suspected file to see what it does. All this falls under "heuristics" technology.

> invaluable tool for network managers. But, a NIDS is not the security

They have their place - but you have to think outside the square. The best use I have found for our IDS network is *not* on its 1,000+ alerts a day that it generates, it's on the hand-written rules that basically say "here are the network things our DMZ hosts are allowed to do, PAGE WHEN THEY DO ANYTHING ELSE"... Can you say "Zero False Positives"? [wow: IDS marketing Nirvana]

IDS's are good for showing senior management how "dangerous" the Internet is - so that you can get more funding to buy more IDS systems - err, wait-a-minute... ;-)

Actually there's another use. Having a visible IDS within your IT Team allows you to show your network and server groups just _why_ they need to install patches/stay up-to-date with training, etc. It can be hard for Security staff to push better practices when all these groups feel is "more work for me". I forever hear people saying "oh, no-one would be interested in hacking *us*" - unfortunately it's all totally impersonal these days.

Everyone is a target.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

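The allowlist-style rules described in the message above ("here is what our DMZ hosts are allowed to do, page when they do anything else"), as an added example that is not part of the original post or of any product it mentions. Everything here is constructed: the DMZ hosts live in the RFC 5737 documentation range 192.0.2.0/24, the policy is a made-up three-host DMZ (web server, mail relay, resolver), and the flow-record format is a hypothetical one-line-per-connection log in which the initiator is the source. The point is that the detection logic is the inverse of a signature: nothing is matched against attack patterns, a flow is alerted on simply because no rule permits it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed DMZ layout (RFC 5737 documentation addresses; not real hosts).
DMZ = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Allow:
    host: str        # the DMZ host this rule is about
    direction: str   # "in": peer connects to host; "out": host connects to peer
    proto: str       # "tcp" or "udp"
    port: int        # service port on the listening side
    peer: ipaddress.IPv4Network  # who the host may talk to / hear from


# The whole policy: anything a DMZ host does that is not listed here pages someone.
POLICY = [
    Allow("192.0.2.10", "in",  "tcp", 80,  ANY),                                   # public web server
    Allow("192.0.2.10", "in",  "tcp", 443, ANY),
    Allow("192.0.2.10", "out", "udp", 53,  ipaddress.ip_network("192.0.2.53/32")),  # only our resolver
    Allow("192.0.2.10", "out", "tcp", 25,  ipaddress.ip_network("192.0.2.20/32")),  # only our relay
    Allow("192.0.2.20", "in",  "tcp", 25,  ANY),                                   # mail relay / MX
    Allow("192.0.2.20", "out", "tcp", 25,  ANY),
    Allow("192.0.2.53", "in",  "udp", 53,  DMZ),                                   # resolver serves DMZ only
    Allow("192.0.2.53", "out", "udp", 53,  ANY),                                   # ...and recurses outward
]

# Hypothetical flow-record format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>".
# Assumption: src is the connection initiator (first packet / SYN), which is what
# makes the in/out distinction in the policy meaningful.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; None if the line is not in the expected format."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    return Flow(m["ts"], m["proto"],
                ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def allowed(host, direction: str, proto: str, port: int, peer) -> bool:
    """True if some policy rule permits this host/direction/proto/port/peer combination."""
    return any(r.host == str(host) and r.direction == direction and r.proto == proto
               and r.port == port and peer in r.peer
               for r in POLICY)


def violations(flow: Flow) -> List[str]:
    """One reason per DMZ host in the flow whose behaviour the policy does not permit.
    Flows touching no DMZ host are out of scope and produce no reasons."""
    reasons = []
    if flow.src in DMZ and not allowed(flow.src, "out", flow.proto, flow.dport, flow.dst):
        reasons.append(f"{flow.src} initiated {flow.proto}/{flow.dport} to {flow.dst}")
    if flow.dst in DMZ and not allowed(flow.dst, "in", flow.proto, flow.dport, flow.src):
        reasons.append(f"{flow.dst} accepted {flow.proto}/{flow.dport} from {flow.src}")
    return reasons


def audit(lines) -> List[Tuple[str, str]]:
    """Return (record, reason) pairs for every flow the policy does not explain."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            # A feed we cannot parse is itself a monitoring failure; never drop it silently.
            alerts.append((line, "unparseable flow record"))
            continue
        for reason in violations(flow):
            alerts.append((line, reason))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "2003-08-11 21:10:01 tcp 198.51.100.7:51234 -> 192.0.2.10:80",    # web hit: allowed
    "2003-08-11 21:10:02 udp 192.0.2.10:34567 -> 192.0.2.53:53",      # web -> our resolver: allowed
    "2003-08-11 21:10:03 udp 192.0.2.53:41000 -> 203.0.113.1:53",     # resolver recursing: allowed
    "2003-08-11 21:10:04 tcp 192.0.2.10:40010 -> 192.0.2.20:25",      # web -> our relay: allowed
    "2003-08-11 21:11:15 tcp 192.0.2.10:40011 -> 198.51.100.7:6667",  # web server opening IRC: alert
    "2003-08-11 21:12:40 tcp 203.0.113.9:4444 -> 192.0.2.20:22",      # Internet -> ssh on relay: alert
    "2003-08-11 21:13:00 tcp 203.0.113.9:1025 -> 203.0.113.10:80",    # no DMZ host involved: ignored
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"PAGE: {reason}  [{record}]")
```

Two practical notes. The "zero false positives" property holds only as long as the policy is complete: a legitimate but undocumented service will page someone, and the right response is to add the rule, not to tune the sensor, because an undocumented flow from a DMZ host is a policy violation whether or not it is hostile. And the in/out distinction depends on the sensor reliably recording which side initiated the connection; if the feed only gives you packets rather than sessions, stateful reconstruction has to happen before this logic is useful.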
Received on Mon Aug 11 21:40:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:17 EDT