
RE: Handling new vulnerabilities like WebDav - SUMMARY

From: Patrik Sternudd <patrik.sternudd(at)copper.se>
Date: Wed Mar 26 2003 - 04:54:24 EST


Harlan Carvey wrote:

> "preventative IDS" is almost a contradiction in terms.
> Something that detects does not necessarily protect.

I agree with the contradiction in terms part :)

I suspect that by preventative/proactive IDS, people usually mean the capability to configure router access lists, (or change the firewall rule base if the IDS engine is integrated in the firewall), terminate TCP sessions by forging RST packets, and other fancy stuff the coders invent.

This is of course dangerous stuff to play with. I once saw a firewall that automatically blocked the source address whenever detecting a port scan. Considering it did this for UDP also, the potential for a DoS attack was pretty high (DNS servers come to mind; or why not remove a couple of websites?). I for one would not like to explain to management why the very expensive _security product_ in fact managed to block all access to the all-important order system (a theoretical example, of course). Might be a good way to get rid of most of the security budget, too. ;)

These kinds of things should be deployed with care, and only by people who are aware of the risks. But I hardly need to say that on this kind of list...

Finally, I do not trust IDSes to protect me. They are not foolproof. How long did it not take the vendors to start handling fragmented packets in a safe way? No matter how many cool defensive systems you have, sooner or later an unpatched system will cause problems (and if the administrator feels he can patch it at "leisure", the patch will be applied [too] late. I seldom hear of system admins with a lot of spare time on their hands).

Note, I am not saying that IDSes should not be used. They should be an integrated part of the overall defense. As a warning system, they are great. But as the saying in information security goes, "there is no silver bullet".


Kind regards,

Patrik Sternudd

Received on Wed Mar 26 12:44:07 2003
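The auto-blocking failure mode described in the post above, modelled as an added example (not part of the original message): a toy active-response engine where a naive policy that blocks any source seen port-scanning, UDP included, can be fed forged UDP probes carrying the DNS resolver's address and so blocks the resolver, while a hardened policy only acts on sources proven real by a completed TCP handshake and never auto-blocks hosts on an explicit protected list. All addresses, thresholds and events are constructed sample data.

```python
"""Toy model of an IDS/firewall active-response policy.

Naive policy: block any source probing many ports, regardless of protocol.
Hardened policy: count only probes whose source is verified (completed TCP
handshake), treat spoofable UDP traffic as alert-only, and never block
addresses on the protected list. Constructed sample data throughout.
"""

# Constructed sample addresses (RFC 5737 documentation ranges).
DNS_RESOLVER = "192.0.2.53"
SCANNER = "203.0.113.7"
PROTECTED = {DNS_RESOLVER}        # hosts the business cannot afford to block
SCAN_THRESHOLD = 5                # distinct ports probed before we call it a scan

# Constructed event log: (src, proto, dst_port, tcp_handshake_complete)
EVENTS = (
    # a real scanner doing full TCP connects: its source address is verified
    [(SCANNER, "tcp", p, True) for p in range(20, 30)]
    # forged UDP probes whose source field carries the DNS resolver's address
    + [(DNS_RESOLVER, "udp", p, False) for p in range(1000, 1010)]
)


def naive_policy(events):
    """Block any source seen probing >= SCAN_THRESHOLD distinct ports, any protocol."""
    ports = {}
    for src, _proto, port, _handshake in events:
        ports.setdefault(src, set()).add(port)
    return {src for src, ps in ports.items() if len(ps) >= SCAN_THRESHOLD}


def hardened_policy(events, protected=PROTECTED):
    """Block only sources proven real by a completed TCP handshake; unverified
    (UDP or half-open) probes are left for alerting; protected hosts are never
    blocked automatically."""
    ports = {}
    for src, proto, port, handshake in events:
        if proto != "tcp" or not handshake:
            continue                      # spoofable evidence: alert only, no block
        ports.setdefault(src, set()).add(port)
    return {src for src, ps in ports.items()
            if len(ps) >= SCAN_THRESHOLD and src not in protected}


if __name__ == "__main__":
    print("naive policy blocks:   ", sorted(naive_policy(EVENTS)))     # resolver included
    print("hardened policy blocks:", sorted(hardened_policy(EVENTS)))  # only the scanner
```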

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:18 EDT

