On 23/01/06 18:30 -0500, Paul D. Robertson wrote:
On Sun, 22 Jan 2006, Devdas Bhagat wrote:
Isn't auditing against a policy exactly what an IDS is supposed to do?
Not that I've ever seen. Everything I've seen says they look for
known-bad-stuff and produce alerts and false positives.
<chorus> BOO! </chorus>
It also verifies that your security policy has been implemented
correctly at the firewall(s).
As I said, in an ideal world, sure- however I've yet to see an IDS that
really and truly knows how to even express policy, let alone check against
it (unless your policy is "no bad stuff the IDS can find!") Heck, I've
yet to see real policy<->firewall rule mapping done in an effective way
without a human.
I suspect that my terminology has gotten disconnected from the marketing
driven real world again.
To me an IDS is not necessarily something that listens on the network
only. Stuff that looks at the integrity of files on hosts, stuff that
monitors and analyzes logs is part of the IDS too. The IDS is not a
simple, single application, but a set of applications which work
together to show the differences between operational and ideal
A NIDS, or a HIDS, is a part of the above, but is definitely not sufficient
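As an added illustration of the "operational versus ideal" comparison described in this message (example code written for this page, not something posted by either correspondent), the following script audits a firewall ruleset against a declared policy. The zone names, address ranges, policy entries and the iptables-save-style rules are all constructed for the example; the parser only understands the handful of options used in it (-s, -d, -p, --dport, -j). It reports ACCEPT rules that permit a flow the policy does not name, and policy entries that no rule implements, which is exactly the policy-to-rule mapping discussed above, done mechanically for the narrow case where policy zones map onto address ranges.

```python
"""Audit a firewall ruleset (operational state) against a written policy
(ideal state). Everything here is constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Policy zones and the address ranges they stand for (assumed values).
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "lan": ipaddress.ip_network("10.2.0.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Ideal state: flows the policy permits, as (src_zone, dst_zone, proto, dport).
POLICY = {
    ("any", "dmz", "tcp", 443),
    ("lan", "dmz", "tcp", 22),
    ("lan", "any", "udp", 53),
}

# Operational state: a constructed iptables-save fragment. The 3389 rule
# is deliberately not covered by the policy; the DNS entry has no rule.
RULES = """\
-A FORWARD -d 10.1.0.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -d 10.1.0.0/24 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -d 10.1.0.0/24 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j DROP
"""


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int
    target: str


_OPT = re.compile(r"(-s|-d|-p|--dport|-j)\s+(\S+)")


def parse_rules(text):
    """Parse FORWARD-chain rules; unspecified -s/-d default to 0.0.0.0/0."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A FORWARD"):
            continue
        opts = dict(_OPT.findall(line))
        rules.append(Rule(
            src=ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
            dst=ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
            proto=opts.get("-p", "all"),
            port=int(opts["--dport"]) if "--dport" in opts else 0,
            target=opts["-j"],
        ))
    return rules


def zone_of(net):
    """Name of the most specific policy zone that contains the network."""
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (
            best is None or zone.prefixlen > ZONES[best].prefixlen
        ):
            best = name
    return best


def audit(policy, rules):
    """Return flows permitted without policy backing, and policy entries
    that no ACCEPT rule implements."""
    implemented = set()
    unauthorized = []
    for r in rules:
        if r.target != "ACCEPT":
            continue
        flow = (zone_of(r.src), zone_of(r.dst), r.proto, r.port)
        if flow in policy:
            implemented.add(flow)
        else:
            unauthorized.append(flow)
    return {"unauthorized": unauthorized, "missing": sorted(policy - implemented)}


if __name__ == "__main__":
    result = audit(POLICY, parse_rules(RULES))
    for flow in result["unauthorized"]:
        print("rule permits flow not in policy:", flow)
    for flow in result["missing"]:
        print("policy entry with no implementing rule:", flow)
```

The check is only as good as the zone mapping: a rule whose source range straddles two zones, or a policy written in terms of hosts rather than networks, still needs the human judgement the thread talks about. Run against the constructed input it flags the 3389 rule as unauthorized and the lan-to-any DNS entry as missing.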