Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: IDS is dead, etc

Re: IDS is dead, etc

From: Scott Wimer <scottw_at_cylant.com>
Date: Fri, 08 Aug 2003 09:37:24 -0700

The perfect firewall is a thick chunk of brie with cat-5 cables jammed
into it.

The assumption that human beings can design, write, and install
software without error is WRONG. Human beings make mistakes. There
is zero emperical evidence to support the idea that complex software
will ever be free of vulnerabilities. zip. nada. none. zilch.

Proposing that networks can be secured by not using vulnerability free
software is tantamount to proposing we pursue perpetual motion
machines to solve the environmental problems caused by petroleum use.

Unfortunately, this silly notion has been the mantra of the security
industry for so long, that people are starting to believe it. What a
shame.

Will somebody please point me to an error free human endeavor?

Joy,
scottwimer

Bennett Todd wrote:
[ SNIP ]
> Understandable. I really shouldn't have included that remark; or
> else I should have expanded on it. I didn't say "properly configured
> firewall", I said "really perfectly implemented firewall", and I
> meant something different by that, although I neglected to explain.
>
> A perfectly implemented firewall allows no protocols through for
> which there are vulnerable implementations inside. That means it's
> impossible to implement a perfect firewall if you're going to allow
> Windows users to have internet access. You can come moderately
> close, with a hideous amount of work, but you'll still be very
> exposed, and an IDS will be critical reinforcement of your flawed
> security.
>
> But given suitable systems configuration, it is possbile to have a
> perfect firewall, and if you do then an IDS is just an educational
> tool, and would probably be most useful in concert with a honeypot. 

-- 
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 301-0370                        Moscow, ID 83843
There is no Security without Control.
---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------
Received on Aug 11 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos