IDS
mailing list archives
Re: Cisco CTR
From: Eric Hacker <focus () erichacker com>
Date: Mon, 01 Dec 2003 21:17:06 -0500
Martin Roesch wrote:
This is an interesting point and worth debating I think. Accuracy is
a tricky thing in passive and active systems, on the one hand active
systems get to send whatever stimuli they want to elicit a response,
but when they're wrong about their interpretation of the results
they're 100% wrong and depending on the circumstances of the error
they may give you information that's 100% wrong with 100% confidence
(i.e. false positives/negatives).
Passive systems have more time to play with and therefore can
introduce the concept of variable confidence levels and integrating
data points over time ranges, but they are data driven and have to
wait for the hosts/services/protocols/etc to reveal themselves. In
the context of how accurate the two methods are, I think it'll be
interesting to see just how accurate passive systems can be versus the
false positive/negative rate of active methods.
There is no requirement that active VA systems produce a result based on
a single stimulus-response cycle. The fact that they do is a weakness in
product design and not in active probes in general.
I like what I'm hearing about passive VA tools and how they can
complement active VA. What I can't figure out is how I could get passive
sensors deployed anywhere near the entire environment. I have IDS
requirements for only a small part of the overall network and even a
relatively small section of the server farms. I have VA requirements
everywhere some idiot has access to a network jack.
Eric Hacker