IDS
mailing list archives
RE: SourceFire RNA
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 2 Dec 2003 11:44:30 -0500
I wouldn't say "reactive security practices don't work." There's absolutely
no way to cover all the bases in advance, and that's just how life is; you
have to have a reactive capability to be secure. Relying entirely on
reactive measures is a bad idea, but that's true of almost any aspect of
security. To rely solely on proactivity is also insufficient, but that
doesn't mean that being proactive is bad. The point here is for a system to
learn about a network without (1) making itself apparent on the network, and
(2) possibly disrupting the network with traffic that it generates. In very
large environments, it is theoretically possible that one machine may remain
quiet and be overlooked until it gets a hostile probe...but does that mean
that the added protection given to the other thousand hosts is now worth
nothing, just because Snort is reactive?
-----Original Message-----
From: Renaud Deraison [mailto:deraison () nessus org]
Sent: Tuesday, December 02, 2003 11:36 AM
To: Rob Shein
Cc: 'Lior Tal'; focus-ids () securityfocus com
Subject: Re: SourceFire RNA
On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
The answer to this is simple. All machines make some kind of noise on
the network, from an IDS-centric view. If the machine doesn't have
any interaction, ever, with anything, then it's not really important
from the IDS point of view, because it can't be breached WITHOUT
interaction. Even if the first traffic involving that machine is an
attack or scan, at that point the machine becomes at least as visible
to the IDS as it is to the attacker.
Waiting for an attack is not necessarily a good strategy
either - just think about all the worms that have been
plaguing our last summer vacations these last few years.
Reactive security practices simply don't work. If the host
does not interact with the rest of the network, that does not
make it more benign than any other one on the network - quite
the contrary actually, as it suggests that it never
downloaded any patch.
-- Renaud