IDS
mailing list archives
Re: SourceFire RNA
From: Jason <security () brvenik com>
Date: Tue, 02 Dec 2003 17:58:58 -0500
Renaud Deraison wrote:
> On Tue, Dec 02, 2003 at 05:27:57PM -0500, Jason wrote:
> > The concern is that an inactive host is a greater threat to your network
> > and the implication is that an active probe will flush these out.
> > This is simply not true. For a host to be truly
> > inactive it would have to not ARP, never broadcast,
>
> This assumes that your passive scanner is sitting on the same physical subnet
> as the hosts you are monitoring. If you are a large organization, I
> really doubt you can deploy such scanners easily, as it would be both
> very costly and may raise political issues.

It does assume that there is visibility of the segment. I think that
getting visibility of the segment for any org truly concerned about
potentially muted hosts will go this way or accept that without local
visibility the potential problem cannot be overcome.

> > and never respond to
> > a probe...
>
> Where does the probe come from? If there is a no-scan policy, what will
> make the remote host generate any traffic towards you?

A probe could be a blind attempt to compromise, an administrative
function, an active scan, or countless other things. Getting the best
visibility of traffic if it is determined that local segment access is
not possible needs to be determined by isolating services that every
system needs to achieve productivity such as DHCP, DNS, key routers,
printers, mail...

There is the best way and then there are other ways. Few will take the
best way; most will compromise. In every case threat management will be
directly relative to the approach taken and the thought put into
identification of key resources.

> -- Renaud
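The trade-off argued above (a sensor on the local segment sees ARP and other broadcast traffic; a sensor placed at shared services such as DHCP and DNS only sees hosts that use those services) can be made concrete with a small passive inventory. The following is an added example written for this archive page, not code from either poster or from any product discussed; the traffic records are constructed sample data, and the vantage-point names and helper functions are hypothetical.

```python
from collections import defaultdict

# Constructed sample of passively observed traffic, one tuple per observation:
# (vantage point where the sensor saw it, protocol, source MAC, source IP).
OBSERVED = [
    ("local-segment", "ARP",  "00:11:22:33:44:01", "10.0.1.11"),
    ("local-segment", "ARP",  "00:11:22:33:44:02", "10.0.1.12"),
    ("local-segment", "NBNS", "00:11:22:33:44:02", "10.0.1.12"),
    ("dhcp-server",   "DHCP", "00:11:22:33:44:03", "10.0.1.13"),
    ("dns-server",    "DNS",  "00:11:22:33:44:03", "10.0.1.13"),
    ("dns-server",    "DNS",  "00:11:22:33:44:04", "10.0.1.14"),
    ("local-segment", "ARP",  "00:11:22:33:44:04", "10.0.1.14"),
]

# Broadcast/link-local protocols that never cross a router, so an off-segment
# sensor at the shared services cannot observe them.
LOCAL_ONLY = {"ARP", "NBNS"}


def build_inventory(records):
    """Fold observations into a per-MAC inventory of IPs, protocols and vantage points."""
    inventory = defaultdict(lambda: {"ip": None, "protocols": set(), "vantage": set()})
    for vantage, proto, mac, ip in records:
        host = inventory[mac]
        host["ip"] = ip
        host["protocols"].add(proto)
        host["vantage"].add(vantage)
    return dict(inventory)


def visible_from(inventory, vantage_points):
    """MACs seen by at least one sensor at the given vantage points."""
    wanted = set(vantage_points)
    return sorted(mac for mac, host in inventory.items() if host["vantage"] & wanted)


def missed_from(inventory, vantage_points):
    """MACs that exist in the full inventory but no sensor at the given
    vantage points ever saw: the blind spot of that deployment choice."""
    seen = set(visible_from(inventory, vantage_points))
    return sorted(mac for mac in inventory if mac not in seen)


def local_only_hosts(inventory):
    """Hosts whose only traffic is segment-local broadcast. These are exactly
    the 'quiet' hosts the thread worries about: they never touch DHCP or DNS,
    so only a sensor on their own segment can discover them passively."""
    return sorted(mac for mac, host in inventory.items()
                  if host["protocols"] and host["protocols"] <= LOCAL_ONLY)


if __name__ == "__main__":
    inv = build_inventory(OBSERVED)
    print("all hosts:        ", sorted(inv))
    print("seen at services: ", visible_from(inv, ["dhcp-server", "dns-server"]))
    print("missed at services:", missed_from(inv, ["dhcp-server", "dns-server"]))
    print("local-only hosts: ", local_only_hosts(inv))
```

Running it shows that a sensor deployed only at the DHCP and DNS servers inventories two of the four hosts, and that the two it misses are precisely the ones whose only traffic is ARP and NetBIOS broadcast; host `...04` is caught either way because it both ARPs locally and resolves names. Which placement is acceptable is the risk decision the thread describes.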