IDS: Re: Network hardware IPS

Re: Network hardware IPS

From: Stefano Zanero <stefano.zanero_at_ieee.org>
Date: Fri, 10 Oct 2003 10:16:57 +0200

> I agree completely - I never implied I could always catch everything.

You could - providing that you accept a correspondingly high rate of false
positives :)

> And as for the IDS-evasion paper comment, we've read it too, and done as
> much as possible to NOT be evaded.

Which means that you can still be evaded ;-) A total defense against evasion
and insertion implies reconstructing network topology and decoding it. By
the way, it also implies knowing the behaviour of each TCP/IP stack on each
host, to understand which packets get read and which get discarded.

Sounds impossible? That's right.

> What I want to see is a new paper, less than 5 years old,

I will suggest then that you cease to study the RFCs that define IPv4 - they
are a lot older than this!

Seriously: as long as no one suggests a complete answer to that problem, I
am going to raise it every time someone claims that you can get arbitrarily
good DR without accepting FP. You simply cannot. And if you can - we would
be glad to hear how :)

> And we're always looking to reduce false positives, while
> maximizing detection rates. Which is why I was so frustrated at Stefano
> for implying that the two values are inseparable.

You are implying it yourself, don't you see? If they were separable, you
would try to annihilate false positives, AND to achieve 100% detection rate.

Instead, now you are correctly stating your problem as a maximization
problem (operational research, anyone?) involving two variables that are
strictly coupled.

Stefano Zanero
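The insertion/evasion point made above (a monitor that does not know how each host's TCP/IP stack resolves ambiguous packets reconstructs a different stream than the host does) as a small added example. This is not code from the original post or from any IDS; the two overlap policies "first" and "last" are simplified stand-ins for real stack behaviour, and the segments are constructed, not captured traffic.

```python
"""Overlapping-segment reassembly under two different policies.

Added example, not code from the original post. "first" keeps the bytes
that arrived first, "last" keeps the bytes that arrived last; both are
simplified stand-ins for how a real TCP/IP stack resolves overlapping
segments. The segments below are constructed, not captured traffic.
"""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)

# Constructed arrival order: the second and third segments overlap at
# offsets 5..9 and disagree about what those five bytes are.
SEGMENTS: List[Segment] = [
    (0, b"GET /"),
    (5, b"ABCDE"),
    (5, b"index.html HTTP/1.0\r\n"),
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream, resolving overlaps with the given policy.

    Only the contiguous prefix starting at offset 0 is returned, which is
    what a stream consumer would see; bytes after a hole are withheld.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    end = max(seq + len(payload) for seq, payload in segments)
    buf = bytearray(end)
    filled = [False] * end
    for seq, payload in segments:  # iterate in arrival order
        for i, byte in enumerate(payload):
            pos = seq + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    n = 0
    while n < end and filled[n]:
        n += 1
    return bytes(buf[:n])


def views(segments: List[Segment]) -> Dict[str, bytes]:
    """What each policy believes the stream contains."""
    return {p: reassemble(segments, p) for p in ("first", "last")}


def monitor_and_host_disagree(segments: List[Segment],
                              monitor_policy: str,
                              host_policy: str) -> bool:
    """True when the monitor reconstructs different bytes than the host.

    A monitor that applies the wrong policy for a given host inspects a
    stream the host never saw, which is the ambiguity the post refers to.
    """
    return reassemble(segments, monitor_policy) != reassemble(segments, host_policy)


if __name__ == "__main__":
    for policy, data in views(SEGMENTS).items():
        print(f"{policy:5s}: {data!r}")
```

Run stand-alone it prints the two reconstructions side by side; the only way for the monitor to agree with every host is to know, per host, which policy applies, which is the topology-and-stack knowledge the post calls impossible to have in full.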
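The detection-rate versus false-positive coupling the post insists on, as an added worked example that is not part of the original thread. A detector is modelled as an anomaly score plus an alert threshold; the benign and malicious scores are constructed values chosen so the two distributions overlap, as they do for any real detector. Sweeping the threshold shows that every gain in DR is bought with FP and vice versa.

```python
"""Detection rate (DR) vs false-positive rate (FPR) threshold sweep.

Added example, not code from the original post. The score lists are
constructed sample values in [0, 1] (higher = more suspicious); they are
not measurements from any product.
"""
from typing import List, Tuple

BENIGN_SCORES: List[float] = [0.05, 0.10, 0.12, 0.20, 0.25, 0.30, 0.35, 0.42, 0.55, 0.61]
MALICIOUS_SCORES: List[float] = [0.38, 0.50, 0.58, 0.70, 0.82, 0.90]


def rates_at(threshold: float, benign: List[float],
             malicious: List[float]) -> Tuple[float, float]:
    """Return (fpr, dr) when every score >= threshold raises an alert."""
    fpr = sum(s >= threshold for s in benign) / len(benign)
    dr = sum(s >= threshold for s in malicious) / len(malicious)
    return fpr, dr


def roc_points(benign: List[float],
               malicious: List[float]) -> List[Tuple[float, float, float]]:
    """Sweep the threshold over every observed score, strictest first.

    Each entry is (threshold, fpr, dr); together they trace the ROC curve.
    """
    points = []
    for t in sorted(set(benign) | set(malicious), reverse=True):
        fpr, dr = rates_at(t, benign, malicious)
        points.append((t, fpr, dr))
    return points


def is_coupled(points: List[Tuple[float, float, float]]) -> bool:
    """True if loosening the threshold never lowers FPR or DR.

    Both rates are counts of scores above the threshold, so they can only
    move in the same direction: that is the coupling the post describes.
    """
    for (_, f0, d0), (_, f1, d1) in zip(points, points[1:]):
        if f1 < f0 or d1 < d0:
            return False
    return True


def min_fpr_for_dr(benign: List[float], malicious: List[float],
                   target_dr: float) -> Tuple[float, float]:
    """Strictest threshold reaching target_dr, with the FPR it costs."""
    for t, fpr, dr in roc_points(benign, malicious):
        if dr >= target_dr:
            return t, fpr
    raise ValueError("target detection rate unreachable")


def max_dr_for_fpr(benign: List[float], malicious: List[float],
                   max_fpr: float) -> Tuple[float, float]:
    """Loosest threshold whose FPR stays within max_fpr, with the DR it yields."""
    best = None
    for t, fpr, dr in roc_points(benign, malicious):
        if fpr <= max_fpr:
            best = (t, dr)
        else:
            break  # loosening further can only add false positives
    if best is None:
        raise ValueError("no threshold satisfies the FPR budget")
    return best


if __name__ == "__main__":
    print("threshold  FPR   DR")
    for t, fpr, dr in roc_points(BENIGN_SCORES, MALICIOUS_SCORES):
        print(f"{t:9.2f}  {fpr:.2f}  {dr:.2f}")
    print("100% DR costs FPR =", min_fpr_for_dr(BENIGN_SCORES, MALICIOUS_SCORES, 1.0)[1])
    print("zero FPR allows DR =", max_dr_for_fpr(BENIGN_SCORES, MALICIOUS_SCORES, 0.0)[1])
```

With these constructed scores, reaching 100% DR forces 30% FPR, while holding FPR at zero caps DR at 50%; the operator chooses a point on the curve, not a point off it, which is the maximization-under-coupling framing of the last paragraph.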

Received on Oct 15 2003
