IDS mailing list archives
Re: Network IDS
From: Andreas Krennmair <netnews () synflood at>
Date: Thu, 21 Aug 2003 16:53:49 +0200
* Barry Fitzgerald <bkfsec () sdf lonestar org> [gmane.comp.security.ids]:
> Andreas Krennmair wrote:
> > Then a NIDS is not the right thing for you. Network Intrusion Detection is not about protecting systems.
>
> I disagree. Yes, it would seem like something of a waste of resources to protect a single server/system with an NIDS sensor. But, if that particular system or group of systems is mission critical, then a NIDS is precisely what you need. So, even in that situation, I can see someone deploying a sensor to detect network traffic based attacks.

It can _detect_ the traffic, but it does NOT protect your system! As soon as you detect an attack, it has already happened, and if it was successful, your system is compromised. So, use secure software, since you can't rely on your NIDS. Why have a NIDS that records all attacks against a machine, when the machine is compromised after one of the attacks?

> So yes, NIDS is absolutely about protecting systems!

You have to understand that detecting an attack does not protect your network/system against this attack, since a NIDS sensor is totally passive. And intrusion prevention systems are getting "funny" as soon as you encounter false positives.

> For full system protection, he should be deploying a Host IDS on the servers/systems he's defending... but an NIDS is a really good idea for detecting attacks that happen over the line. What if someone compromises the system and kills the HIDS and deletes the logs in the middle of the night?
Use sandboxing software, e.g. systrace. It works pretty well on a number of Unix-like operating systems.

Regards,
Andreas Krennmair