IDS mailing list archives
Re: IDS is dead, etc
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 12 Aug 2003 13:17:50 +1200
On Fri, Aug 08, 2003 at 10:24:46AM -0700, Scott Wimer wrote:
I really like your description of NIDS as AV scanners for the network. That's classic. Although, some will argue that the more behavioral oriented NIDS have moved past that point. *shrug*
Heh - as they say, "there's nothing new under the Sun". AV scanners have had "behavioral" characteristics for years - some even run sandboxes in which to partially run the suspected file to see what it does. All this falls under "heuristics" technology.
invaluable tool for network managers. But, a NIDS is not the security "solution" that they are marketed as.
They have their place - but you have to think outside the square. The best use I have found for our IDS network is *not* on its 1,000+ alerts a day that it generates, it's on the hand-written rules that basically say "here are the network things our DMZ hosts are allowed to do, PAGE WHEN THEY DO ANYTHING ELSE"... Can you say "Zero False Positives"? [wow: IDS marketing Nirvana]

IDS's are good for showing senior management how "dangerous" the Internet is - so that you can get more funding to buy more IDS systems - err, wait-a-minute... ;-)

Actually there's another use. Having a visible IDS within your IT Team allows you to show your network and server groups just _why_ they need to install patches/stay up-to-date with training, etc. It can be hard for Security staff to push better practices when all these groups feel is "more work for me".

I forever hear people saying "oh, no-one would be interested in hacking *us*" - unfortunately it's all totally impersonal these days. Everyone is a target.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
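The "allowed DMZ behaviour, page on anything else" rule style described in the post, as an added example that is not from the original message or from Trimble: a small allow-list policy checker run over constructed flow records. The DMZ range, host addresses, resolver and policy entries are all assumed sample values.

```python
"""Allow-list detection over network flow records (added example).

Assumes a constructed DMZ of 192.0.2.0/24 whose hosts may only produce the
flows listed in POLICY; any other flow touching a DMZ host raises an alert.
"""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")  # constructed DMZ range
ANY = ip_network("0.0.0.0/0")

# Each rule: (src_net, dst_net, proto, dst_port). A dst_port of None matches any port.
POLICY = [
    (ANY, ip_network("192.0.2.10/32"), "tcp", 80),                        # inbound HTTP to web host
    (ANY, ip_network("192.0.2.10/32"), "tcp", 443),                       # inbound HTTPS to web host
    (DMZ, ip_network("198.51.100.53/32"), "udp", 53),                     # DMZ hosts may query the resolver
    (ip_network("192.0.2.20/32"), ANY, "tcp", 25),                        # mail relay may send SMTP out
]


def parse_flow(line):
    """Parse a constructed flow line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return ip_address(src), ip_address(dst), proto.lower(), int(dport)


def allowed(src, dst, proto, dport):
    """True if some POLICY entry covers this flow."""
    return any(
        src in s and dst in d and proto == p and (port is None or port == dport)
        for s, d, p, port in POLICY
    )


def check_flows(lines):
    """Return one alert string per flow that touches the DMZ but is not in POLICY."""
    alerts = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if src not in DMZ and dst not in DMZ:
            continue  # policy only concerns DMZ hosts; other traffic is out of scope
        if not allowed(src, dst, proto, dport):
            alerts.append(f"PAGE: {src} -> {dst} {proto}/{dport} not in DMZ policy")
    return alerts


# Constructed sample flows: three permitted, one out of scope, two violations.
SAMPLE_FLOWS = [
    "203.0.113.5 192.0.2.10 tcp 443",     # client to web host: allowed
    "192.0.2.10 198.51.100.53 udp 53",    # web host DNS lookup: allowed
    "192.0.2.20 203.0.113.25 tcp 25",     # mail relay outbound SMTP: allowed
    "203.0.113.5 203.0.113.9 tcp 80",     # no DMZ host involved: ignored
    "192.0.2.10 203.0.113.7 tcp 22",      # web host opening SSH outbound: alert
    "192.0.2.10 192.0.2.20 tcp 25",       # web host sending SMTP to relay: alert
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```

Unlike a signature feed, every line this emits is by construction something the DMZ was never permitted to do, which is why the post can claim zero false positives for this rule style.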
