Intrusion Detection Systems mailing list archives
Re: BlackICE IDS (More comments ...)
From: rgula () network-defense com (Ron Gula)
Date: Sun, 05 Dec 1999 06:43:20 -0800
Let me pose a logic problem to everyone: Does it make more sense to place one system on each network that can handle 100k packets/sec OR place one service on each desktop, where the desktops are each handling 100k packets a second and experiencing possible usability problems? My support staff would shoot me in my sleep if I put them through the headache of supporting Yet Another Desktop Application -- esp. one that can be handled at the network level.
I definitely favor a dedicated system that can handle 100k/sec. I don't want any of my desktops or servers sniffing because that is a process that can be expensive to do. At the desktop, I am much more in favor of IDS products like Tripwire.
My suggestion was and -- for now -- is a Network IDS, preferably in the form of a dedicated IDA. I also believe that the IDS technology arena is so new that we're still fumbling around in the dark, looking for a light switch that will allow us to see the problem in front of us. If you don't believe me, please read the Greg Shipley IDS Review in Network Computing on Nov. 15th, where he all but says, "IDS technology is not ready for release." http://www.nwc.com/1023/1023f1.html
Hey - who is putting words in Greg's mouth now ;) ? My take on the article's overall IDS comments was that these tools were very useful, but not 100% perfect. And if anyone ever nails a packet based IDS perfectly, it still should be able to operate in concert for host IDS, application IDS, vulnerability scanners and firewalls.
Further, do you care to share your traffic file so we can all start talking around the same data? I for one would like to see how other technologies perform with the same set of traffic. Surely you, as one of the founders, don't mind sharing your data so we can all start comparing apples to apples. If anyone wants to look at a point of comparison, my company offers some standard tcpdump formatted logs from SANS NS'99s IDNET contest. They can be found at http://www.hiverworld.com/snortlogs -- although, there's a lot of really strange stuff in these logs, so YMMV.
This is a good point. We've been posting the logs we've captured from Defcon and several SANS conferences now as well. One of the criticisms we've seen is that we're posting what Dragon has collected and not the raw logs. Aside from the technical details of putting up 300MB tcpdump log files containing 10000 nmap scans of the same network, I think what Mr. Graham was talking about was a trace file that was sent *to* the IDS as compared with files captured by an IDS.

Ron Gula
Network Security Wizards