Intrusion Detection Systems mailing list archives
RE: BlackICE IDS
From: broyds () home com (Bill Royds)
Date: Mon, 6 Dec 1999 21:09:49 -0500
I have been investigating commercial IDS systems for several months. More and more I have come to the conclusion that you have to create a network design that will allow IDS's to work well before installing the software.
Forcing the IDS to listen on the main backbone with a huge amount of mainly legitimate traffic puts a lot of strain on the system without necessarily increasing its accuracy. Putting it most closely to the assets one wants to protect and designing the network to force traffic past the IDS before communicating with the asset will be much more productive.
It is a little like the design of physical security systems and alarms. You do have a lock and guard on the front door (firewall). You don't put the motion detector in the main lobby next to the door but nearest to the Rembrandt in the boardroom.
When I studied graph theory in University, one of the most important concepts/theorems was based on the min cut-max flow principle. One needs to involve network IDS at exactly those points in a network where the minimum bandwidth meets the maximum flow of packets that one is interested in. By analysing cut points of your network and redesigning it to have choke points, one can get a much better bang for your buck of intrusion detection.
-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au] On Behalf Of pingman
Sent: Monday, December 06, 1999 11:27
To: Greg Shipley; Robert Graham; Marcus J. Ranum
Cc: John S Flowers; ids () uow edu au
Subject: Re: IDS: BlackICE IDS
mjr and folks
i am in the midst of getting a multisegment ids system, and have read through this thread.
as a customer, i must say i am confused on which one to settle with now.
is it that all ids ain't ready at present.
i know it is all up to one's individual decision. nevertheless, any comments from the experts?
cheers
al
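The min cut-max flow idea from Bill Royds's reply, as an added example that is not part of the original post: it computes the minimum cut between an untrusted source and a protected asset, and the links in that cut are the candidate sensor positions. The topology, node names and link capacities are constructed for illustration.

```python
from collections import deque

# Constructed topology (hypothetical names); capacities in Mbit/s.
LINKS = [
    ("internet", "firewall", 100),
    ("firewall", "backbone", 100),
    ("backbone", "user_lan", 100),
    ("backbone", "srv_switch", 10),
    ("user_lan", "srv_switch", 10),
    ("srv_switch", "db_server", 100),
]

def min_cut(links, source, sink):
    """Return (max_flow, cut_links) between source and sink (Edmonds-Karp)."""
    res = {}  # residual capacities; links are full duplex, so both directions
    for u, v, c in links:
        res.setdefault(u, {})
        res.setdefault(v, {})
        res[u][v] = res[u].get(v, 0) + c
        res[v][u] = res[v].get(u, 0) + c
    flow = 0
    while True:
        # Breadth-first search for a path with spare capacity.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, r in res[u].items():
                if r > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break  # no augmenting path left: flow is maximal
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= push
            res[v][u] += push
        flow += push
    # Nodes still reachable from the source form one side of the minimum cut.
    reachable = set(parent)
    cut = sorted((u, v) for u, v, _ in links
                 if (u in reachable) != (v in reachable))
    return flow, cut

if __name__ == "__main__":
    print(min_cut(LINKS, "internet", "db_server"))
```

On this constructed topology the cut consists of two 10 Mbit/s links into the server switch, so two sensors are needed; removing the direct user_lan link leaves a single choke point.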
