Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: lance () ksni net (Lance Spitzner)
Date: Tue, 7 Dec 1999 13:17:04 -0600 (CST)



On Mon, 6 Dec 1999, Trevor Schroeder wrote:

It seems like a pretty obvious thing, but I don't recall seeing anything
on this list recently about it (which is not to say that it hasn't floated
by... ;), but has anybody used multiple NIDSs to provide higher
sensitivity with fewer false positives?

I believe a critical issue for NIDS is not only what they do, but where
you put them.  We all know we are being attacked, scanned, probed (well,
all of us except for management).  So, putting a NID on the outside
of the firewall only shows us what we already know (and overwhelms us
with valid alerts).  I believe IDS systems should monitor critical systems,
such as your financial database.  Yes, having an IDS system on every
network segment will help detect all the attacks, but overwhelm you
with data.

There is something to be said for simplicity.  I like to ask the client
what is the absolute worst thing that can happen to them if they are
compromised.  This gives me a start on which systems might be critical,
and where to place IDS systems.

I'm not saying having one single IDS system is the way to go.  But
having a NID on every single network segment may hit the point of
diminishing returns.

Let the flaming begin :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
