Intrusion Detection Systems mailing list archives
Re: Real Traffic (was Re: BlackICE IDS)
From: jflowers () hiverworld com (John S Flowers)
Date: Tue, 07 Dec 1999 18:59:42 -0800
Are we to infer from this message that you also believe that having an IDS on every desktop would be even more of a point of diminishing returns? I mean, if you're concerned about overload at the network level, I can only imagine the trauma of alerts across a host level. [Not a flame, by the way]

Lance Spitzner wrote:
> On Mon, 6 Dec 1999, Trevor Schroeder wrote:
>
>> It seems like a pretty obvious thing, but I don't recall seeing anything on this list recently about it (which is not to say that it hasn't floated by... ;), but has anybody used multiple NIDSs to provide higher sensitivity with fewer false positives?
>
> I believe a critical issue for NIDS is not only what they do, but where you put them. We all know we are being attacked, scanned, probed (well, all of us except for management). So, putting a NID on the outside of the firewall only shows us what we already know (and overwhelms us with valid alerts). I believe IDS systems should monitor critical systems, such as your financial database. Yes, having an IDS system on every network segment will help detect all the attacks, but overwhelm you with data. There is something to be said for simplicity.
>
> I like to ask the client what is the absolute worst thing that can happen to them if they are compromised. This gives me a start on which systems might be critical, and where to place IDS systems. I'm not saying having one single IDS system is the way to go. But having a NID on every single network segment may hit the point of diminishing returns.
>
> Let the flaming begin :)
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
--
John S Flowers <jflowers () hiverworld com>
Chief Technology Officer, Hiverworld, Inc.
http://www.hiverworld.com
Enterprise Network Security: Network Forensics, Intrusion Detection and Risk Assessment
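As an added illustration of the two ideas argued over in this thread (Trevor's question about corroborating an event across several NIDS sensors, and Lance's point about weighting by how critical the target system is), here is a small triage routine. It is not code from any of the posters; sensor names, hosts, signatures and criticality values are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    sensor: str      # which NIDS raised the alert
    src: str
    dst: str
    signature: str
    ts: int          # seconds; constructed timestamps

# Constructed asset inventory (1-3): the "worst thing that can happen"
# system gets 3; hosts not listed count as 1.
CRITICALITY = {"10.0.5.20": 3,   # financial database
               "10.0.1.15": 2}   # internal file server

def correlate(alerts, window=60):
    """Group alerts by (src, dst, signature); score each group as
    (distinct sensors seeing it within `window` seconds of the first
    sighting) * criticality of dst. Returns (key, sensors, score),
    highest score first."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.src, a.dst, a.signature)].append(a)
    results = []
    for key, items in groups.items():
        first = min(a.ts for a in items)
        sensors = {a.sensor for a in items if a.ts - first <= window}
        results.append((key, sorted(sensors), len(sensors) * CRITICALITY.get(key[1], 1)))
    return sorted(results, key=lambda r: r[2], reverse=True)

def triage(alerts, threshold=2):
    """Keep only events corroborated by a second sensor or aimed at a
    critical asset, so one perimeter sensor's noise does not flood the console."""
    return [r for r in correlate(alerts) if r[2] >= threshold]

# Constructed sample: the perimeter sensor sees everything; segment sensors
# see only what actually reached their hosts.
SAMPLE = [
    Alert("perimeter", "203.0.113.7", "10.0.9.99", "PORTSCAN", 100),
    Alert("perimeter", "203.0.113.7", "10.0.5.20", "SQL-OVERFLOW", 105),
    Alert("db-segment", "203.0.113.7", "10.0.5.20", "SQL-OVERFLOW", 106),
    Alert("perimeter", "198.51.100.4", "10.0.1.15", "SMB-PROBE", 300),
    Alert("file-segment", "198.51.100.4", "10.0.1.15", "SMB-PROBE", 900),  # too late to corroborate
]

if __name__ == "__main__":
    for key, sensors, score in triage(SAMPLE):
        print(score, key, sensors)
```

The lone perimeter PORTSCAN against an unlisted host scores 1 and is dropped, while the overflow attempt seen by both the perimeter and the database-segment sensor scores 6 and sorts to the top.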
