Firewall Wizards mailing list archives
Re: Intrusion Detection
From: Aleph One <aleph1 () dfw net>
Date: Tue, 14 Apr 1998 19:16:54 -0500 (CDT)
On Tue, 14 Apr 1998, Marcus J. Ranum wrote:

> That's what I'm talking about. IDS' useful role is as a backstop against intrusions that have succeeded, not as frontal armor against known attacks which (most likely) won't succeed. Note that most of the current IDS products on the market are the "frontal armor" type.

Well, maybe if you did decide to, say, for example, email the ISP upstream of where the attacks are coming from, you might stop them _before_ they break in.

> I guess I'm doing a lousy job of explaining myself (chalk it up to fatigue) -- the place where IDS are valuable is as automated tools to do what Ches used to call "Tar Babies" -- traps and alarms that are scattered within the network, to call attention to the presence of unusual activity. This DOES NOT mean that they'll catch the attack based on the attack technique used!!

I understand what you mean and I agree. I guess my point is that unless you look at the traffic and follow up on it, even things that would normally not succeed in breaking in, then you will be in the dark. What the IDS allows you is to let you know when something interesting is happening. Then you can break out the network sniffer and take a look _for_your_self_ at what's going on. You may find some interesting things. But again you are correct that this may take too much time for most people; that's why large companies (should) have a full-time security staff.

> mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01