Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Adam Shostack <adam () homeport org>
Date: Tue, 17 Feb 1998 08:15:09 -0500 (EST)
tqbf () secnet com wrote:
| > One of the major reasons why passive-listening ID systems have been getting
| > so much hype is that they are being advertised as a way to detect attacks
| > that may originate inside the network perimeter protected by the conventional
| > firewall. In other words the claim is that they provide threat detection
|
| Something worth remembering is that our results take a major bite out of
| the claim that ID systems are useful against a skilled internal attacker.
| Someone in your organization that wants to attack you without being
| detected by an IDS will just forge two-way traffic and confuse the IDS
| completely. This is the area where I see passive network IDS as being the
| least useful.

I think there is a place in stopping unskilled internal attackers. Some
situations I've helped clean up involved an employee searching the various
engines for 'hacker tools,' downloading a bunch, and using them. Given the
damage that was caused there, I think there is value to detecting these
things internally.

As the tools are written to make the attacks you described easy*, then the
IDS vendors must cope or die. A harder task than the firewall vendors have
really, but then IDS was going to lose an awful lot when IPsec gets
deployed...

There are folks here who can break into most any network out there, given
sufficient motivation. There are not that many of them. Blocking them is an
excellent goal, because you're being proactive about security, and blocking
threats before your boss reads about them in Network Week. But blocking the
teeming masses of script kiddies and internal disgruntled employees is a
worthwhile goal as well.

* By easy, I mean a libstealth which replaces various socket calls before
they reach libc for easy combination with other exploits.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
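The quoted claim that an insider can "forge two-way traffic and confuse the IDS" can be made concrete with the simplest case: a passive sensor that reassembles a TCP stream without verifying segment checksums will accept chaff segments that the real end host silently drops, so the sensor and the host reconstruct different byte streams. The following is an added illustration, not code from the thread or from any IDS product; the six-byte segment format, the first-come-first-kept overlap policy of the sensor, the request strings and the one-rule "signature" are all constructed for the demonstration.

```python
import struct

# Added example, not code from the thread. Illustrates why a sensor that
# skips checksum verification can be fed data the end host never sees.
# Segment format, overlap policy and payloads are constructed assumptions.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, as TCP and IP use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_segment(seq: int, payload: bytes, corrupt: bool = False) -> bytes:
    """Toy segment: 4-byte sequence number, 2-byte checksum, payload.
    corrupt=True deliberately inverts the checksum: a real receiver drops
    such a segment, a sensor that never checks it does not."""
    csum = inet_checksum(struct.pack("!I", seq) + payload)
    if corrupt:
        csum ^= 0xFFFF
    return struct.pack("!IH", seq, csum) + payload


def parse_segment(raw: bytes):
    """Return (seq, payload, checksum_valid) for a toy segment."""
    seq, csum = struct.unpack("!IH", raw[:6])
    payload = raw[6:]
    valid = inet_checksum(struct.pack("!I", seq) + payload) == csum
    return seq, payload, valid


def reassemble(segments, verify_checksum: bool) -> bytes:
    """Rebuild the byte stream from sequence 0. Overlapping data is kept
    first-come-first-kept (assumed policy of a naive sensor)."""
    stream = {}
    for raw in segments:
        seq, payload, valid = parse_segment(raw)
        if verify_checksum and not valid:
            continue  # what the end host does with a bad checksum
        for i, b in enumerate(payload):
            stream.setdefault(seq + i, b)
    out = bytearray()
    pos = 0
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def signature_alert(stream: bytes) -> bool:
    """Stand-in for an IDS content rule: alert on a request for /secret.txt."""
    return b"GET /secret.txt" in stream


def attacker_segments():
    """Constructed wire sequence: the chaff segment at seq 5 carries a benign
    path with a bad checksum and is sent before the real one. Both paths are
    the same length so the following segment lines up for both views."""
    return [
        make_segment(0, b"GET /"),
        make_segment(5, b"index.html ", corrupt=True),  # sensor keeps, host drops
        make_segment(5, b"secret.txt "),
        make_segment(16, b"HTTP/1.0\r\n"),
    ]


def sensor_view(segments) -> bytes:
    """Naive passive sensor: no checksum verification."""
    return reassemble(segments, verify_checksum=False)


def host_view(segments) -> bytes:
    """End host: bad-checksum segments are discarded."""
    return reassemble(segments, verify_checksum=True)


if __name__ == "__main__":
    segs = attacker_segments()
    print("sensor sees:", sensor_view(segs), "alert:", signature_alert(sensor_view(segs)))
    print("host sees:  ", host_view(segs), "alert:", signature_alert(host_view(segs)))
```

The fix on the sensor side is the same check the host performs (verify the checksum before admitting a segment to reassembly), which is only one of the ambiguities a forged two-way stream can exploit; TTL, fragmentation and overlap policy differences between sensor and host give the same effect and are not covered here.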