Firewall Wizards mailing list archives
Re: IDS: some rambling
From: "Ivan Arce,CORE" <ivan () securenetworks com>
Date: Thu, 19 Feb 1998 10:55:28 -0700 (MST)
On Wed, 18 Feb 1998, Marcus J. Ranum wrote:
There are a couple basic questions I've always had about the goal of IDS, which led me to take the slightly different approach of building event recording and analysis engines. Mostly they stem from early experience building firewalls. My customers used to ask me "will it tell me when it's under attack??" Well, y'know, that sounds like a great idea! Until you think about it. I built firewalls that would detect certain known attacks and notify the administrator. Then I realized one day that it was just an amazingly stupid thing to do. Since I knew what the attack was, I knew that my firewall could resist it: so why should I BOTHER telling the customer?? By definition, an attack that you know you can resist is practically a non-event. I guess it's interesting but it's not VERY interesting. VERY interesting is an attack you cannot resist. The problem is -- how do you detect an attack you cannot resist?
Well, I think your own comments might lead to an answer. Attacks are usually not isolated events: if someone is trying to break into your network she (I'm using female attackers in the usual Ptaceksque style) will try different attacks one after another. If the first succeeded and your firewall/IDS didn't detect it you are certainly out of luck, but if the first attack failed and your firewall/IDS detected AND reported it, there's a good chance that a human being is dragged into the game and can detect those things that a non-human security component can't. It is in that sense that I consider an IDS some sort of 'early-warning' system. It's probably not how IDSes are being marketed, but that's a different story altogether.

Post-mortem analysis, "forensics and ballistics", is surely a good step in minimizing future damage by reducing the lifespan between successful attacks and fix deployment, but certain organizations just can't afford a 'post-mortem' analysis; they need the subject alive. Figuring out how the subject got killed will help them but won't repair all the damage already done.

-ivan

==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce
Gerencia de Tecnologia
Email : ivan () core-sdi com
Av. Santa Fe 2861 5to C
TE : +54-1-821-1030
CP 1425
FAX : +54-1-821-1030
Buenos Aires, Argentina
Mensajeria: +54-1-317-4157
==============================================================================
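The "early-warning" idea in the reply above, as an added example that is not code from either poster: a single blocked, known attack is treated as a non-event, but a sequence of distinct blocked attempts from the same source inside a short window is what gets a human dragged into the game. The log format, the source addresses, the signature names and the threshold values are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the original thread):
# timestamp, source address, matched signature, action taken.
SAMPLE_LOG = """\
1998-02-19T10:01:02 src=10.0.0.7 sig=portscan action=blocked
1998-02-19T10:01:40 src=10.0.0.7 sig=finger-probe action=blocked
1998-02-19T10:02:15 src=10.0.0.7 sig=smtp-probe action=blocked
1998-02-19T10:03:00 src=10.0.0.7 sig=rlogin-probe action=blocked
1998-02-19T10:05:30 src=192.168.3.4 sig=finger-probe action=blocked
1998-02-19T11:30:00 src=172.16.9.9 sig=smtp-probe action=blocked
1998-02-19T12:45:00 src=172.16.9.9 sig=portscan action=blocked
"""

WINDOW = timedelta(minutes=10)   # how long one source's blocked attempts count as "related"
THRESHOLD = 3                    # distinct blocked signatures before a human is paged


def parse_line(line):
    """Split one constructed log line into (time, src, sig, action)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["sig"], kv["action"]


def early_warnings(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one (source, [signatures]) pair per source whose blocked
    attempts reach `threshold` distinct signatures within `window`.

    A lone blocked attack is deliberately NOT reported: the firewall
    already resisted it. Only the pattern of repeated, varied failures
    is escalated, once per source."""
    recent = defaultdict(list)   # src -> [(time, sig)] still inside the window
    alerted = set()
    warnings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, sig, action = parse_line(line)
        if action != "blocked":
            continue
        # Drop attempts from this source that have aged out of the window.
        bucket = [(t, s) for (t, s) in recent[src] if ts - t <= window]
        bucket.append((ts, sig))
        recent[src] = bucket
        distinct = sorted({s for _, s in bucket})
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            warnings.append((src, distinct))
    return warnings


if __name__ == "__main__":
    for src, sigs in early_warnings(SAMPLE_LOG):
        print(f"EARLY WARNING: {src} tried {len(sigs)} distinct attacks: {', '.join(sigs)}")
```

With the constructed log, only 10.0.0.7 trips the warning: it runs through three different blocked signatures in about a minute. The two attempts from 172.16.9.9 are more than an hour apart, so under a ten-minute window they stay isolated non-events; widening the window (or lowering the threshold) is the tuning knob that decides how early the warning fires versus how often a human is paged for noise.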