Firewall Wizards mailing list archives

Re: The value of detecting neutralized threats. (was RE: IDS bla


From: Joe LoBianco <joe_lobianco () securecomputing com>
Date: Fri, 29 Jan 1999 00:25:19 -0500

In any case, I think the crux of the matter is that security involves applied
theory, subject to financial, personal, and political constraints.  Thus, a
generic consensus on what is an appropriate threshold for intrusion detection
is neither productive nor necessary.  As has been pointed out, it is even more
pointless to attempt to divide organizations across arbitrary lines (government,
military, corporate, educational), as the needs of users within large
organizations or sectors are disparate enough that a canned solution will serve
no single entity well.  Obviously, you have to know the client well enough to
generate solutions that fit his needs and budgets;  it's part of the job.

I think Vik has hit the nail on the head.  Security professionals have been
preaching for some time that no one security solution will be suitable for
every organization, and for large organizations needs will vary within the
organization itself.  For this reason it would be silly to attempt to come
to an agreement on the *best* way to do IDS.

On another note...
Having listened to the debate on the value of external or DMZ based IDS, I
was struck by the fact that no one (to my knowledge) has pointed out the
traffic that the external IDS will not catch, but that the internal one
will.  Namely, attacks that originate from the internal, trusted network.
We all know that a large amount of unauthorized access comes from the
inside, so shouldn't this play a role?

If 50% (or whatever) of the attacks come from the inside, that makes the
external IDS useless in detecting half of the attempts.  Surely this must
play a role in deciding how much time/money is spent on external IDS, right?

Can someone comment on the relative difficulty of detecting internal
attacks?  I would imagine in some ways it must be more difficult (more
subtle break-ins), yet easier in other ways (tracking down the individual).

P.S. Maybe this discussion should be taken to another list?  I imagine
there are those who want to read about firewalls but *not* about IDS!



-----
Joe LoBianco, CISSP
Network Security Specialist
Secure Computing Corporation
joe_lobianco () securecomputing com
Phone:  +1.416.815.3038
Fax:    +1.416.815.3001


