Re: Intrusion Detection Systems, Best of breed?

["R. DuFresne" <dufresne () sysinfo com>]

On Wed, 26 Dec 2001, Talisker wrote:

> Ron
> I'd have to agree that security and system/network administration do not
> mix.  If you want defence in depth you need personnel who's sole
> responsibility is to security, and the upkeep of those tools.   But I'd hope
> that people monitoring this list are here because they do take security
> seriously.  All too often buyers will blame the tools rather than their own
> lack of resources.
> "An IDS is for life not just Christmas"

andy,

Agreed 100%.  Yet, the mix here in this list, and the gnat firewalls list
this list was derived from, and even the bugtraq list do not represent the
total population of system/network admin folks in play, nor even the full
total of security folks in the field.  Im betting these lists show a very
minor percentage of these peoples in play in the respecive fields
mentioned.  This leaves up with a great many folks and companies that do
not have the skilled assets available to install, maintain and or monitor
systems and networks in a secure fashoin, we represent a bare minimum,
which makes it far easier to understand why security in the IT industry is
so lacking.

Thanks,

Ron DuFresne


> take care
> -andy
> http://www.networkintrusion.co.uk
> ----- Original Message -----
> From: "R. DuFresne" <dufresne () sysinfo com>
> To: "Marcus J. Ranum" <mjr () nfr com>
> Cc: "Ofir Arkin" <ofir () sys-security com>; "'ROB SLAUGHTER'"
> <rslaughter () cpsts com>; <firewall-wizards () nfr com>
> Sent: Monday, December 24, 2001 8:45 PM
> Subject: RE: [fw-wiz] Intrusion Detection Systems, Best of breed?
>
>
> > On Mon, 24 Dec 2001, Marcus J. Ranum wrote:
> >
> > > R. DuFresne wrote:
> > > > .  These 'external' IDS systems are best put in place to monitor the
> > > > effectivness of the perimeter devices, as a last call to arms should
> > > > something weasle it;s way past the perimeter.
> > >
> > > I like to use the term "attack detection" to describe IDS technologies
> > > that are deployed outside of the security perimeter. "Intrusion
> detection"
> > > is when you've set your systems up where they will detect actual
> > > intrusions or illicit activities. After all, if it's outside the
> security
> > > perimeter
> > > it's in "anything goes" land and it doesn't make sense to treat all
> > > the weird traffic as red alert material.
> > >
> > > Another thing a lot of folks don't understand when they set their
> > > IDS up outside the firewall is that they're still only getting a partial
> > > view of the universe of attacks being launched against them.
> > > Because of the presence of the firewall (hopefully, anyhow!!)
> > > whole types of potential attacks will never be recorded: is that
> > > SYN packet aimed at an internal HTTP server an attack, or
> > > a probe, or a legitimate query that went astray due to a bad
> > > link? You'll never know because the firewall blocks that traffic
> > > at the SYN packet and never lets it develop further. I'm guessing
> > > this issue will be addressed in the future by firewalls that redirect
> > > denied traffic to honeynet systems that interact with the Bad Guys
> > > and allow the IDS capability to analyze more fully developed
> > > attacks.
> >
> > A recent SANS newsletter posted this article in the floods that admins and
> > security folks have to contend with as referencing IDS systems and
> > placements in general.
> >
> >                 SANS NewsBites Vol. 3 Num. 51 19 Dec 2001
> >
> >    --14 December 2001 Intrusion Detection Swamps Users With False Alarms
> >   IDS vendors concede that false alarms and redundant alerts are a
> >   serious problem. Adding to the problem is the fact that companies
> >   buy IDSs but fail to provide adequately trained personnel to monitor
> >   the results.
> >
> > http://www.theregister.co.uk/content/55/23420.html
> >
> > <quote>
> >
> >    Part of the problem seems to be that business managers buy IDS systems
> >    (often on the advice of auditors or consultants) without committing to
> >    the people and resources needed to make the technology work, or having
> >    a managed services firm maintain an installation.
> >    The concern is that adopters of the technology will fail to maintain
> >    it or simply leave it to gather dust as overworked admins get
> >    bombarded with false alarms.
> >
> > </quote>
> >
> > We also hold that while companies tend to listen to the marketers in
> > placement stragedies and the most common placement of 'IDS" systems tends
> > to be on the perimeter, in "never-never-land" <we do like that term!>,
> > that these IDS systems not only get poor care and feeding, they tend to be
> > "noisy little beasts" that are tied into the paging and alerting systems
> > of the admins and security staff, leading over short periods of time to
> > little more then a nuisance.  These exposed "attack detection" systems
> > really should have limited, of any, reach into the paging alerting systems
> > that tend to sound off alarms and set support staff into turmoil/reactive
> > mode.  Placement is more then 50% of the key here, care and feeding the
> > other percentage.
> >
> >
> > > And.... Since I've got you here...
> > > Happy holidays to all, from firewall-wizards! :) The list is now
> > > 4,274 readers (!!!)   Average message volume is about 60%-75%
> > > spam (!!!) - this last week, for example, we got _12_ copies of
> > > the nigerian bank transfer scam sent at us. I guess we're going on
> > > 4 years, now? Anyhow, have a safe and joyous 2002!
> >
> > And we'd also like to wish the list and Marcus a Joyous Holiday Season!
> >
> > Marcus has done a great job with this list, especially considering his
> > many ventures and commitments within the security industry.
> >
> > Thanks,
> >
> > Ron DuFresne
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >         admin & senior consultant:  sysinfo.com
> >                   http://sysinfo.com
> >
> > "Cutting the space budget really restores my faith in humanity.  It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation."
> >                 -- Johnny Hart
> >
> > testing, only testing, and damn good at it too!
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  sysinfo.com
                  http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards