Firewall Wizards mailing list archives
Re: Intrusion Detection Systems, Best of breed?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 26 Dec 2001 12:58:45 -0500 (EST)
On Wed, 26 Dec 2001, Talisker wrote:
Ron, I'd have to agree that security and system/network administration do not mix. If you want defence in depth you need personnel whose sole responsibility is security and the upkeep of those tools. But I'd hope that people monitoring this list are here because they do take security seriously. All too often buyers will blame the tools rather than their own lack of resources. "An IDS is for life, not just Christmas."
andy,

Agreed 100%. Yet the mix here in this list, and the gnat firewalls list this list was derived from, and even the bugtraq list, do not represent the total population of system/network admin folks in play, nor even the full total of security folks in the field. I'm betting these lists show a very minor percentage of the people in play in the respective fields mentioned. This leaves us with a great many folks and companies that do not have the skilled assets available to install, maintain and/or monitor systems and networks in a secure fashion. We represent a bare minimum, which makes it far easier to understand why security in the IT industry is so lacking.

Thanks,

Ron DuFresne
take care
-andy
http://www.networkintrusion.co.uk

----- Original Message -----
From: "R. DuFresne" <dufresne () sysinfo com>
To: "Marcus J. Ranum" <mjr () nfr com>
Cc: "Ofir Arkin" <ofir () sys-security com>; "'ROB SLAUGHTER'" <rslaughter () cpsts com>; <firewall-wizards () nfr com>
Sent: Monday, December 24, 2001 8:45 PM
Subject: RE: [fw-wiz] Intrusion Detection Systems, Best of breed?

On Mon, 24 Dec 2001, Marcus J. Ranum wrote:

R. DuFresne wrote:
These 'external' IDS systems are best put in place to monitor the effectiveness of the perimeter devices, as a last call to arms should something weasel its way past the perimeter.

I like to use the term "attack detection" to describe IDS technologies that are deployed outside of the security perimeter. "Intrusion detection" is when you've set your systems up where they will detect actual intrusions or illicit activities. After all, if it's outside the security perimeter it's in "anything goes" land and it doesn't make sense to treat all the weird traffic as red alert material.

Another thing a lot of folks don't understand when they set their IDS up outside the firewall is that they're still only getting a partial view of the universe of attacks being launched against them. Because of the presence of the firewall (hopefully, anyhow!!) whole types of potential attacks will never be recorded: is that SYN packet aimed at an internal HTTP server an attack, or a probe, or a legitimate query that went astray due to a bad link? You'll never know, because the firewall blocks that traffic at the SYN packet and never lets it develop further. I'm guessing this issue will be addressed in the future by firewalls that redirect denied traffic to honeynet systems that interact with the Bad Guys and allow the IDS capability to analyze more fully developed attacks.

A recent SANS newsletter posted this article, in the floods that admins and security folks have to contend with, as referencing IDS systems and placements in general.

SANS NewsBites Vol. 3 Num. 51 19 Dec 2001
--14 December 2001 Intrusion Detection Swamps Users With False Alarms
IDS vendors concede that false alarms and redundant alerts are a serious problem. Adding to the problem is the fact that companies buy IDSs but fail to provide adequately trained personnel to monitor the results.
http://www.theregister.co.uk/content/55/23420.html

<quote>
Part of the problem seems to be that business managers buy IDS systems (often on the advice of auditors or consultants) without committing to the people and resources needed to make the technology work, or having a managed services firm maintain an installation. The concern is that adopters of the technology will fail to maintain it or simply leave it to gather dust as overworked admins get bombarded with false alarms.
</quote>

We also hold that while companies tend to listen to the marketers in placement strategies, and the most common placement of "IDS" systems tends to be on the perimeter, in "never-never-land" <we do like that term!>, these IDS systems not only get poor care and feeding, they tend to be "noisy little beasts" that are tied into the paging and alerting systems of the admins and security staff, leading over short periods of time to little more than a nuisance. These exposed "attack detection" systems really should have limited, if any, reach into the paging/alerting systems that tend to sound off alarms and set support staff into turmoil/reactive mode. Placement is more than 50% of the key here, care and feeding the other percentage.

And.... Since I've got you here... Happy holidays to all, from firewall-wizards! :) The list is now 4,274 readers (!!!) Average message volume is about 60%-75% spam (!!!) - this last week, for example, we got _12_ copies of the nigerian bank transfer scam sent at us. I guess we're going on 4 years, now? Anyhow, have a safe and joyous 2002!

And we'd also like to wish the list and Marcus a Joyous Holiday Season! Marcus has done a great job with this list, especially considering his many ventures and commitments within the security industry.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
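The thread's practical point, that sensors outside the firewall ("attack detection" in Ranum's terms) should have little or no reach into the pager, while sensors behind it ("intrusion detection") should page but not flood operators with redundant alerts, can be expressed as a small routing policy. The following is an added example written for this archive page, not code from any poster or product; the alert record layout, the sensor tags `external`/`internal`, the ten-minute suppression window and the sample alerts (RFC 5737 documentation addresses) are all assumptions constructed for illustration.

```python
"""Route IDS alerts by sensor placement and collapse redundant internal alerts.

Added example, not from the mailing-list thread. Assumed model:
  - each sensor is tagged 'external' (outside the firewall, sees raw probe
    traffic and blocked SYNs) or 'internal' (behind the firewall, sees only
    what the perimeter let through);
  - an alert is a dict: id, sensor, signature, src, dst, timestamp (epoch secs).
Policy: external alerts are logged only (never page); internal alerts page,
but repeats of the same (signature, src, dst) inside PAGE_WINDOW_SECONDS are
suppressed so one attacker does not fire the pager a hundred times.
"""
from collections import defaultdict

PAGE_WINDOW_SECONDS = 600  # assumed suppression window for duplicate pages


def route_alert(alert, state, page_window=PAGE_WINDOW_SECONDS):
    """Return 'log', 'page' or 'suppressed' for one alert.

    `state` maps (signature, src, dst) -> timestamp of the last page sent
    for that tuple; it is updated in place when a page is issued.
    """
    if alert["sensor"] == "external":
        # Outside the perimeter is "anything goes" land: record it for
        # perimeter-effectiveness review, but keep it off the pager.
        return "log"
    key = (alert["signature"], alert["src"], alert["dst"])
    last_paged = state.get(key)
    if last_paged is not None and alert["timestamp"] - last_paged < page_window:
        # Same event already paged recently: count it, do not page again.
        return "suppressed"
    state[key] = alert["timestamp"]
    return "page"


def route_batch(alerts):
    """Route alerts in timestamp order; return per-alert decisions and totals."""
    state = {}
    counts = defaultdict(int)
    decisions = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        decision = route_alert(alert, state)
        counts[decision] += 1
        decisions.append((alert["id"], decision))
    return decisions, dict(counts)


# Constructed sample: an external probe seen twice outside the firewall, the
# same signature seen three times on an internal sensor (two within the
# window, one later), plus an unrelated internal event.
SAMPLE_ALERTS = [
    {"id": 1, "sensor": "external", "signature": "WEB-IIS unicode probe",
     "src": "203.0.113.5", "dst": "192.0.2.10", "timestamp": 0},
    {"id": 2, "sensor": "external", "signature": "WEB-IIS unicode probe",
     "src": "203.0.113.5", "dst": "192.0.2.10", "timestamp": 5},
    {"id": 3, "sensor": "internal", "signature": "WEB-IIS unicode probe",
     "src": "203.0.113.5", "dst": "192.0.2.10", "timestamp": 10},
    {"id": 4, "sensor": "internal", "signature": "WEB-IIS unicode probe",
     "src": "203.0.113.5", "dst": "192.0.2.10", "timestamp": 100},
    {"id": 5, "sensor": "internal", "signature": "WEB-IIS unicode probe",
     "src": "203.0.113.5", "dst": "192.0.2.10", "timestamp": 700},
    {"id": 6, "sensor": "internal", "signature": "SMB share enumeration",
     "src": "10.0.0.7", "dst": "10.0.0.12", "timestamp": 120},
]

if __name__ == "__main__":
    decisions, counts = route_batch(SAMPLE_ALERTS)
    for alert_id, decision in decisions:
        print(f"alert {alert_id}: {decision}")
    print(counts)  # {'log': 2, 'page': 3, 'suppressed': 1}
```

On the sample, the two external hits are logged but never reach the pager, alert 3 pages, alert 4 (90 seconds later, same tuple) is suppressed, alert 6 pages as a distinct event, and alert 5 pages again because it falls outside the window. The suppressed count is the figure worth watching over time: it is exactly the "redundant alerts" the SANS item describes, and a sensor whose suppressions dwarf its pages is a candidate for tuning rather than for more pager wiring.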
Current thread:
- Re: Intrusion Detection Systems, Best of breed?, (continued)
- Re: Intrusion Detection Systems, Best of breed? Robin S. Socha (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 27)
- Re: Intrusion Detection Systems, - Honeypots? R. DuFresne (Dec 28)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 28)
- Message not available
- Re: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 24)
- RE: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 25)
- Re: Intrusion Detection Systems, Best of breed? Talisker (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? John Adams (Dec 26)