RE: Intrusion Detection Systems, Best of breed?

["Marcus J. Ranum" <mjr () nfr com>]

R. DuFresne wrote:
> .  These 'external' IDS systems are best put in place to monitor the
> effectivness of the perimeter devices, as a last call to arms should
> something weasle it;s way past the perimeter.

I like to use the term "attack detection" to describe IDS technologies
that are deployed outside of the security perimeter. "Intrusion detection"
is when you've set your systems up where they will detect actual
intrusions or illicit activities. After all, if it's outside the security 
perimeter
it's in "anything goes" land and it doesn't make sense to treat all
the weird traffic as red alert material.

Another thing a lot of folks don't understand when they set their
IDS up outside the firewall is that they're still only getting a partial
view of the universe of attacks being launched against them.
Because of the presence of the firewall (hopefully, anyhow!!)
whole types of potential attacks will never be recorded: is that
SYN packet aimed at an internal HTTP server an attack, or
a probe, or a legitimate query that went astray due to a bad
link? You'll never know because the firewall blocks that traffic
at the SYN packet and never lets it develop further. I'm guessing
this issue will be addressed in the future by firewalls that redirect
denied traffic to honeynet systems that interact with the Bad Guys
and allow the IDS capability to analyze more fully developed
attacks.

And.... Since I've got you here...
Happy holidays to all, from firewall-wizards! :) The list is now
4,274 readers (!!!)   Average message volume is about 60%-75%
spam (!!!) - this last week, for example, we got _12_ copies of
the nigerian bank transfer scam sent at us. I guess we're going on
4 years, now? Anyhow, have a safe and joyous 2002!

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards