Firewall Wizards mailing list archives
RE: Intrusion Detection Systems, Best of breed?
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 24 Dec 2001 15:45:18 -0500 (EST)
On Mon, 24 Dec 2001, Marcus J. Ranum wrote:
R. DuFresne wrote:. These 'external' IDS systems are best put in place to monitor the effectivness of the perimeter devices, as a last call to arms should something weasle it;s way past the perimeter.I like to use the term "attack detection" to describe IDS technologies that are deployed outside of the security perimeter. "Intrusion detection" is when you've set your systems up where they will detect actual intrusions or illicit activities. After all, if it's outside the security perimeter it's in "anything goes" land and it doesn't make sense to treat all the weird traffic as red alert material. Another thing a lot of folks don't understand when they set their IDS up outside the firewall is that they're still only getting a partial view of the universe of attacks being launched against them. Because of the presence of the firewall (hopefully, anyhow!!) whole types of potential attacks will never be recorded: is that SYN packet aimed at an internal HTTP server an attack, or a probe, or a legitimate query that went astray due to a bad link? You'll never know because the firewall blocks that traffic at the SYN packet and never lets it develop further. I'm guessing this issue will be addressed in the future by firewalls that redirect denied traffic to honeynet systems that interact with the Bad Guys and allow the IDS capability to analyze more fully developed attacks.
A recent SANS newsletter posted this article in the floods that admins and
security folks have to contend with as referencing IDS systems and
placements in general.
SANS NewsBites Vol. 3 Num. 51 19 Dec 2001
--14 December 2001 Intrusion Detection Swamps Users With False Alarms
IDS vendors concede that false alarms and redundant alerts are a
serious problem. Adding to the problem is the fact that companies
buy IDSs but fail to provide adequately trained personnel to monitor
the results.
http://www.theregister.co.uk/content/55/23420.html
<quote>
Part of the problem seems to be that business managers buy IDS systems
(often on the advice of auditors or consultants) without committing to
the people and resources needed to make the technology work, or having
a managed services firm maintain an installation.
The concern is that adopters of the technology will fail to maintain
it or simply leave it to gather dust as overworked admins get
bombarded with false alarms.
</quote>
We also hold that while companies tend to listen to the marketers in
placement stragedies and the most common placement of 'IDS" systems tends
to be on the perimeter, in "never-never-land" <we do like that term!>,
that these IDS systems not only get poor care and feeding, they tend to be
"noisy little beasts" that are tied into the paging and alerting systems
of the admins and security staff, leading over short periods of time to
little more then a nuisance. These exposed "attack detection" systems
really should have limited, of any, reach into the paging alerting systems
that tend to sound off alarms and set support staff into turmoil/reactive
mode. Placement is more then 50% of the key here, care and feeding the
other percentage.
And.... Since I've got you here... Happy holidays to all, from firewall-wizards! :) The list is now 4,274 readers (!!!) Average message volume is about 60%-75% spam (!!!) - this last week, for example, we got _12_ copies of the nigerian bank transfer scam sent at us. I guess we're going on 4 years, now? Anyhow, have a safe and joyous 2002!
And we'd also like to wish the list and Marcus a Joyous Holiday Season!
Marcus has done a great job with this list, especially considering his
many ventures and commitments within the security industry.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Intrusion Detection Systems, Best of breed?, (continued)
- RE: Intrusion Detection Systems, Best of breed? Lance Spitzner (Dec 27)
- RE: Intrusion Detection Systems, Best of breed? franks (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? Robin S. Socha (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 27)
- Re: Intrusion Detection Systems, - Honeypots? R. DuFresne (Dec 28)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 28)
- Message not available
- Re: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 24)
- RE: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 25)
- Re: Intrusion Detection Systems, Best of breed? Talisker (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? John Adams (Dec 26)