IDS mailing list archives
AW: Changes in IDS Companies?
From: detmar.liesen () lds nrw de
Date: Wed, 13 Nov 2002 08:21:16 +0100
Yeah, really a smart-ass response. >8) So I take it you have configured your NIPS to block all might-be attacks, right? Good luck to you ;)

Okay, seriously: I did not say you shall not detect attacks any more. I said you shall only block well-known attacks. Maybe my statement was a little too simplistic and you are absolutely right that people should patch their systems in the first place.

But consider the following situation:
-An internet provider wants to provide central security services that include GIDS to all customers with leased lines.
-The provider does not know the customer's infrastructure.

How can he fine-tune the GIDS without knowledge of the infrastructure behind the GIDS? Ergo: He installs a baseline signature set for blocking well-known attacks because he cannot rely on the customer having properly patched his systems and he cannot afford to accidentally block legit traffic either. All other signatures are passive, i.e. there are no blocking rules installed for these signatures. For these signatures you could better use a classic NIDS for various reasons, e.g. performance (the fewer signatures are on the GIDS, the lower the latency). It is also a good idea to use a NIDS that applies another (complementary) technology for the sake of security/redundancy.

In short: Use a NIPS/GIDS for blocking malicious stuff that is well-known. Use a classic stealth NIDS with another technology for all other stuff.

I hope my statements are more clear now? :)

Greetings,
Detmar

-----Original Message-----
From: Dominique Brezinski [mailto:dom () decru com]
Sent: Tuesday, 12 November 2002 23:29
To: detmar.liesen () lds nrw de; focus-ids () securityfocus com
Subject: Re: Changes in IDS Companies?

For a smart-ass response, see below....

----- Original Message -----
From: <detmar.liesen () lds nrw de>
To: <focus-ids () securityfocus com>
Sent: Monday, November 11, 2002 11:40 PM
Subject: AW: Changes in IDS Companies?
<snip>
I don't have enough practical experience to tell if the following idea is good, but I suggest using a GIDS as a protecting device with just the most important signatures that are known to reliably detect/block those attacks we fear most:
-worms
-trojans/backdoors
-well-known exploits
I hate to state the obvious, but if we know enough about these threats to write a signature to detect them, then we know enough to re-configure our systems to be immune to them. Having a GIDS protect against such things just leads to a false sense of security.
Additionally, NIPS vendors should always maintain a list of those most common and most dangerous attacks that also gives information about known false positives for these signatures.
Yeah, so we can patch or re-configure our systems to be immune to vulnerabilities and not use their products ;> On a good day signature-based NIDS cost organizations money to run for no actionable return.... On a bad day they leave the organization feeling secure when they are not.

Dom
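The two-tier policy Detmar describes (a small baseline set that the inline GIDS/NIPS actually blocks, everything else left as passive alerts for a separate NIDS, and vendor-published false-positive notes deciding what is safe to block) can be generated mechanically from a signature catalogue. The following is an added example, not code from either poster; it assumes Snort-style rule syntax and invents a "tier" / "fp" metadata convention to stand in for the vendor's baseline list and its false-positive notes.

```python
import re

# Constructed sample catalogue in Snort-like syntax. The "tier" and "fp"
# metadata keys are an assumed convention for this example: "tier baseline"
# marks a vendor-vetted signature for a well-known attack, "fp known" marks
# one the vendor's false-positive list flags as unsafe to block blindly.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"WORM constructed probe"; content:"/constructed.ida?"; sid:1000001; metadata:tier baseline;)
alert tcp any any -> $HOME_NET 27374 (msg:"BACKDOOR constructed connect"; content:"CONSTRUCTED"; sid:1000002; metadata:tier baseline, fp known;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC long URI heuristic"; content:"GET"; sid:1000003; metadata:tier heuristic;)
"""

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+)\((?P<options>.*)\)\s*$")

def parse_rule(line):
    """Split one rule into action, header, raw options, sid and metadata dict.
    Options are split on ';', so this parser assumes no ';' inside quoted content."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m.group("options").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip()
    meta = {}
    for item in opts.get("metadata", "").split(","):
        parts = item.split()
        if len(parts) == 2:
            meta[parts[0]] = parts[1]
    return {"action": m.group("action"), "header": m.group("header").strip(),
            "options": m.group("options"), "sid": opts.get("sid"), "meta": meta}

def split_policy(rule_text):
    """Return (inline_rules, passive_rules): only baseline signatures without a
    documented false positive are rewritten to 'drop' for the inline device;
    every other signature stays an 'alert' rule for the passive NIDS."""
    inline, passive = [], []
    for line in rule_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        r = parse_rule(line)
        blockable = r["meta"].get("tier") == "baseline" and "fp" not in r["meta"]
        target = inline if blockable else passive
        target.append(f"{'drop' if blockable else 'alert'} {r['header']} ({r['options']})")
    return inline, passive
```

Running `split_policy(SAMPLE_RULES)` leaves only the worm signature in the inline drop set; the backdoor rule with a known false positive and the heuristic rule both stay passive.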