IDS mailing list archives

AW: Changes in IDS Companies?


From: detmar.liesen () lds nrw de
Date: Wed, 13 Nov 2002 08:21:16 +0100

Yeah, really a smart-ass response. >8)

So I take it you have configured your NIPS to block all might-be attacks, right?

Good luck to you ;)

Okay, seriously:

I did not say you shall not detect attacks any more. 
I said you shall only block well-known attacks.

Maybe my statement was a little too simplistic, and you are absolutely right that
people should patch their systems in the first place.

But consider the following situation:
- An internet provider wants to provide central security services that include
  GIDS to all customers with leased lines.
- The provider does not know the customer's infrastructure.

How can he fine-tune the GIDS without knowledge of the infrastructure behind the
GIDS?
Ergo: he installs a baseline signature set for blocking well-known attacks,
because he cannot rely on the customer having properly patched his systems, and
he cannot afford to accidentally block legitimate traffic either.

All other signatures are passive, i.e. there are no blocking rules installed for
these signatures.
For these signatures you could better use a classic NIDS, for various reasons,
e.g. performance (the fewer signatures are on the GIDS, the lower the latency).
It is also a good idea to use a NIDS that applies another (complementary)
technology for the sake of security/redundancy.

In short:
Use a NIPS/GIDS for blocking malicious stuff that is well-known.
Use a classic stealth NIDS with another technology for all other stuff.

I hope my statements are more clear now? :)

Greetings,
Detmar
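The split Detmar describes (a small inline baseline that blocks, everything else alert-only on a passive sensor) and Dominique's point about vendors documenting known false positives, as an added example that is not code from either poster. It uses a constructed subset of Snort-style rule syntax; every rule, sid, `metadata:known_fp` flag and packet below is made up for illustration, and the "vendor false-positive list" is modelled as that hypothetical metadata flag.

```python
"""Two-tier signature deployment: inline baseline blocks, passive sensor alerts.
Added example; rules, sids and traffic are constructed, not real signatures."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Supported subset:  <action> <proto> <src> <sport> -> <dst> <dport> (<options>)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s*->\s*\S+\s+"
    r"(?P<dport>\d+|any)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str           # "drop" (block inline) or "alert" (report only)
    proto: str
    dport: Optional[int]  # None means "any"
    msg: str
    content: bytes        # payload substring the rule looks for
    sid: int
    known_fp: bool        # hypothetical vendor flag: documented false positives


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the constructed subset (msg, content, sid, metadata)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    dport = None if m.group("dport") == "any" else int(m.group("dport"))
    return Rule(m.group("action"), m.group("proto"), dport, opts["msg"],
                opts["content"].encode(), int(opts["sid"]),
                opts.get("metadata") == "known_fp")


def split_rulesets(rules: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Inline GIDS gets only 'drop' rules without documented false positives
    (the baseline blocked without knowing the customer's network); the passive
    NIDS gets every other rule, forced to 'alert', so it is seen but never blocks."""
    inline = [r for r in rules if r.action == "drop" and not r.known_fp]
    passive = [replace(r, action="alert") for r in rules if r not in inline]
    return inline, passive


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.dport in (None, pkt.dport)
            and rule.content in pkt.payload)


def gids_verdict(inline: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Inline device: the first matching baseline rule drops the packet."""
    for r in inline:
        if matches(r, pkt):
            return "drop", r.sid
    return "pass", None


def nids_alerts(passive: List[Rule], pkt: Packet) -> List[int]:
    """Passive sensor: report every matching sid, never block."""
    return [r.sid for r in passive if matches(r, pkt)]


# Constructed rule set. 9000004 is authored as 'drop', but the hypothetical
# vendor list flags known false positives, so it must not block blindly.
RULE_TEXT = [
    'drop tcp any any -> any 80 (msg:"HTTP cmd.exe in request"; content:"cmd.exe"; sid:9000001;)',
    'drop tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; sid:9000002;)',
    'alert tcp any any -> any 80 (msg:"HTTP traversal pattern"; content:"../"; sid:9000003;)',
    'drop tcp any any -> any 80 (msg:"HTTP long URI"; content:"AAAAAAAA"; sid:9000004; metadata:known_fp;)',
]
RULES = [parse_rule(t) for t in RULE_TEXT]
INLINE, PASSIVE = split_rulesets(RULES)

# Constructed traffic samples.
PACKETS = [
    Packet("tcp", 80, b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("tcp", 80, b"GET /" + b"A" * 200 + b" HTTP/1.0"),
    Packet("tcp", 80, b"GET /index.html HTTP/1.0"),
]


def run(packets: List[Packet]) -> List[Tuple[str, Optional[int], List[int]]]:
    """Return (GIDS action, blocking sid, passive alert sids) per packet."""
    out = []
    for pkt in packets:
        action, sid = gids_verdict(INLINE, pkt)
        out.append((action, sid, nids_alerts(PASSIVE, pkt)))
    return out


if __name__ == "__main__":
    print("inline set:", [r.sid for r in INLINE], "(fewer signatures, lower latency)")
    for pkt, (action, sid, alerts) in zip(PACKETS, run(PACKETS)):
        print(f"{pkt.payload[:40]!r:45} GIDS={action} sid={sid} NIDS alerts={alerts}")
```

The inline set ends up with two of the four rules: the traversal rule stays alert-only because it was authored that way, and the long-URI rule is demoted despite being authored as `drop` because of the documented false positives. The traversal-only and long-URI packets pass the GIDS untouched but still raise alerts on the passive sensor, which is the behaviour the provider wants when it cannot see the customer's network.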

-----Original Message-----
From: Dominique Brezinski [mailto:dom () decru com]
Sent: Tuesday, 12 November 2002 23:29
To: detmar.liesen () lds nrw de; focus-ids () securityfocus com
Subject: Re: Changes in IDS Companies?


For a smart-ass response, see below....

----- Original Message -----
From: <detmar.liesen () lds nrw de>
To: <focus-ids () securityfocus com>
Sent: Monday, November 11, 2002 11:40 PM
Subject: AW: Changes in IDS Companies?


<snip>
I don't have enough practical experience to tell if the following idea is
good, but I suggest using a GIDS as a protecting device with just the most
important signatures that are known to reliably detect/block those attacks we
fear most:
-worms
-trojans/backdoors
-well-known exploits

I hate to state the obvious, but if we know enough about these threats to
write a signature to detect them, then we know enough to re-configure our
systems to be immune to them.  Having a GIDS protect against such things
just leads to a false sense of security.

Additionally, NIPS vendors should always maintain a list of those most common
and most dangerous attacks that also gives information about known
false-positives for these signatures.

Yeah, so we can patch or re-configure our systems to be immune to
vulnerabilities and not use their products ;>

On a good day signature-based NIDS cost organizations money to run for no
actionable return....On a bad day they leave the organization feeling secure
when they are not.

Dom
