IDS mailing list archives
Re: Changes in IDS Companies?
From: Aaron Turner <aturner () pobox com>
Date: Mon, 28 Oct 2002 18:07:30 -0800
On Mon, Oct 28, 2002 at 09:23:04AM -0500, Matt Harris wrote:
There's also the option of using a non-inline style IDS, but having it utilize an in-line device which should, theoretically, already be present on your network border to handle blocking of traffic (such as router ACL's, which is what Cisco's IDS does by default, or adding and managing temporary firewall rules, etc). This seems to work well, and since the actual IDS work is done on a different host than the network traffic passing, the actual performance hit is very limited in that you won't see more of a hit than you will if you were using ACL's or firewall rules anyways, which most security-concious folk are.
A number of problems with this: 1) Futzing with router ACL's or firewall policies via your IDS is not granular. They don't drop a specific connection (the attack) but rather all traffic on a given port for a client/server. This can have very ugly effects for legit traffic. 2) It's too late. The attack has already reached the target. Consider something like jill.c which exploits the IIS-ISAPI buffer overflow and opens a connection back to the attacker on another port and you'll quickly understand why this method of "protection" is more hype than reality. 3) Many attacks are internal. Most firewalls are at the border, hence there's nothing the firewall can do, unless you (re)deploy more firewalls. Note that TCP resets that some vendors claim as intrusion protection are even worse. Not only is it only effective against TCP, but you've got to get the reset inside the window. This sounds simple until you consider many attacks come from the internal employees on your high-speed LAN. -- Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery.
Attachment:
_bin
Description:
Current thread:
- Re: Changes in IDS Companies?, (continued)
- Re: Changes in IDS Companies? Clint Byrum (Oct 17)
- Re: Changes in IDS Companies? Stephane Nasdrovisky (Oct 18)
- Re: Changes in IDS Companies? scottw (Oct 18)
- Re: Changes in IDS Companies? Clint Byrum (Oct 17)
- RE: Changes in IDS Companies? tcleary2 (Oct 17)
- FW: Changes in IDS Companies? Avi Chesla (Oct 22)
- Re: Changes in IDS Companies? Proxy Administrator (Oct 25)
- Re: Changes in IDS Companies? Aaron Turner (Oct 25)
- Re: Changes in IDS Companies? A.S.Rajendran (Oct 25)
- Re: Changes in IDS Companies? Aaron Turner (Oct 25)
- Re: Changes in IDS Companies? Matt Harris (Oct 28)
- Re: Changes in IDS Companies? Aaron Turner (Oct 28)
- Re: Changes in IDS Companies? Matt Harris (Oct 29)
- Re: Changes in IDS Companies? Aaron Turner (Oct 29)
- Re: Changes in IDS Companies? Matt Harris (Oct 31)
- Re: Changes in IDS Companies? J. Foobar (Oct 31)
- Re: Changes in IDS Companies? Martin Roesch (Oct 31)