IDS mailing list archives
Re: Network IDS
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 21 Aug 2003 10:42:51 -0400
Comments inline:

Andreas Krennmair wrote:
> Then a NIDS is not the right thing for you. Network Intrusion Detection is not about protecting systems.
I disagree. Yes, it would seem like something of a waste of resources to protect a single server/system with an NIDS sensor. But, if that particular system or group of systems is mission critical, then a NIDS is precisely what you need. So, even in that situation, I can see someone deploying a sensor to detect network traffic based attacks.
Now, the semantic argument that says that "NIDS is not about protecting systems" basically states that NIDS is about protecting networks. Factually, this is true - Host IDS is about protecting a *system* and NIDS is about detecting intrusions over the network. But never, ever, ever, ever forget that a network is composed of a group of systems.
I don't protect my network because I care about the condition of my cat5 cables or my switches (although, clearly, I do), I protect my network with NIDS sensors because I care about the systems on the other side of those cables.
So yes, NIDS is absolutely about protecting systems!
> Put the servers into a demilitarized zone and turn off any network services that are running on the workstations/thin clients.
That's not even nearly enough protection. For full system protection, he should be deploying a Host IDS on the servers/systems he's defending... but an NIDS is a really good idea for detecting attacks that happen over the line. What if someone compromises the system and kills the HIDS and deletes the logs in the middle of the night?
Just placing the machine in the demilitarized zone and shutting down unneeded services is probably what he's already doing. Even just placing an HIDS on the system isn't enough for truly mission critical systems.
-Barry