IDS mailing list archives
Re: IDS is dead, etc
From: Scott Wimer <scottw () cylant com>
Date: Fri, 08 Aug 2003 09:37:24 -0700
The perfect firewall is a thick chunk of brie with cat-5 cables jammed into it.
The assumption that human beings can design, write, and install software without error is WRONG. Human beings make mistakes. There is zero empirical evidence to support the idea that complex software will ever be free of vulnerabilities. zip. nada. none. zilch.
Proposing that networks can be secured by not using vulnerability-free software is tantamount to proposing we pursue perpetual motion machines to solve the environmental problems caused by petroleum use.
Unfortunately, this silly notion has been the mantra of the security industry for so long that people are starting to believe it. What a shame.
Will somebody please point me to an error-free human endeavor?

Joy,
scottwimer

Bennett Todd wrote:
[ SNIP ]
Understandable. I really shouldn't have included that remark; or else I should have expanded on it. I didn't say "properly configured firewall", I said "really perfectly implemented firewall", and I meant something different by that, although I neglected to explain. A perfectly implemented firewall allows no protocols through for which there are vulnerable implementations inside. That means it's impossible to implement a perfect firewall if you're going to allow Windows users to have internet access. You can come moderately close, with a hideous amount of work, but you'll still be very exposed, and an IDS will be critical reinforcement of your flawed security. But given suitable systems configuration, it is possible to have a perfect firewall, and if you do then an IDS is just an educational tool, and would probably be most useful in concert with a honeypot.
--
Scott M. Wimer, CTO
Cylant
www.cylant.com
121 Sweet Ave., Suite 123
Moscow, ID 83843
v. (208) 883-4892
c. (208) 301-0370
There is no Security without Control.
Current thread:
- Re: IDS is dead, etc, (continued)
- Re: IDS is dead, etc Bennett Todd (Aug 06)
- Re: IDS is dead, etc maz (Aug 07)
- Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
- RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
- Re: IDS is dead, etc Sebastian Schneider (Aug 07)
- Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
- Re: IDS is dead, etc Bennett Todd (Aug 08)
- Re: IDS is dead, etc Sam f. Stover (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- RE: IDS is dead, etc Security Conscious (Aug 11)
- Re: IDS is dead, etc Jason Haar (Aug 11)
- Re: IDS is dead, etc Frank Knobbe (Aug 11)
- RE: IDS is dead, etc Bob Buel (Aug 11)
- Re: IDS is dead, etc Barry Fitzgerald (Aug 11)