IDS mailing list archives

Re: IDS is dead, etc

From: Scott Wimer <scottw () cylant com>
Date: Fri, 08 Aug 2003 11:15:25 -0700

Bennet,

Here's the quote about perfecty implemented firewalls that I think isgermain. Hopefully I'm not taking it out of context:

        "A perfectly implemented firewall allows no protocols
        through for which there are vulnerable implementations
        inside. That means it's impossible to implement a
        perfect firewall if you're going to allow Windows
        users to have internet access."

I may very well be putting words in your mouth (for which Iappologize) when I write about the silliness of expecting that anyprotocol will be implemented vulnerability free -- on any platform.


Bennett Todd wrote:

I've heard of one device that I can believe can alert on a
heretofore totally unknown exploit. Not all of 'em, of course, but
some. That's Mazu Networks's enforcer/profiler gizmos. I myself
wouldn't call 'em an IDS, I think they're something different, much
more valuable, and their IDS functionality is the smallest part of
what they're good at. To my tastes, their host classification and
"what-if" modelling are the really hot capabilities. If they were as
affordable as an IDS, then I think they'd help bolster your claim,
but they really are something else and different.

After a brief review of Mazu's Profiler and Enforcer docs, I'mcurrious how it handles attacks that come in via encrypted means.

I'm not convinced that a NIDS can be more than a network managementtool. With the caveat for things like floods of various types. Fromwhat I've seen, to detect and respond to all categories of exploits ina timely manner requires some sort of defense mechanism implemnted atthe host. This prejudice may come from the work we do on host basedIPS systems though. But, it's the only way I've seen to reliably stopexploits whether they are previously known or not.


Regards,
scottwimer
--
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 301-0370                        Moscow, ID 83843
There is no Security without Control.


---------------------------------------------------------------------------

Captus Networks - Integrated Intrusion Prevention and Traffic Shaping- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans

- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

Current thread:

RE: IDS is dead, etc, (continued)
- - RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
  - Re: IDS is dead, etc Sebastian Schneider (Aug 07)
  - Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
    - Re: IDS is dead, etc Bennett Todd (Aug 08)
    - Re: IDS is dead, etc Sam f. Stover (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - RE: IDS is dead, etc Security Conscious (Aug 11)
    - Re: IDS is dead, etc Jason Haar (Aug 11)
    - Re: IDS is dead, etc Frank Knobbe (Aug 11)
    - RE: IDS is dead, etc Bob Buel (Aug 11)
    - Re: IDS is dead, etc Barry Fitzgerald (Aug 11)
    - Belaboring the point of FPs Paul Schmehl (Aug 12)
    - Re: Belaboring the point of FPs Martin Roesch (Aug 13)
    - Message not available
    - Off-Topic: perfect firewall (was Re: IDS is dead, etc) Bennett Todd (Aug 11)
- RE: IDS is dead, etc JAVIER OTERO (Aug 12)

(Thread continues...)