IDS mailing list archives
RE: SourceFire RNA
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 2 Dec 2003 11:44:30 -0500
I wouldn't say "reactive security practices don't work." There's absolutely no way to cover all the bases in advance, and that's just how life is; you have to have a reactive capability to be secure. Relying entirely on reactive measures is a bad idea, but that's true of almost any aspect of security. To rely solely on proactivity is also insufficient, but that doesn't mean that being proactive is bad. The point here is for a system to learn about a network without (1) making itself apparent on the network, and (2) possibly disrupting the network with traffic that it generates. In very large environments, it is theoretically possible that one machine may remain quiet and be overlooked until it gets a hostile probe... but does that mean that the added protection given to the other thousand hosts is now worth nothing, just because Snort is reactive?
-----Original Message-----
From: Renaud Deraison [mailto:deraison () nessus org]
Sent: Tuesday, December 02, 2003 11:36 AM
To: Rob Shein
Cc: 'Lior Tal'; focus-ids () securityfocus com
Subject: Re: SourceFire RNA

On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
> The answer to this is simple. All machines make some kind of noise on the network, from an IDS-centric view. If the machine doesn't have any interaction, ever, with anything, then it's not really important from the IDS point of view, because it can't be breached WITHOUT interaction. Even if the first traffic involving that machine is an attack or scan, at that point the machine becomes at least as visible to the IDS as it is to the attacker.

Waiting for an attack is not necessarily a good strategy either - just think about all the worms that have been plaguing our last summer vacations these last few years. Reactive security practices simply don't work.

If the host does not interact with the rest of the network, that does not make it more benign than any other one on the network - quite the contrary actually, as it suggests that it never downloaded any patch.

-- Renaud
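The passive discovery that Rob describes (learning hosts, listeners and platform from traffic the sensor merely observes, without sending anything) can be shown in miniature. The script below is an added example written for this archive page; it is not code from the thread, from Snort or from SourceFire RNA. It parses raw IPv4/TCP packets, records every address that sends or is targeted, treats a SYN-ACK as proof of a listening port, guesses the platform family from the initial TTL (an assumed, deliberately coarse 64/128/255 mapping), and marks hosts that never spoke and only ever appeared as the target of a probe, which is exactly the "quiet machine overlooked until it gets a hostile probe" case. All packet bytes are constructed inline with checksums left at zero; they are sample input, not packets to put on a wire.

```python
"""Toy passive host inventory from observed IPv4/TCP packets (added example)."""
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Assumption: map an observed TTL to the nearest common initial TTL.
# Real passive fingerprinting also uses window size and TCP option order.
OS_BY_TTL = {64: "linux/bsd-like", 128: "windows-like", 255: "network-device-like"}


def guess_initial_ttl(ttl):
    for init in (64, 128, 255):
        if ttl <= init:
            return init
    return 255


def parse_ipv4_tcp(frame):
    """Return (src, dst, ttl, sport, dport, flags) for a raw IPv4+TCP packet
    without link layer; None for non-IPv4, non-TCP or truncated input."""
    if len(frame) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(frame) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    return (".".join(map(str, src)), ".".join(map(str, dst)), ttl, sport, dport,
            off_flags & 0x1FF)


def passive_inventory(frames):
    """Build a host table purely from observed frames; never transmits."""
    hosts = defaultdict(lambda: {"talked": False, "os_guess": None,
                                 "listening": set(), "probed_by": set()})
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            continue
        src, dst, ttl, sport, dport, flags = parsed
        h = hosts[src]
        h["talked"] = True
        h["os_guess"] = OS_BY_TTL[guess_initial_ttl(ttl)]
        if flags & SYN and flags & ACK:
            h["listening"].add(sport)          # a SYN-ACK proves a listener
        elif flags & SYN:
            hosts[dst]["probed_by"].add(src)   # dst is at least a target
    # "silent": only ever seen as the target of probes, never sent a packet
    return {ip: dict(info, silent=not info["talked"]) for ip, info in hosts.items()}


def build_ipv4_tcp(src, dst, ttl, sport, dport, flags):
    """Construct minimal sample input (constructed data, zero checksums)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


# Constructed capture: a client opens a web connection, the server answers,
# a scanner probes a host that never replies, plus one non-TCP datagram.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.10", 63, 40000, 80, SYN),
    build_ipv4_tcp("10.0.0.10", "10.0.0.5", 127, 80, 40000, SYN | ACK),
    build_ipv4_tcp("10.0.0.7", "10.0.0.99", 64, 50000, 445, SYN),
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                bytes([10, 0, 0, 7]), bytes([10, 0, 0, 255])) + b"\x00" * 8,
]


def sample_inventory():
    return passive_inventory(SAMPLE_FRAMES)


if __name__ == "__main__":
    for ip, info in sorted(sample_inventory().items()):
        print(ip, info)
```

The silent host (10.0.0.99 in the sample) shows the trade-off both sides of the thread are circling: a passive sensor learns that it exists only when someone probes it, at which point it knows exactly what the attacker knows and no more; an active scanner would have found it earlier at the cost of generating traffic of its own.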
Current thread:
- SourceFire RNA Lior Tal (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- RE: SourceFire RNA Lior Tal (Dec 03)
- Re: SourceFire RNA Martin Roesch (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 02)
- RE: SourceFire RNA Rob Shein (Dec 02)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)
- Re: SourceFire RNA Jason (Dec 03)
- Re: SourceFire RNA Renaud Deraison (Dec 03)