IDS mailing list archives

RE: SourceFire RNA


From: "Rob Shein" <shoten () starpower net>
Date: Tue, 2 Dec 2003 11:44:30 -0500

I wouldn't say "reactive security practices don't work."  There's absolutely
no way to cover all the bases in advance, and that's just how life is; you
have to have a reactive capability to be secure.  Relying entirely on
reactive measures is a bad idea, but that's true of almost any aspect of
security.  To rely solely on proactivity is also insufficient, but that
doesn't mean that being proactive is bad.  The point here is for a system to
learn about a network without 1, making itself apparent on the network, and
2, possibly disrupting the network with traffic that it generates.  In very
large environments, it is theoretically possible that one machine may remain
quiet and be overlooked until it gets a hostile probe...but does that mean
that the added protection given to the other thousand hosts is now worth
nothing, just because Snort is reactive?

-----Original Message-----
From: Renaud Deraison [mailto:deraison () nessus org] 
Sent: Tuesday, December 02, 2003 11:36 AM
To: Rob Shein
Cc: 'Lior Tal'; focus-ids () securityfocus com
Subject: Re: SourceFire RNA


On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
The answer to this is simple.  All machines make some kind of noise on the
network, from an IDS-centric view.  If the machine doesn't have any
interaction, ever, with anything, then it's not really important from the
IDS point of view, because it can't be breached WITHOUT interaction.  Even
if the first traffic involving that machine is an attack or scan, at that
point the machine becomes at least as visible to the IDS as it is to the
attacker.

Waiting for an attack is not necessarily a good strategy 
either - just think about all the worms that have been 
plaguing our last summer vacations these last few years.

Reactive security practices simply don't work. If the host 
does not interact with the rest of the network, that does not 
make it more benign than any other one on the network - quite
the contrary actually, as it suggests that it never 
downloaded any patch.


                              -- Renaud
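Added example, not code from this thread or from Sourcefire: a toy passive inventory built from constructed packet summaries. It shows both sides of the exchange above: a host that answers connections is learned from its own SYN/ACKs without a single probe being sent, while a host that never talks is absent from the table until someone sends it something, so comparing the passive table against a known-asset list (a hypothetical input here) is how a defender finds those quiet hosts.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed packet summaries: (ts, src_ip, src_port, dst_ip, dst_port, proto, tcp_flags).
# 10.0.0.20 serves HTTP and SSH; 10.0.0.42 is silent until an outside probe hits it at t=5.
SAMPLE_PACKETS = [
    (1.0, "10.0.0.5", 51234, "10.0.0.20", 80, "tcp", "S"),
    (1.1, "10.0.0.20", 80, "10.0.0.5", 51234, "tcp", "SA"),
    (2.0, "10.0.0.7", 40000, "10.0.0.20", 22, "tcp", "S"),
    (2.1, "10.0.0.20", 22, "10.0.0.7", 40000, "tcp", "SA"),
    (5.0, "192.0.2.9", 33000, "10.0.0.42", 445, "tcp", "S"),
]


@dataclass
class HostRecord:
    first_seen: float
    last_seen: float
    # Listening (proto, port) pairs inferred from the host's own SYN/ACKs.
    services: Set[Tuple[str, int]] = field(default_factory=set)
    peers: Set[str] = field(default_factory=set)


def passive_inventory(packets) -> Dict[str, HostRecord]:
    """Build a host table purely from observed traffic; nothing is ever transmitted."""
    hosts: Dict[str, HostRecord] = {}
    for ts, src, sport, dst, dport, proto, flags in packets:
        for ip in (src, dst):
            rec = hosts.setdefault(ip, HostRecord(first_seen=ts, last_seen=ts))
            rec.last_seen = max(rec.last_seen, ts)
        hosts[src].peers.add(dst)
        hosts[dst].peers.add(src)
        # A SYN/ACK from src proves a listening service without us scanning it.
        if proto == "tcp" and flags == "SA":
            hosts[src].services.add((proto, sport))
    return hosts


def unobserved_hosts(known_assets: List[str], hosts: Dict[str, HostRecord]) -> List[str]:
    """Assets from an authoritative list that passive observation has not seen yet."""
    return sorted(set(known_assets) - set(hosts))


if __name__ == "__main__":
    early = passive_inventory([p for p in SAMPLE_PACKETS if p[0] < 5.0])
    print("quiet before probe:", unobserved_hosts(["10.0.0.20", "10.0.0.42"], early))
    full = passive_inventory(SAMPLE_PACKETS)
    print("services on 10.0.0.20:", sorted(full["10.0.0.20"].services))
```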
