IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rather funny; looks like page defacement to me

From: <broyds () rogers com>
Date: Fri, 13 Jun 2003 15:48:16 -0400
In general, they are perfectly correct.
Most IDS installations are very expensive packet sniffers because most installations know so little about their 
enterprise network that they are unable to tune it in any meaningful way or design and place the sensors to monitor 
meaningful traffic.
   I am not saying the IDS are always useless, but they are most useful as part of a well designed network that 
partitions traffic so that there is a good baseline understanding of what traffic should appear on each segment. 
   Interestingly, they denigrate Intrusion Prevention Systems and hail firewalls, when an IPS is really a firewall with 
dynamically generated rule set. Most of use would agree that an internal office network requires a firewall between it 
and the Internet. The firewall normally only has a static rule set that basically only guarantees that TCP virtual 
circuits have correct TCP semantics and , for application gateways, that the traffic follows the protocol RFC.  Most 
attacks these days are not at the layer 2/layer 3 level guarded by a firewall, but at layer 7 or above, using the fact 
that Application protocols like HTTP, FTP, SMTP etc. have enough holes in them that a perfectly standards conforming 
stream can be used to attack a host at the end of the stream.
  Most IDS are still installed by people who don't even understand TP/IP, let alone HTTP, or the proprietary stuff 
coming from Real Networks or Microsoft. How are they going to properly tune an IDS to avoid wasting a lot of time and 
effort on false positives or, conversely, ignoring everything so the IDS has no teeth. 
  So most IDS systems are a waste of money. They may be useful if they are installed by a MSSP who actually understands 
security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we 
need one.



From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link posted on the snort site. I figured I'd send it to the list,
since its a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous some
claims are. For instance, did you know that IDS actually _cause_ incident
response to happen? :-) Or this gem : "Money Slated for Intrusion
Detection Should Be Invested in Firewalls"?

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities 
- including intrusion identification, relevancy, direction, impact and analysis 
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------






-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities 
- including intrusion identification, relevancy, direction, impact and analysis 
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: