IDS mailing list archives
Re: Rather funny; looks like page defacement to me
From: <broyds () rogers com>
Date: Fri, 13 Jun 2003 15:48:16 -0400
In general, they are perfectly correct. Most IDS installations are very expensive packet sniffers because most installations know so little about their enterprise network that they are unable to tune it in any meaningful way or design and place the sensors to monitor meaningful traffic. I am not saying the IDS are always useless, but they are most useful as part of a well-designed network that partitions traffic so that there is a good baseline understanding of what traffic should appear on each segment.

Interestingly, they denigrate Intrusion Prevention Systems and hail firewalls, when an IPS is really a firewall with a dynamically generated rule set. Most of us would agree that an internal office network requires a firewall between it and the Internet. The firewall normally only has a static rule set that basically only guarantees that TCP virtual circuits have correct TCP semantics and, for application gateways, that the traffic follows the protocol RFC. Most attacks these days are not at the layer 2/layer 3 level guarded by a firewall, but at layer 7 or above, using the fact that application protocols like HTTP, FTP, SMTP etc. have enough holes in them that a perfectly standards-conforming stream can be used to attack a host at the end of the stream.

Most IDS are still installed by people who don't even understand TCP/IP, let alone HTTP, or the proprietary stuff coming from Real Networks or Microsoft. How are they going to properly tune an IDS to avoid wasting a lot of time and effort on false positives or, conversely, ignoring everything so the IDS has no teeth? So most IDS systems are a waste of money. They may be useful if they are installed by an MSSP who actually understands security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we need one.
From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link posted on the snort site. I figured I'd send it to the list, since it's a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous some claims are. For instance, did you know that IDS actually _cause_ incident response to happen? :-) Or this gem: "Money Slated for Intrusion Detection Should Be Invested in Firewalls"?

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------