IDS mailing list archives

Re: Is IDS/IPS worthless?


From: Michael Stone <mstone () mathom us>
Date: Sat, 21 Feb 2004 10:40:54 -0500

On Fri, Feb 20, 2004 at 08:31:56AM -0800, Andrew Plato wrote:
> What is happening here?  Anybody have any idea why there is a growing
> "anti-IDS" attitude?

Because they're very resource intensive with no clear benefit. You can
get by in most IT projects with someone who's barely competent and get
some kind of useful result. (E.g., the network admin managed to plug
cables into a switch and pass traffic.) The best a barely competent IDS
admin with an out-of-the-box IDS config can say is "look, we're being
attacked". And the bottom line is that, all claims of "characterizing
network activity" aside, nobody really cares to know that their network
is being attacked. Even without an IDS I can tell you that your network
is being attacked *right now*. The thing I really want to know is
whether any of the attacks are succeeding--and that's something that
takes a lot more time, skill, and product configuration. IDS vendors
have shot themselves in the foot by creating a lot of signatures that do
nothing more than go "ding!" when they see an attack packet--on a
reasonably busy network all you get is a lot of useless "ding!"s.

Mike Stone

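The distinction Mike draws, between an alert on an attack packet and evidence that the attack got anywhere, is what correlating alerts against the target's own logs gives you. Added example, not from the original post: it pairs constructed Snort-style alert lines with constructed web-server access-log lines and grades each alert by what the server actually answered (the signature name, addresses and the assumed year 2004 are placeholders).

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not from the original thread: three alerts in a
# simplified Snort-style "fast" format and the web server's own access log.
# Signature names and addresses are placeholders.
IDS_ALERTS = """\
02/21-10:40:01.000000 [**] EXAMPLE-SIG web attack attempt [**] 203.0.113.5:41234 -> 198.51.100.10:80
02/21-10:40:07.000000 [**] EXAMPLE-SIG web attack attempt [**] 203.0.113.9:51111 -> 198.51.100.10:80
02/21-10:40:30.000000 [**] EXAMPLE-SIG web attack attempt [**] 203.0.113.77:2048 -> 198.51.100.10:80
"""
ACCESS_LOG = """\
203.0.113.5 - - [21/Feb/2004:10:40:01 -0500] "GET /admin/ HTTP/1.0" 404 287
203.0.113.9 - - [21/Feb/2004:10:40:07 -0500] "GET /admin/ HTTP/1.0" 200 1523
"""

ALERT_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] (?P<sig>.+?) \[\*\*\] "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) (?:\d+|-)$')

def parse_alert(line, year=2004):
    """Fast-format alerts carry no year, so the caller supplies one (assumed 2004 here)."""
    m = ALERT_RE.match(line)
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "sig": m["sig"], "src": m["src"]}

def parse_access(line):
    """Common Log Format; the zone offset is dropped so both logs compare as local time."""
    m = ACCESS_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "req": m["req"], "status": int(m["status"])}

def correlate(alerts_text, access_text, window_s=5):
    """Grade each alert by what the server answered the same source within window_s seconds."""
    requests = [parse_access(l) for l in filter(str.strip, access_text.splitlines())]
    window = timedelta(seconds=window_s)
    results = []
    for line in filter(str.strip, alerts_text.splitlines()):
        a = parse_alert(line)
        hits = [r for r in requests if r["ip"] == a["src"] and abs(r["ts"] - a["ts"]) <= window]
        if not hits:
            verdict = "unconfirmed"  # no server-side record: the alert alone says nothing
        elif any(200 <= r["status"] < 300 for r in hits):
            verdict = "investigate"  # the server accepted the flagged request
        else:
            verdict = "failed"       # refused by the server: a bare "ding!" with no follow-up
        results.append({"src": a["src"], "sig": a["sig"], "verdict": verdict,
                        "statuses": [r["status"] for r in hits]})
    return results
```

A 2xx answer only says the server accepted the request, not that it did anything, so "investigate" is a triage priority rather than proof of compromise; the point is that the 404 cases drop out of the queue without anyone reading them.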
