IDS mailing list archives
Re: Is IDS/IPS worthless?
From: Michael Stone <mstone () mathom us>
Date: Sat, 21 Feb 2004 10:40:54 -0500
On Fri, Feb 20, 2004 at 08:31:56AM -0800, Andrew Plato wrote:
> What is happening here? Anybody have any idea why there is a growing "anti-IDS" attitude.
Because they're very resource intensive with no clear benefit. You can get by in most IT projects with someone who's barely competent and get some kind of useful result. (E.g., the network admin managed to plug cables into a switch and pass traffic.) The best a barely competent IDS admin with an out-of-the-box IDS config can say is "look, we're being attacked". And the bottom line is that, all claims of "characterizing network activity" aside, nobody really cares to know that their network is being attacked. Even without an IDS I can tell you that your network is being attacked *right now*. The thing I really want to know is whether any of the attacks are succeeding--and that's something that takes a lot more time, skill, and product configuration. IDS vendors have shot themselves in the foot by creating a lot of signatures that do nothing more than go "ding!" when they see an attack packet--on a reasonably busy network all you get is a lot of useless "ding!"s.
Mike Stone