IDS mailing list archives
Re: Usefulness of Network Intrusion Detection Systems
From: James Riden <j.riden () massey ac nz>
Date: Fri, 28 May 2004 13:16:20 +1200
Thomas <TheTom () UnixIsNot4Dummies ORG> writes:
>>> Additionally companies do not care much about switches, routers or web-servers. Sure they got bad PR if it is compromised or turned off but there is no direct loss of money connected with it.
>>
>> Apart from n hours of my time investigating and fixing the problem, usually at overtime rates? Potential compromise of confidential data? The cost of having staff sitting around while critical servers are down?
>
> No problem, the staff is already there and paid. :)

The security staff are paid the same no matter how much overtime they do? I find at least half of incident response happens out-of-hours.

>> The IDS I run is an integral part of the detection and response to network threats. Of course I do as much as I can about prevention, but on a large network where everyone wants to be relatively free, you will have compromises and attempted attacks; especially from worms such as Blaster, Welchia, Sasser and Slammer.
>
> You talk about "attempted attacks". Information about several hundred unsuccessful attacks from a worm is no information, just noise.

My IDS is in my internal network. I happen to care very much about attempted attacks that come from the internal network, at whatever layer of the OSI model. Attempts are symptoms and I need to understand the underlying problem as quickly as possible. You're right in that I don't care about the attacks that get stopped by the firewall, and I don't really monitor them either. I should say we have a fairly open internal network, being a University, and so I can't lock things down in the way that some corporates do. That means more emphasis on detection and response rather than prevention. The IDS has been incredibly useful in monitoring cracking and worm activity on the internal network; and that has always been at the application level. During the last worm incident, it was also attempting to block and disinfect problem hosts. At a very rough guess, our IDS has already saved more money than it has cost to buy, set-up and run.

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
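The point made in the reply above, that hundreds of "unsuccessful" worm attempts are noise only until they are grouped by the internal host that generated them, is easy to show in code. The following is an added example and not part of this thread or of any IDS product: it reads constructed Snort-style "fast" alert lines (the addresses, timestamps and signature names are made up), drops alerts whose source is external (the ones the perimeter firewall is expected to handle), and groups the rest by internal source so that a single host hitting many targets with the same signature stands out as the probable infected machine. The internal address ranges are an assumption standing in for a site's real allocation.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in a Snort-style "fast" format. Addresses,
# timestamps and signature names are hypothetical, not captured data.
SAMPLE_ALERTS = """\
05/28-09:01:10.112 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Priority: 1] {TCP} 10.1.5.23:1057 -> 10.1.7.4:135
05/28-09:01:10.342 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Priority: 1] {TCP} 10.1.5.23:1058 -> 10.1.7.5:135
05/28-09:01:10.560 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Priority: 1] {TCP} 10.1.5.23:1059 -> 10.1.7.6:135
05/28-09:01:11.003 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 203.0.113.9:4321 -> 10.1.9.2:1434
05/28-09:01:12.777 [**] [1:2192:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Priority: 1] {TCP} 10.1.5.23:1060 -> 10.1.7.7:135
05/28-09:02:30.001 [**] [1:1000001:1] Hypothetical policy violation [**] [Priority: 3] {TCP} 10.2.0.8:3301 -> 10.1.7.4:80
"""

# Assumption: the site's internal space is the RFC 1918 ranges. A real
# deployment would list its own allocated prefixes here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Pulls signature id, message, protocol, source and destination out of a
# fast-format line; the classification/priority fields are skipped.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for unparseable lines."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def summarize_internal_sources(lines):
    """Group alerts by internal source host.

    Returns {src: {"alerts": n, "targets": set(dst), "signatures": set(msg)}}.
    Alerts with an external source are discarded: those are the attempts the
    firewall is expected to stop and are not what this view is for.
    """
    summary = defaultdict(
        lambda: {"alerts": 0, "targets": set(), "signatures": set()}
    )
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not is_internal(alert["src"]):
            continue
        entry = summary[alert["src"]]
        entry["alerts"] += 1
        entry["targets"].add(alert["dst"])
        entry["signatures"].add(alert["msg"])
    return dict(summary)


def probable_infected(summary, min_targets=3):
    """Internal hosts that fired alerts at min_targets or more distinct
    destinations: the scanning pattern of a worm rather than a one-off."""
    return sorted(
        src for src, entry in summary.items()
        if len(entry["targets"]) >= min_targets
    )


if __name__ == "__main__":
    summary = summarize_internal_sources(SAMPLE_ALERTS.splitlines())
    for src, entry in sorted(summary.items()):
        print(f"{src}: {entry['alerts']} alerts, "
              f"{len(entry['targets'])} targets, "
              f"{len(entry['signatures'])} signatures")
    print("probable infected:", probable_infected(summary))
```

The threshold on distinct targets rather than on raw alert count is deliberate: a host that tries the same RPC bind against four different machines in two seconds is a symptom of infection regardless of whether any of those attempts succeeded, which is the sense in which the reply treats attempts as symptoms rather than noise.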
Current thread:
- Usefulness of Network Intrusion Detection Systems Thomas (May 25)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 28)
- RE: Usefulness of Network Intrusion Detection Systems Rob Shein (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Fields (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)