Firewall Wizards mailing list archives

RE: Top-down vs. bottom up (IDS) management


From: Gary Crumrine <gcrum () us-state gov>
Date: Wed, 22 Apr 1998 14:00:17 -0400

Finally, someone was able to formulate an educated, rational response that 
was not based on opinions, marketing hype, product positioning, etc.  I have 
to admit that I have probably been the most vocal of the pro-IDS crowd, 
and I would like to take this time to apologize to Marcus for being a 
little too vocal in my opinions.

IDS systems that exist today, for the most part, do exactly what William is 
talking about.  Although some do better jobs than others, I have not seen a 
single product that combines all the good attributes together into one 
comprehensive tool.  I guess we can hope, and look for someone to take the 
lead on this.

One point that was made earlier is that IDS technology as we know it today 
is not the end-all answer to everyone's prayers, just as one firewall is 
not the perfect solution in all cases.  Otherwise, all we would have is one 
black box, plug-and-play device.  Maybe someday, but not now.  I have not 
heard anyone say that they are 100 percent safe, although many people who 
are critical of their usefulness would like you to think so.  Of course, 
firewall vendors do not make that claim either, for obvious liability 
reasons.

The thing I find useful about them is that they allow me to turn my 
attention elsewhere, until something like an alarm gets my attention. 
Every one of these things I have seen has been able to adjust thresholds, 
so I can cut down on the false alarms.  Just like firewalls, it takes some 
time working with the product to be able to fully understand the technology 
and its quirks.  For this reason I do not place a lot of faith in the so-called 
testing and reports that have been done recently.  Not to criticize the 
reports, the technical expertise of the testers, or the methodology used, 
but mostly because I do not think we all understand the usefulness fully, 
and I think the real measure of usefulness is yet to be determined.

I use tools to accomplish many things.  I see an IDS much like COPS, 
TRIPWIRE, ISS, REAL SECURE and others.  They are all tools to help me do my 
job.  An IDS is the same thing.  A tool to help me do my job.

I have read the humorous ditty "100 ways to beat your IDS," or something like 
that.  Sure, if an attacker knows you are running a particular IDS, it may 
give him a bit of an edge, but I think, just like knowing which OS you are 
using, or knowing what version of sendmail, or other such juicy targets, it 
helps them know where to start.  But as I understand IDS, it usually is in 
lurker mode, and may not be evident.  Therefore, I do not think the use of 
an IDS will significantly add to your zone of vulnerability.  It makes for 
good reading, but in practice may not be as useful as I would be led to 
believe.

I find worth in what we have today, and look forward to better tools of 
tomorrow.

-----Original Message-----
 <snip> 

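The point above about adjusting thresholds to cut down on false alarms, shown as an added example that is not part of the original message and is not code from any of the products it names. It assumes a simple rate rule of the kind a network IDS might carry (alert when one source touches at least N distinct destination ports inside a 10-second window); the rule, the log format, the hosts and the connection events are all constructed for illustration. Running the same constructed traffic through the rule at several thresholds shows what the post describes: a low threshold catches the scanner but also fires on a busy, benign client, a higher one keeps the detection and drops the false alarm, and a threshold set too high misses the scanner entirely.

```python
"""Threshold tuning for a simple rate-based IDS rule (added example, hypothetical rule)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0  # assumed sliding window for the hypothetical rule


def build_sample_events():
    """Constructed connection log as (timestamp_seconds, src_ip, dst_port) tuples.

    10.0.0.5 is a port scanner: 40 distinct ports in 10 seconds.
    10.0.0.9 is a busy but benign client cycling through 8 services, one connection per second.
    10.0.0.7 is a slow host touching one new port every 5 seconds.
    All three hosts and their traffic are invented for this example.
    """
    scanner = [(i * 0.25, "10.0.0.5", 1000 + i) for i in range(40)]
    busy_ports = [80, 443, 25, 53, 110, 143, 993, 995]
    busy = [(float(i), "10.0.0.9", busy_ports[i % len(busy_ports)]) for i in range(60)]
    slow = [(5.0 * i, "10.0.0.7", 2000 + i) for i in range(12)]
    return sorted(scanner + busy + slow)


def detect(events, threshold, window=WINDOW_SECONDS):
    """Alert when a source has touched at least `threshold` distinct ports within `window` seconds.

    Returns a list of (src_ip, timestamp, distinct_ports). A source is re-alerted at most once
    per window so a sustained scan does not flood the operator with duplicate alarms.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, port) still inside the window
    last_alert = {}              # src_ip -> timestamp of the most recent alert for that source
    alerts = []
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and q[0][0] <= ts - window:  # expire entries that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and (src not in last_alert or ts - last_alert[src] >= window):
            last_alert[src] = ts
            alerts.append((src, ts, distinct))
    return alerts


def evaluate(events, threshold, known_bad, window=WINDOW_SECONDS):
    """Split the sources the rule flagged into detections, false alarms and misses.

    `known_bad` is the set of sources the analyst has labelled as real attackers.
    """
    flagged = {src for src, _, _ in detect(events, threshold, window)}
    return {
        "detected": flagged & known_bad,
        "false_alarms": flagged - known_bad,
        "missed": known_bad - flagged,
    }


if __name__ == "__main__":
    events = build_sample_events()
    known_bad = {"10.0.0.5"}
    for threshold in (5, 10, 20, 50):
        result = evaluate(events, threshold, known_bad)
        print(f"threshold={threshold:>2}: detected={sorted(result['detected'])} "
              f"false_alarms={sorted(result['false_alarms'])} missed={sorted(result['missed'])}")
```

The sweep in the `__main__` block is the tuning loop an operator actually runs: replay a stretch of known traffic, label the sources that were real, and pick the lowest threshold that keeps the known attackers in `detected` while leaving `false_alarms` empty. With this constructed traffic that is anywhere between 9 and 40 distinct ports per window; a real deployment would replay days of its own traffic rather than sixty seconds of invented events.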