Firewall Wizards mailing list archives
Re: Intrusion Detection
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 14 Apr 1998 19:17:01 -0400
Aleph One wrote:
To me the big open question in ID is "why?" not "what?"

Because if you do not alert the user that he is under attack by the attacks that you can detect and evade he will never know when the hacker moves on to some new attack your gizmo does not know about yet.
That's what I'm talking about. IDS' useful role is as a backstop against intrusions that have succeeded, not as frontal armor against known attacks which (most likely) won't succeed. Note that most of the current IDS products on the market are the "frontal armor" type.

I guess I'm doing a lousy job of explaining myself (chalk it up to fatigue) -- the place where IDS are valuable is as automated tools to do what Ches used to call "Tar Babies" -- traps and alarms that are scattered within the network, to call attention to the presence of unusual activity. This DOES NOT mean that they'll catch the attack based on the attack technique used!!

I'm going to have a decent dinner and see if I can post a decent description of what I'm talking about later this evening.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr