Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: tqbf () secnet com
Date: Mon, 16 Feb 1998 12:02:32 -0600 (CST)
One of the major reasons why passive-listening ID systems have been getting so much hype is that they are being advertised as a way to detect attacks that may originate inside the network perimeter protected by the conventional firewall. In other words the claim is that they provide threat detection
AMEN. TESTIFY, BROTHER CARDON!

A spiel we have already received from a vendor that shall remain nameless is that attacks involving forged internal addresses, or forged link-layer addresses, are "unrealistic" given the threat model that ID systems attempt to address.

Something worth remembering is that our results take a major bite out of the claim that ID systems are useful against a skilled internal attacker. Someone in your organization that wants to attack you without being detected by an IDS will just forge two-way traffic and confuse the IDS completely. This is the area where I see passive network IDS as being the least useful.

-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf "mmm... sacrilicious"