Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: tqbf () secnet com
Date: Mon, 16 Feb 1998 12:02:32 -0600 (CST)

> One of the major reasons why passive-listening ID systems have been getting
> so much hype is that they are being advertised as a way to detect attacks
> that may originate inside the network perimeter protected by the conventional
> firewall.  In other words the claim is that they provide threat detection

AMEN. TESTIFY, BROTHER CARDON!

A spiel we have already received from a vendor that shall remain nameless
is that attacks involving forged internal addresses, or forged link-layer
addresses, are "unrealistic" given the threat model that ID systems
attempt to address.

Something worth remembering is that our results take a major bite out of
the claim that ID systems are useful against a skilled internal attacker.
Someone in your organization that wants to attack you without being
detected by an IDS will just forge two-way traffic and confuse the IDS
completely. This is the area where I see passive network IDS as being the
least useful.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"