Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Paul D. Robertson" <proberts () clark net>
Date: Mon, 16 Feb 1998 19:56:05 -0500 (EST)
On Mon, 16 Feb 1998, Paul M. Cardon wrote:
> > You do not need to be a proxy to have this information. Being a proxy allows you to do network intrusion detection WITHOUT this information. The problem you need to solve at this point is "how the hell do we get this kind of information to the IDS in real time, in order to make my non-proxy sniffer IDS work."
>
> One of the major reasons why passive-listening ID systems have been getting so much hype is that they are being advertised as a way to detect attacks that may originate inside the network perimeter protected by the conventional firewall. In other words, the claim is that they provide threat detection originating from any device on the network targeting any other device on the network. However, until these systems can obtain all of the secondary information Thomas mentions above, they are severely limited in their advertised capabilities.
Hmmm, I've not thought all of this completely through yet, but how much of the original "doesn't work for IDS" stuff is valid if the IDS is on a chokepoint switch with a promiscuous port, and every other device on the switch (just routers, I'd guess) is on a port where only packets from their MAC address can come out? What are we left with as an IDS vulnerability in that scenario if we assume the routers can, and if we assume the routers can't, be compromised?

Digging for solutions...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net    which may have no basis whatsoever in fact."
PSB#9280