Firewall Wizards mailing list archives

Re: INtrusion Detection


From: Aleph One <aleph1 () dfw dfw net>
Date: Tue, 17 Feb 1998 11:34:14 -0600 (CST)

On Tue, 17 Feb 1998, Gary Crumrine wrote:

> I started a similar thread a few days ago on the IDS list, and it seems to
> have spilled over to here.
>
> One thing that I have noticed is that we tend to deal in absolutes...  A
> product has to meet x,y,z absolutely or it is considered BAD.  I totally
> disagree with that thought stream.  Take a look at the needs of a bank
> vs. the little shop down the block that wants to protect their ten-employee
> Internet connection.  Whose needs are more?  I think that the first answer
> is both are equal.  But the poor guy doesn't have the $ to spend like the
> bank.  He needs something... so he is willing to accept more of a risk, and
> use something less robust, i.e. costing less.  It makes damn good sense to me
> to recommend a product that may be less robust, but affordable, in lieu of
> him going totally without.....
>
> I think we are becoming too closed-minded these days.  We need to root out
> solutions, not attack each other's ideas.
> My 2 cents worth

I would disagree. It is not that we are becoming more closed-minded; the
problem is that there is no way to measure the effectiveness of a security
solution. There is no measuring stick. NCSA certification is a joke. If we
were to believe every firewall or IDS vendor, their software is as good or
better than the next guy's and can protect both the little guy and the
large banks equally.

It was not until the SNI paper that some light was shed on the basic
design flaws and vulnerabilities of network IDSs. Before it, every IDS
vendor would claim their software was not vulnerable. How can one
recommend a product over another without having such information?

              Vern

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 


