Firewall Wizards mailing list archives
RE: Automated IDS response
From: "Russ Wolfe" <rwolfe () hxcorp com>
Date: Tue, 15 Feb 2000 22:39:59 -0500
One more point, a FW-IDS system that re-configures itself affords the opportunity for the disruption of legitimate traffic by posing as legitimate addresses doing illegitimate things...a whole new spin on DOS ;)
Russ Wolfe
Halifax Corporation
<<< "Marcus J. Ranum" <mjr () nfr net> 2/15 11:52a >>>
Crumrine, Gary L wrote:
> When IDS systems first hit the streets a couple of years ago, I think many were caught up in all the GA-GA bells and whistles marketing hype that accompanied their release. After some time to evaluate the products and adjust our thought processes on how they are implemented, I think we have come full circle on their usefulness and I know we are a lot wiser in our implementation.
Amen to that, brother Crumrine! :) And it's about time, too. A lot of the early IDS' promised things that were patently ridiculous - kind of like the early generation of firewalls did. ("If you have a firewall, you don't need to worry about the security of the rest of your network...") Now I think a lot of reality has set in. People have discovered that IDS is a useful tool if deployed correctly, and that it is valuable for learning what's going on inside and out of the network, but nobody expects that it'll somehow act like William Gibson-esque "ICE" and automatically "heal" a broken network or backtrack and destroy the bad guys.
> I for one now tend to back off from allowing a product to automatically modify my configurations in response to something that has the potential to be malicious. Sounds a bit like jumping at shadows.
Yup. There's also an analogy here to firewalls. :) Having a firewall that automatically modifies its configuration is also a bad thing.
> I lean towards manual corrective measures that are a result of some form of human thought process and analysis. Guess I am afraid of AI being introduced at this level. In theory, it sounds like a great idea, but it rarely works out in real life. At least to the degree that would make me comfortable with it. Maybe someday...
If there was "real" AI it would be OK. But I think machine intelligences won't happen for a while and, if they do, they will be too expensive to have sitting watching a network. ;) (If I had a machine intelligence I'd teach it to be a stock day-trader not an IDS...)
> Right now, I trust a human more than a brick.
Those are very different technologies. ;) You can trust a brick much better than a human if what you're doing is building a garage. Humans are terrible structural components. ;) Bricks are pretty bad network managers, tho.
mjr.