Firewall Wizards mailing list archives
Re: Intrusion Detection Systems, Best of breed?
From: Lance Spitzner <lance () honeynet org>
Date: Mon, 24 Dec 2001 22:06:25 -0600 (CST)
On Mon, 24 Dec 2001, Talisker wrote:
> Ofir is absolutely right (as always) the IDS defence in depth approach is best, I steered clear of it in my original post so as not to confuse too much, (but NIDS is still the IDS of choice and offers more hits per pound)

heh heh, can't pass this up. Since we are talking about defence in depth, how about the use of honeypot technologies to add to detection? Honeypots have the advantage of reducing false positives while capturing false negatives. Thoughts?

lance

> is extremely valuable but needs more TLC than a NIDS, (hmm depending upon how much control you have over how the host monitored is configured) AIDS are also a very nice tool the main HIDS I have played with has it built in, with some heuristics thrown in for good measure. When looking to deploy HIDS and NIDS it's worth considering Hybrid IDS which combine the 2 at host level, though there are very few products offering this. A very important consideration these days is Network Node IDS which is basically a central reporting personal firewall. The USAF have reportedly just purchased 500,000 of them for their desktops. To reduce cost I would suggest only placing these on servers.
>
> Ron said, "They tend to be noisy little beasts, that send out false alarms and positives till your security staff goes numb" I agree but I still like to see a NIDS outside the firewall, not necessarily to react to, but for stats to spot changing trends and also for the security staff to see the threat. Though given an "either or" choice I'd always opt for inside the firewall.
>
> Marcus said about HIDS "(what happens when the underlying O/S crashes from a DOS attack?)" then you can bring in a network management tool that pings your critical devices periodically, once again it's just another piece of information in that defence in depth scenario. NOTE I'm still not advocating SNMP <v3
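Lance's claim above (honeypots cut false positives because nothing legitimate should touch them, and catch attacks a signature NIDS misses) as an added illustration that is not part of the thread: a toy signature NIDS and a honeypot detector scored over constructed flow records, with the addresses, signatures and payloads all made up for the example.

```python
# Added example, not from the thread: a toy signature NIDS beside a honeypot
# detector, run over constructed flow records, to show where each one errs.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: bytes
    is_attack: bool  # ground truth, known only because the sample is constructed

# Constructed addresses: 10.0.0.250 has no production role, so it is the honeypot.
HONEYPOT = {"10.0.0.250"}

# Toy signature set; real NIDS rules are richer, but are still keyed on known patterns.
SIGNATURES = {"cmd-probe": b"/cmd.exe", "root-login": b"USER root"}

def nids_alerts(flows):
    """Signature NIDS: alert only when a known pattern appears in the payload."""
    return [f for f in flows if any(p in f.payload for p in SIGNATURES.values())]

def honeypot_alerts(flows):
    """Honeypot: any flow to a honeypot address is an alert; no signature needed."""
    return [f for f in flows if f.dst in HONEYPOT]

def combined_alerts(flows):
    """Defence in depth: either detector firing counts as an alert."""
    return list({*nids_alerts(flows), *honeypot_alerts(flows)})

def score(flows, detector):
    """Count false positives (alerted but benign) and false negatives (attack, no alert)."""
    alerted = set(detector(flows))
    fp = sum(1 for f in flows if f in alerted and not f.is_attack)
    fn = sum(1 for f in flows if f not in alerted and f.is_attack)
    return {"alerts": len(alerted), "false_positives": fp, "false_negatives": fn}

# Constructed traffic sample, one flow per line.
FLOWS = [
    Flow("192.0.2.7", "10.0.0.10", b"GET /scripts/cmd.exe?/c+dir", True),  # known probe: NIDS catches it
    Flow("10.0.0.5", "10.0.0.11", b"USER root", False),                     # admin FTP login: NIDS false positive
    Flow("198.51.100.9", "10.0.0.10", b"GET /new?x=AAAA", True),            # novel attack on prod: both miss it
    Flow("198.51.100.9", "10.0.0.250", b"GET /new?x=AAAA", True),           # same sweep hits the honeypot: caught
]

if __name__ == "__main__":
    print("NIDS    ", score(FLOWS, nids_alerts))      # {'alerts': 2, 'false_positives': 1, 'false_negatives': 2}
    print("honeypot", score(FLOWS, honeypot_alerts))  # {'alerts': 1, 'false_positives': 0, 'false_negatives': 2}
    print("combined", score(FLOWS, combined_alerts))  # {'alerts': 3, 'false_positives': 1, 'false_negatives': 1}
```

The honeypot's single alert is the sweep that no signature matched, which is the false negative the NIDS alone would have left; its only cost is that it sees nothing aimed solely at production hosts.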
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Intrusion Detection Systems, Best of breed? ROB SLAUGHTER (Dec 14)
- Re: Intrusion Detection Systems, Best of breed? Talisker (Dec 22)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 23)
- RE: Intrusion Detection Systems, Best of breed? Predrag Zivic (Dec 23)
- Re: Intrusion Detection Systems, Best of breed? Stephen P. Berry (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? Predrag Zivic (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Predrag Zivic (Dec 23)
- RE: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 23)
- Re: Intrusion Detection Systems, Best of breed? Talisker (Dec 24)
- Re: Intrusion Detection Systems, Best of breed? Lance Spitzner (Dec 25)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Marcus J. Ranum (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Ofir Arkin (Dec 26)
- RE: Intrusion Detection Systems, Best of breed? Lance Spitzner (Dec 27)
- RE: Intrusion Detection Systems, Best of breed? franks (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? Robin S. Socha (Dec 26)
- Re: Intrusion Detection Systems, Best of breed? R. DuFresne (Dec 26)
- Re: Intrusion Detection Systems, - Honeypots? Lance Spitzner (Dec 27)