Firewall Wizards mailing list archives

RE: Intrusion Detection Systems, Best of breed?


From: "Ofir Arkin" <ofir () sys-security com>
Date: Tue, 25 Dec 2001 22:39:46 -0000

This might be interesting. 

According to several criteria we can order the firewall (or some other
device) to send the traffic over to another system. I like the concept,
as MJR also suggested it.

We can use some kind of "Dynamical NATing" to convert the original IP
Destination Address with the Honeypot IP Address...

Can we do this with Open Source?

Another thought, you really need to make it REAL GOOD so it will not be
detected easily. Hence, some Stack manipulations and other TCP/IP tricks
to make it look nice...


Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Lance Spitzner
Sent: Tue 25 December 2001 4:06
To: Talisker
Cc: R. DuFresne; Ofir Arkin; 'ROB SLAUGHTER'; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Intrusion Detection Systems, Best of breed?

On Mon, 24 Dec 2001, Talisker wrote:

> Ofir is absolutely right (as always) the IDS defence in depth approach is
> best, I steered clear of it in my original post so as not to confuse too
> much, (but NIDS is still the IDS of choice and offers more hits per pound)

heh heh, can't pass this up. Since we are talking about defence in depth,
how about the use of honeypot technologies to add to detection? Honeypots
have the advantage of reducing false positives while capturing false
negatives.

Thoughts?

lance


> is extremely valuable but needs more TLC than a NIDS, (hmm depending upon
> how much control you have over how the host monitored is configured). AIDS
> are also a very nice tool; the main HIDS I have played with has it built in,
> with some heuristics thrown in for good measure. When looking to deploy
> HIDS and NIDS it's worth considering Hybrid IDS which combine the 2 at host
> level, though there are very few products offering this. A very important
> consideration these days is Network Node IDS which is basically a central
> reporting personal firewall. The USAF have reportedly just purchased
> 500,000 of them for their desktops. To reduce cost I would suggest only
> placing these on servers.
>
> Ron said, "They tend to be noisy little beasts, that send out false alarms
> and positives till your security staff goes numb". I agree, but I still like
> to see a NIDS outside the firewall, not necessarily to react to, but for
> stats to spot changing trends and also for the security staff to see the
> threat. Though given an "either or" choice I'd always opt for inside the
> firewall.
>
> Marcus said about HIDS "(what happens when the underlying O/S crashes
> from a DOS attack?)" then you can bring in a network management tool that
> pings your critical devices periodically, once again it's just another piece
> of information in that defence in depth scenario. NOTE I'm still not
> advocating SNMP <v3

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


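Ofir's suggestion above (have the firewall rewrite the destination address of traffic that matches some criteria so it lands on a honeypot, and make the honeypot itself the sensor, which is the false-positive-free detection Lance points at) can be done with open-source tooling: on Linux, netfilter's DNAT target does the rewrite. The following Python is an added example written for this archive page; it is not code from the thread or from any of its authors. It renders the iptables rules for a list of (protocol, port, source) criteria and runs a minimal TCP honeypot that records every accepted connection as an event, since no legitimate client has a reason to reach a port that hosts no service. The honeypot address 192.0.2.200, the interface name, the criteria list, the SMTP-style banner and the probe payload are all assumptions chosen for illustration. The iptables commands are returned as strings rather than executed, because applying them needs root on a netfilter host.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumed honeypot address (RFC 5737 TEST-NET-1), an illustration only.
HONEYPOT_IP = "192.0.2.200"


def dnat_rules(criteria, honeypot_ip=HONEYPOT_IP, iface="eth0", snat=False):
    """Render iptables commands that steer matching inbound flows to the honeypot.

    criteria: iterable of (proto, dport, src); src is a CIDR or None for any
    source. Each entry is a port (optionally from a given source range) that
    carries no real service here, so anything hitting it gets redirected.
    Replies are un-DNATed by conntrack as long as they pass back through this
    host; set snat=True only when the honeypot's route to the attacker would
    bypass the firewall, accepting that the honeypot then logs the firewall's
    address instead of the attacker's.
    """
    rules = []
    for proto, dport, src in criteria:
        match = f"-i {iface} -p {proto} --dport {dport}"
        if src:
            match += f" -s {src}"
        rules.append(f"iptables -t nat -A PREROUTING {match} "
                     f"-j DNAT --to-destination {honeypot_ip}")
    if snat:
        rules.append(f"iptables -t nat -A POSTROUTING -d {honeypot_ip} -j MASQUERADE")
    return rules


class Honeypot:
    """Minimal TCP honeypot: a listener on a port that hosts no real service.

    Every accepted connection is recorded as an event, which is why honeypot
    hits carry almost no false positives. The banner is a decoy; a deployment
    would mimic whatever service the DNAT rule pretends to expose.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail.example.test ESMTP\r\n"):
        self.banner = banner
        self.events = []
        self._cv = threading.Condition()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:
                return  # listener closed
            first = b""
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)
                    # Keep up to 256 bytes of what the peer sends (client hello,
                    # login attempt, exploit preamble) until it hangs up or stalls.
                    while len(first) < 256:
                        chunk = conn.recv(256 - len(first))
                        if not chunk:
                            break
                        first += chunk
                except (socket.timeout, OSError):
                    pass
            event = {"ts": datetime.now(timezone.utc).isoformat(),
                     "src": peer[0], "sport": peer[1], "dport": self.port,
                     "first_bytes": first}
            with self._cv:
                self.events.append(event)
                self._cv.notify_all()

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n events exist; False on timeout."""
        with self._cv:
            return self._cv.wait_for(lambda: len(self.events) >= n, timeout=timeout)

    def close(self):
        try:
            self._sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._sock.close()


def probe(host, port, payload, timeout=5.0):
    """Play the scanner: connect, read the banner, send a payload, hang up."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    for rule in dnat_rules([("tcp", 25, None), ("tcp", 23, "203.0.113.0/24")]):
        print(rule)
    hp = Honeypot().start()
    print("scanner saw:", probe("127.0.0.1", hp.port, b"EHLO scanner\r\n"))
    hp.wait_for_events(1)
    print("honeypot event:", hp.events[0])
    hp.close()
```

One caveat that bears on Ofir's second point: DNAT rewrites only the IP destination address. The honeypot's own TCP/IP stack answers the attacker, so TTL, window size and TCP option ordering are those of the honeypot host, and OS fingerprinting can reveal that the "server" is not the machine the firewall advertises. Making the honeypot's stack look like the production system is a separate job from the redirect and is not covered by this example.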
