IDS mailing list archives

Re: Network IDS


From: Steffen Kluge <kluge () fujitsu com au>
Date: Fri, 22 Aug 2003 11:53:08 +1000

On Fri, 2003-08-22 at 00:42, Barry Fitzgerald wrote:
Andreas Krennmair wrote:
Then a NIDS is not the right thing for you. Network Intrusion Detection
is not about protecting systems.

Now, the semantic argument that says that "NIDS is not about protecting 
systems" basically states that NIDS is about protecting networks.  
Factually, this is true - Host IDS is about protecting a *system* and 
NIDS is about detecting intrusions over the network.  But never, ever, 
ever, ever forget that a network is composed of a group of systems.

I believe Andreas' gripe was not with the word "systems" but with the
word "protect". A NIDS *detects* intrusions (or more generally, unusual
activity), but it cannot protect against them. It just informs you that
they're happening, nothing more, nothing less.

Of course, that information can aid *you* in taking steps to mitigate
risks or eliminate threats before they become a problem. Most intrusions
don't happen like a lightning bolt out of a blue sky; they are usually
preceded by activity NIDS sensors can spot (vulnerability scanning,
random attacks against non-vulnerable systems, etc.). Thus, if your NIDS
spots the forebodings of intrusions it can give you the critical edge
for protecting those vulnerable systems in time.

Mind you, hybrid automatic systems do exist, such as combinations of
NIDS detection engines and packet filters, but they wouldn't be
correctly termed "NIDS".

Cheers
Steffen.
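As an added illustration of the "detect, don't protect" distinction drawn in the message above (example code, not from the original thread or any real NIDS): a minimal sweep detector over constructed connection records that raises an alert when one source probes many ports on one host inside a short window, and leaves any response (filtering, patching) to the operator or a separate system. The record format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of TCP connection attempts as a sensor might log them:
# (timestamp in seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "192.0.2.10", 22, "S"),
    (1, "10.0.0.5", "192.0.2.10", 23, "S"),
    (2, "10.0.0.5", "192.0.2.10", 25, "S"),
    (3, "10.0.0.5", "192.0.2.10", 80, "S"),
    (4, "10.0.0.5", "192.0.2.10", 443, "S"),
    (5, "10.0.0.5", "192.0.2.10", 8080, "S"),
    (10, "10.0.0.7", "192.0.2.10", 443, "S"),   # normal repeat client
    (12, "10.0.0.7", "192.0.2.10", 443, "S"),
    (400, "10.0.0.9", "192.0.2.11", 22, "S"),   # two ports only
    (401, "10.0.0.9", "192.0.2.11", 80, "S"),
]

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    ports: tuple
    window_start: int

def detect_port_sweeps(events, port_threshold=5, window=60):
    """Return an Alert for each (src, dst) pair where src hits at least
    port_threshold distinct ports on dst within `window` seconds.
    This only reports; it never touches the traffic itself."""
    attempts = defaultdict(list)
    for ts, src, dst, port, flags in sorted(events):
        if "S" in flags:  # only consider new connection attempts
            attempts[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), seq in attempts.items():
        # slide a window over the time-sorted attempts for this pair
        for t0, _ in seq:
            ports = {p for t, p in seq if t0 <= t < t0 + window}
            if len(ports) >= port_threshold:
                alerts.append(Alert(src, dst, tuple(sorted(ports)), t0))
                break  # one alert per pair is enough for the operator
    return alerts

if __name__ == "__main__":
    for a in detect_port_sweeps(SAMPLE_EVENTS):
        print(f"ALERT sweep from {a.src} -> {a.dst} ports {a.ports} at t={a.window_start}")
```

Raising the threshold or widening the window trades missed slow scans against false alarms from busy legitimate clients; the alert itself is still only information for whoever protects the hosts.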


