IDS mailing list archives

RE: Network IDS

From: "Zach Forsyth" <Zach.Forsyth () kiandra com>
Date: Tue, 26 Aug 2003 10:23:03 +1000

How do we classify a NID that can automatically adjust firewall rules to
enable shunning etc?
Cisco IDS devices spring to mind...

Although technically correct, I think it is a bit petty to state that
IDS does not help to "protect" your network/systems.

Cheers

z

-----Original Message-----
From: Steffen Kluge [mailto:kluge () fujitsu com au] 
Sent: Friday, 22 August 2003 11:53 AM
To: focus-ids () securityfocus com
Subject: Re: Network IDS


On Fri, 2003-08-22 at 00:42, Barry Fitzgerald wrote:

Andreas Krennmair wrote:

Then a NIDS is not the right thing for you. Network Intrusion 
Detection is not about protecting systems.


Now, the semantic argument that says that "NIDS is not about 
protecting
systems" basically states that NIDS is about protecting networks.  
Factually, this is true - Host IDS is about protecting a *system* and 
NIDS is about detecting intrusions over the network.  But never, ever,

ever, ever forget that a network is composed of a group of systems.


I believe Andreas' gripe was not with the word "systems" but with the
word "protect". A NIDS *detects* intrusions (or more generally, unusual
activity), but it cannot protect against them. It just informs you that
they're happening, nothing more, nothing less.

Of course, that information can aid *you* in taking steps to mitigate
risks or eliminate threats before they become a problem. Most intrusions
don't happen like a lightning bolt out of blue sky, they are usually
preceded by activity NIDS sensors can spot (vulnerability scanning,
random attacks against non-vulnerable systems, etc). Thus, if your NIDS
spots the forebodings of intrusions it can give you the critical edge
for protecting those vulnerable systems in time.

Mind you, hybrid automatic systems do exist, such as combinations of
NIDS detection engines and packet filters, but they wouldn't be
correctly termed "NIDS".

Cheers
Steffen.



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the worldÂs premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------

Current thread:

Re: Network IDS, (continued)
- - - Re: Network IDS Frank Knobbe (Aug 28)
    - Re: Network IDS Andreas Krennmair (Aug 25)
    - Re: Network IDS Barry Fitzgerald (Aug 26)
- RE: Network IDS Fergus Brooks (Aug 21)
- RE: Network IDS Terry Ziemniak (Aug 21)
- RE: Network IDS Robert.Lupo (Aug 21)
  - Re: Network IDS Gary Flynn (Aug 21)
  - RE: Network IDS Steffen Kluge (Aug 25)
- Re: Network IDS José Joaquín (Aug 21)
- RE: Network IDS Zach Forsyth (Aug 25)
- RE: Network IDS Zach Forsyth (Aug 25)
  - Re: Network IDS Joel Snyder (Aug 26)
  - Re: Network IDS Andreas Krennmair (Aug 26)
- RE: Network IDS Scott M. Trieste (Aug 26)
  - RE: Network IDS Frank Knobbe (Aug 28)
    - RE: Network IDS Mark Teicher (Aug 28)
- RE: Network IDS Zach Forsyth (Aug 26)
- Re: Network IDS Andrew Plato (Aug 28)
  - Re: Network IDS Stephen P. Berry (Aug 29)