IDS mailing list archives

Re: Network IDS


From: Andreas Krennmair <netnews () synflood at>
Date: Tue, 26 Aug 2003 20:53:19 +0200

* Barry Fitzgerald <bkfsec () sdf lonestar org> [gmane.comp.security.ids]:
 I suppose that depends on how you define "protect".  If you define 
 "protection" as stopping the thief, then you're absolutely correct.  If 
 you define "protection" as alerting you when something happens, then an 
 NIDS does protect your network.  I see where you're going with this, but 
 I don't think that the distinction is that simple to draw.  If I have 
 lights on my house to try to scare away a burglar, or - more 
 appropriately - if my front door is wired with explosives (sort of like 
 an IPS blowing a packet away :) ) and if the burglar then tries to break 
 in, they should be blown to bits, right?  Well, what if they get around 
 the wiring of the bomb, having noticed that the bomb was there? (or 
 assuming that it might be)  Then, any non-related system that detects 
 the break-in is assisting in protection of the assets, correct?

This analogy is flawed - network intrusion detection systems can't be
seen. That's the big difference from the light in the house or the
explosives.

 Being alerted is a part of protection.  Again, I see your point on a 
 semantic level, but refuse to accept that NIDS/HIDS have no part in 
 protection of the infrastructure.  Do they, alone, act to protect the 
 infrastructure?  No - but they play a part.

How is your system protected when the exploit succeeds and is detected
by the NIDS? Your system is compromised. The only thing where NIDS could
be interesting is to record all attacks and to separate the known
exploits from the unknown ones. That is, IMHO, the only really useful
way NIDS could be used.

Regards,
Andreas Krennmair

