IDS mailing list archives
Re: Network IDS
From: Andreas Krennmair <netnews () synflood at>
Date: Tue, 26 Aug 2003 20:53:19 +0200
* Barry Fitzgerald <bkfsec () sdf lonestar org> [gmane.comp.security.ids]:
I suppose that depends on how you define "protect". If you define "protection" as stopping the thief, then you're absolutely correct. If you define "protection" as alerting you when something happens, then an NIDS does protect your network. I see where you're going with this, but I don't think that the distinction is that simple to draw. If I have lights on my house to try to scare away a burglar, or - more appropriately - if my front door is wired with explosives (sort of like an IPS blowing a packet away :) ) and if the burglar then tries to break in, they should be blown to bits, right? Well, what if they get around the wiring of the bomb, having noticed that the bomb was there? (or assuming that it might be) Then, any non-related system that detects the break-in is assisting in protection of the assets, correct?
This analogy is flawed - network intrusion detection systems can't be seen. That's the big difference to the light in the house or the explosives.
Being alerted is a part of protection. Again, I see your point on a semantic level, but refuse to accept that NIDS/HIDS have no part in protection of the infrastructure. Do they, alone, act to protect the infrastructure? No - but they play a part.
How is your system protected when the exploit succeeds and is detected by the NIDS? Your system is compromised. The only thing where NIDS could be interesting is to record all attacks and to separate the known exploits from the unknown ones. That is, IMHO, the only really useful way NIDS could be used. Regards, Andreas Krennmair --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the worldÂs premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com ---------------------------------------------------------------------------
Current thread:
- Network IDS Duston Sickler (Aug 19)
- Re: Network IDS Andreas Krennmair (Aug 21)
- Re: Network IDS Barry Fitzgerald (Aug 21)
- Re: Network IDS Steffen Kluge (Aug 25)
- Re: Network IDS Sam f. Stover (Aug 25)
- Re: Network IDS Barry Fitzgerald (Aug 25)
- Re: Network IDS Andreas Krennmair (Aug 26)
- Re: Network IDS Barry Fitzgerald (Aug 28)
- Re: Network IDS Frank Knobbe (Aug 28)
- Re: Network IDS Mark Teicher (Aug 28)
- Re: Network IDS Frank Knobbe (Aug 28)
- Re: Network IDS Barry Fitzgerald (Aug 21)
- Re: Network IDS Andreas Krennmair (Aug 21)
- Re: Network IDS Andreas Krennmair (Aug 25)
- Re: Network IDS Barry Fitzgerald (Aug 26)
- <Possible follow-ups>
- RE: Network IDS Robert.Lupo (Aug 21)
- Re: Network IDS Gary Flynn (Aug 21)