IDS mailing list archives

Re: IDS is dead, etc


From: Scott Wimer <scottw () cylant com>
Date: Fri, 08 Aug 2003 10:24:46 -0700

Bennett,

I think we are on the same page as to the utility of IDS systems.

Where we differ is in our estimation of the level of vulnerability of software that is "known" to be good and secure. Over the course of the summer I've been given more insight into the gray and black hat world. The number of systems that are backdoored today, and the number of non-public vulnerabilities and exploits, are slightly disturbing.

Perhaps the most disturbing is that the bar is really only raised for the script kiddies; they never posed a substantial risk anyway.

I really like your description of NIDS as AV scanners for the network. That's classic. Although some will argue that the more behaviorally oriented NIDS have moved past that point. *shrug* A good NIDS is an invaluable tool for network managers. But a NIDS is not the security "solution" that they are marketed as.

Regards,
scottwimer

Bennett Todd wrote:
2003-08-08T12:37:24 Scott Wimer:

The assumption that human beings can design, write, and install software without error is WRONG.


No disagreement there. I don't presume software without error.

I do maintain, however, that by combining tight configuration
control with complete abstinence from known-bad software, you can
raise the barrier sufficiently high that the attacks that succeed
will be so wildly new and out of left field that your IDS would be
no more help than your firewall. IDSes detect known problems;
they're the "anti-virus scanners" of the network.

Given such a setting, an IDS is still a great idea, as an
educational tool, but it's not helping to tighten your protections,
because it won't alarm on anything that succeeds.

-Bennett

--
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 301-0370                        Moscow, ID 83843
There is no Security without Control.

