IDS mailing list archives

Re: IDS is dead, etc


From: Bennett Todd <bet () rahul net>
Date: Fri, 8 Aug 2003 15:18:15 -0400

2003-08-08T14:15:25 Scott Wimer:
Here's the quote about perfectly implemented firewalls that I think is 
germane.  Hopefully I'm not taking it out of context:

Yes, it is, and no, you didn't.

I really ought to retire from this, every time I try and clarify I
spew out more ambiguities, which you rightly pounce on. Not just
ambiguities, even; your interpretation of my words is the most
reasonable. I'm not expressing my intent well.

Yup. All code must be assumed to be vulnerable. What I should have
written, to express what I was thinking, was instead something more
along the lines of

        "A perfectly implemented firewall allows no protocols
        through for which there are horribly broken implementations
        in use inside."

Yup, all code must be assumed to be vulnerable, but if you're
going to use the internet, you've gotta let some code interact with
it. You can greatly improve your life if the code you use seems to
be well-designed and responsibly implemented, if it's got a good
security track record --- few or no reported security bugs.

Won't be perfect, but combined with very aggressive patch mgmt
to let you deploy a security fix quickly and cheaply, and active
monitoring of security lists, it can be good --- and at that point,
IDS is no longer playing the role of telling you about successful
attacks, which was where I was really trying to go with this thread.

I may very well be putting words in your mouth (for which I
apologize) when I write about the silliness of expecting that
any protocol will be implemented vulnerability free -- on any
platform.

Nope, you're responding reasonably to the words I wrote, drat it. I
keep eating 'em. I'm getting stuffed!

After a brief review of Mazu's Profiler and Enforcer docs, I'm 
curious how it handles attacks that come in via encrypted means.

Mazu doesn't look into content at all (or at least, they didn't last
time I looked closely into their product; there was discussion of
some additions in that direction, possibly, in the future). They
provide a really importantly new and exciting analysis of <srcip,
dstip, proto, dstport, timestamp> tuples, over time.

An attack that Mazu could detect would be something like a worm that
provokes anomalous network traffic patterns --- machines that didn't
use to talk to each other, begin to; volumes change radically; etc.

From what I've seen, to detect and respond to all categories
of exploits in a timely manner requires some sort of defense
mechanism implemented at the host.

Sounds right to me. IDS marketers claiming their products detect all
categories of exploits, aren't being truthful. That said, good IDSes
are awfully helpful; they don't see everything, but they see a lot
of stuff that's good to know about.

-Bennett

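As an added illustration (not code from the original message, and not Mazu's product logic), here is a toy detector over constructed <srcip, dstip, proto, dstport, timestamp> tuples that flags the two patterns Bennett describes: a host that begins talking to many peers it never talked to before, and a known pair whose volume changes radically. It never looks at payload, so it behaves the same for encrypted and cleartext traffic; the sample flows, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample flows: (srcip, dstip, proto, dstport, timestamp).
# Baseline window: two well-established pairs with steady volume.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", "tcp", 445, 1000 + i) for i in range(20)
] + [
    ("10.0.0.6", "10.0.0.21", "tcp", 80, 1000 + i) for i in range(10)
]

# Constructed current window (same duration as the baseline, an assumption
# the volume ratio relies on): 10.0.0.7 suddenly fans out to twelve
# never-seen peers on 445, and 10.0.0.5 -> 10.0.0.20 traffic grows 5x.
CURRENT_FLOWS = [
    ("10.0.0.7", f"10.0.0.{100 + i}", "tcp", 445, 2000 + i) for i in range(12)
] + [
    ("10.0.0.5", "10.0.0.20", "tcp", 445, 2000 + i) for i in range(100)
] + [
    ("10.0.0.6", "10.0.0.21", "tcp", 80, 2000 + i) for i in range(10)
]


def pair_key(flow):
    """Drop the timestamp; who talks to whom, over what, is the unit."""
    src, dst, proto, dport, _ts = flow
    return (src, dst, proto, dport)


def find_anomalies(baseline, current, fanout_threshold=8, volume_ratio=4.0):
    """Return (fanout, spikes) for a current window against a baseline.

    fanout: {srcip: number of distinct new (dstip, dstport) peers}
    spikes: {pair_key: growth ratio} for pairs seen in both windows
    """
    base_counts = Counter(pair_key(f) for f in baseline)
    cur_counts = Counter(pair_key(f) for f in current)

    # "Machines that didn't use to talk to each other, begin to":
    # count never-before-seen peers per source and flag large fan-out.
    new_peers = defaultdict(set)
    for key in cur_counts:
        if key not in base_counts:
            new_peers[key[0]].add((key[1], key[3]))
    fanout = {s: len(p) for s, p in new_peers.items() if len(p) >= fanout_threshold}

    # "Volumes change radically": existing pair grown by >= volume_ratio.
    spikes = {}
    for key, n in cur_counts.items():
        if key in base_counts and n / base_counts[key] >= volume_ratio:
            spikes[key] = n / base_counts[key]
    return fanout, spikes
```

A real deployment would size the baseline over days rather than one window and would whitelist hosts whose job is to scan (vulnerability scanners, monitoring), or those will dominate the fan-out list.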