IDS mailing list archives

RE: IDS is dead, etc


From: "JAVIER OTERO" <jotero () SMARTEKH com>
Date: Tue, 12 Aug 2003 09:27:37 -0500

In my opinion, IDS in its current form will die. When you are notified about an attack, it is better than not knowing, but it is
better to stop the attack.
The IDS must evolve toward firewall technology and vice versa; the firewall must include IDS technology, to stop attacks.
One vendor that is doing this is NetScreen; they have the IDP (IDS + prevention) and they are working on adding some IDP features
to their FW. This will put more security, and more tuning, in the internet gateway, but the internal IDP will still be required,
like antivirus: you require it in the gateway, in mail and on the PC, since they can still put in an infected diskette.

Ing. Fco. Javier Otero De Alba
Diploma in Information Security, ITESM CEM
Grupo Smartekh
Antivirus Experts
Business Continuity
Integrity
5243-4782 to 84 Ext. 300
México, D.F.



-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Monday, 11 August 2003 08:18 p.m.
To: focus-ids () securityfocus com
Subject: Re: IDS is dead, etc


On Fri, Aug 08, 2003 at 10:24:46AM -0700, Scott Wimer wrote:
> I really like your description of NIDS as AV scanners for the network.
> That's classic.  Although, some will argue that the more behavioral
> oriented NIDS have moved past that point.  *shrug*

Heh - as they say, "there's nothing new under the Sun". AV scanners have had
"behavioral" characteristics for years - some even run sandboxes in which to
partially run the suspected file to see what it does. All this falls under
"heuristics" technology.

> invaluable tool for network managers.  But, a NIDS is not the security
> "solution" that they are marketed as.


They have their place - but you have to think outside the square. The best
use I have found for our IDS network is *not* in the 1,000+ alerts a day
that it generates, it's in the hand-written rules that basically say "here
are the network things our DMZ hosts are allowed to do, PAGE WHEN THEY DO
ANYTHING ELSE"...

Can you say "Zero False Positives"? [wow: IDS marketing Nirvana]

IDS's are good for showing senior management how "dangerous" the Internet is
- so that you can get more funding to buy more IDS systems - err,
wait-a-minute... ;-)

Actually there's another use. Having a visible IDS within your IT Team
allows you to show your network and server groups just _why_ they need to
install patches/stay up-to-date with training, etc. It can be hard for
Security staff to push better practices when all these groups feel is "more
work for me". I forever hear people saying "oh, no-one would be interested
in hacking *us*" - unfortunately it's all totally impersonal these days.

Everyone is a target.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------
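The "here is what our DMZ hosts are allowed to do, page on anything else" rule set that Jason describes is an allow-list (positive-security) policy rather than a signature match. The following is an added example, not code from either poster or from any IDS product: a small Python policy checker run over constructed connection records. The DMZ range, the per-host allowed services and the sample flow lines are all made up for illustration; the record format "src dst proto dport" is an assumption, and it is taken to describe the initiating side of a connection (a raw packet log would need state tracking first, or the reply half of every allowed flow would show up as an "unexpected inbound" hit).

```python
"""Allow-list detection over DMZ connection records (added example).

Everything below - addresses, services and the log lines - is constructed
for illustration and does not describe any real network.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed DMZ: 192.0.2.0/24 (TEST-NET-1, a documentation range).
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Per host: the connections it is allowed to *initiate* (proto, dst port).
ALLOWED_OUTBOUND = {
    "192.0.2.10": {("tcp", 25), ("udp", 53)},    # mail relay: SMTP out, DNS
    "192.0.2.20": {("udp", 53), ("tcp", 443)},   # web server: DNS, HTTPS to a partner API
}

# Per host: the services it is allowed to *accept* from outside (proto, dst port).
ALLOWED_INBOUND = {
    "192.0.2.10": {("tcp", 25)},                 # mail relay accepts SMTP
    "192.0.2.20": {("tcp", 80), ("tcp", 443)},   # web server accepts HTTP/HTTPS
}


def parse_flow(line):
    """Parse one constructed record: 'src dst proto dport' (initiator first)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check(flow):
    """Return None if the flow is allowed by policy, else a reason string.

    Anything that touches the DMZ and is not explicitly allowed is a hit;
    traffic that does not involve the DMZ is out of scope for this rule set.
    """
    src_in = ipaddress.ip_address(flow.src) in DMZ
    dst_in = ipaddress.ip_address(flow.dst) in DMZ
    svc = (flow.proto, flow.dport)
    if src_in and dst_in:
        # Nothing in this DMZ ever needs to talk to another DMZ host; a hit
        # here is the classic sign of a compromised box probing its neighbours.
        return "DMZ-to-DMZ traffic %s -> %s %s/%d" % (flow.src, flow.dst, flow.proto, flow.dport)
    if src_in:
        if svc in ALLOWED_OUTBOUND.get(flow.src, set()):
            return None
        return "unexpected outbound %s/%d from %s" % (flow.proto, flow.dport, flow.src)
    if dst_in:
        if svc in ALLOWED_INBOUND.get(flow.dst, set()):
            return None
        return "unexpected inbound %s/%d to %s" % (flow.proto, flow.dport, flow.dst)
    return None


def violations(log_text):
    """Run every record through the policy; return [(flow, reason), ...] for hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = check(flow)
        if reason is not None:
            hits.append((flow, reason))
    return hits


# Constructed sample records: three allowed, three that should page someone.
SAMPLE_LOG = """\
192.0.2.10 198.51.100.5 tcp 25
203.0.113.7 192.0.2.20 tcp 80
192.0.2.20 198.51.100.53 udp 53
192.0.2.20 203.0.113.99 tcp 6667
192.0.2.10 192.0.2.20 tcp 22
203.0.113.8 192.0.2.20 tcp 8080
"""

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_LOG):
        print("PAGE:", reason)
```

The point of the rule set is that the allowed list is short and known in advance, so every hit is something an operator should look at: the web server opening tcp/6667 outbound, the mail relay SSHing to the web server, and an inbound connection to a port the web server does not serve. The maintenance cost is that the policy must be updated whenever a DMZ host legitimately gains a new dependency, which is exactly the kind of change a security team wants to hear about anyway.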

