IDS mailing list archives
RE: IDS is dead, etc
From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 13 Aug 2003 00:01:27 -0500
Sounds good, but... It seems more a wish than a prediction. There simply is no technology that will be able to handle and correlate all the variables needed for an effective "intrusion prevention" (I personally don't even like the term "Intrusion prevention systems"; it is confusing and ambiguous). If right now we are having a hard time configuring a simple nIDS to do some automatic response (even with the best of our security experts involved), how is that technology going to do that without causing more harm (DoS?) than good?

Basically, a nIDS with response capabilities to cut connections has the same effect as instructing a firewall to block the source of an attack identified by a nIDS. To be able to work effectively, this device would need to:

* Recognize that we have customer/business partner relationships
* Relate IP addresses, services and network names with the corresponding business relationships and processes
* Know what your business is about (at least in terms of what the network is used for)
* Know how and why business processes change
* Know what is done at which hour, day, month
* Correlate all of the above, and much more, and apply filters accordingly
* And also generate reports the way your boss likes them

Automated systems can be used to do each of these activities individually (at least those that are simple enough) fairly well, but when you try to put them together, the automatic part of that system will cease to exist because you will have someone behind it fine tuning the thing, permanently. The key is "correlation", and right now I don't see a better security solution than a well prepared security professional to correlate that. In my opinion, instead of trying to build something to replace those experts with technology that right now is unable to do so, we should focus on making better tools to help them correlate security events.
If I remember correctly, building the perfect intelligent device was an idea of the early stages of artificial intelligence, and people in that area recognized decades ago that it is more feasible to create small systems to deal with relatively simple tasks and a small number of variables.

Just some thoughts...

Omar Herrera

-----Original Message-----
From: JAVIER OTERO [mailto:jotero () SMARTEKH com]
Sent: Tuesday, 12 August 2003 09:28 a.m.
To: Jason Haar; focus-ids () securityfocus com
Subject: RE: IDS is dead, etc

In my opinion the IDS will die in its current form. Being notified about an attack is better than not knowing, but it is better to stop the attack. The IDS must evolve into firewall technology and vice versa; the firewall must include IDS technology to stop attacks. One vendor that is doing this is NetScreen: they have the IDP (IDS + prevention) and they are working on adding some IDP features to their FW. This will put more security, and more tuning, in the internet gateway, but the internal IDP will still be required, just as with antivirus you require it at the gateway, on mail and on the PC, since someone can still put in an infected diskette.

Ing. Fco. Javier Otero De Alba
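The list of things a response device would need to know before blocking a source reads like a policy. As an added example (not code from this thread or from any vendor product), the Python below encodes a small constructed version of that business context and runs nIDS alert lines through it, recommending an automatic block only when no business context argues against it and escalating to an analyst otherwise. All networks, services, process hours and alert lines are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed business context (hypothetical values): the knowledge the message
# says a response device would need before blocking a source a nIDS flagged.
PARTNERS = {"partner-a": ip_network("203.0.113.0/24")}           # business relationships
SERVICES = {("10.0.0.5", 443): {"process": "order-intake", "partners": {"partner-a"}}}
PROCESS_HOURS = {"order-intake": (range(0, 5), range(8, 18))}    # Mon-Fri, 08:00-17:59

@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    dport: int
    signature: str

def parse_alert(line):
    """Parse one constructed alert line: '<iso-time> <src> -> <dst>:<port> <signature>'."""
    ts, src, _, target, sig = line.split(" ", 4)
    dst, port = target.rsplit(":", 1)
    return Alert(datetime.fromisoformat(ts), src, dst, int(port), sig)

def decide(alert):
    """Return (action, reason): block only when no business context argues against it."""
    src = ip_address(alert.src)
    partner = next((n for n, net in PARTNERS.items() if src in net), None)
    svc = SERVICES.get((alert.dst, alert.dport))
    if svc is None:
        return "escalate", "target service not in the business inventory"
    if partner in svc["partners"]:
        return "escalate", f"source belongs to {partner}, a partner of {svc['process']}"
    days, hours = PROCESS_HOURS[svc["process"]]
    if alert.ts.weekday() in days and alert.ts.hour in hours:
        return "escalate", f"{svc['process']} is active now; a block could hit a real customer"
    return "block", f"unknown source outside {svc['process']} hours"

def triage(lines):
    """Run the policy over alert lines and return the report rows an analyst sees."""
    return [(a.src, a.signature, *decide(a)) for a in map(parse_alert, lines)]

# Constructed sample alerts (12 Aug 2003 was a Tuesday).
SAMPLE = [
    "2003-08-12T09:28:00 203.0.113.7 -> 10.0.0.5:443 WEB-ATTACKS sql injection attempt",
    "2003-08-12T09:30:00 198.51.100.9 -> 10.0.0.5:443 WEB-ATTACKS sql injection attempt",
    "2003-08-12T03:05:00 198.51.100.9 -> 10.0.0.5:443 WEB-ATTACKS sql injection attempt",
    "2003-08-12T03:06:00 198.51.100.9 -> 10.0.0.9:22 SCAN ssh version probe",
]
```

Only the third alert (unknown source, known service, outside process hours) gets an automatic block; the other three go to the analyst, which is the "someone behind it" the message predicts.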