IDS mailing list archives

Re: Recent anti-NIDS Gartner article


From: "Liesen, Detmar (LDS)" <Detmar.Liesen () lds nrw de>
Date: Wed, 18 Jun 2003 16:00:20 +0200

The Gartner article has a very narrow point of view.
IMHO an IDS is more than a NIDS or IPS or whatever network-based IDS.

An IDS (I would say Distributed IDS) is a system of several sensors, network-based
and host-based, and a central console that provides for good analysis and
automagic correlation.

Why do folks only talk about network based IDS?

AND: A modern network-based IDS or IPS (e.g. Netscreen IDP) supports
fine-granular policies and shall be deployed not just behind an
Internet firewall but on the internal network as well.

Most people don't care about well-designed infrastructures with various
security zones of different security and surveillance needs.

Like most articles, the Gartner paper assumes that there is one big and mighty
device that provides security for a whole network. This is rubbish.

The point is: firewalls cannot see into encrypted packets. A host IDS does see
the decrypted data, so there is no problem.
Firewalls cannot do full-range Intrusion Analysis and IMHO they shall not
anyway.

A firewall is your first line of defense and shall be as simple and slim as
possible, so that misconfiguration due to high complexity is unlikely.

I hope that not too many executives believe that Gartner paper...

Greetings,
Detmar

-----Original Message-----
From: Stephen Samuel [mailto:samuel () bcgreen com]
Sent: Tuesday, 17 June 2003 21:11
To: Mike Blomgren; focus-ids () securityfocus com
Subject: Re: Recent anti-NIDS Gartner article


Mike Blomgren wrote:
If IDS is the loser, and a firewall is the solution, then why do we
have surveillance cameras when we would be better off with good locks on
our doors?

To follow the analogy: cameras record things that locks can't
stop.  A camera/NIDS with humans paying good attention to it
can recognize things like somebody breaking a window, loitering
suspiciously, etc.

No matter how good your door locks may be, it still won't stop
someone from bringing in a vehicle (tank) as a battering ram,
or doing something such as breaking a window to get access (had that
happen to me twice!). Not to mention the use of a lockpick.

With a good recording system (with or without human intervention)
they can sometimes provide information on the identity, methods
and intentions of an intruder. This can be useful either for
filing later charges or simply determining what needs to be fixed
to prevent a recurrence.

Firewalls can prevent some of the more obvious attacks, but
a well-tuned NIDS could also recognize things like suspicious
outgoing connections and malicious web/ftp sites. Those are
kinds of attacks that the firewall paradigm isn't really
designed to handle well.

-- 
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
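Stephen's last paragraph, that a well-tuned NIDS can recognize suspicious outgoing connections the firewall paradigm is not designed to catch, illustrated by an added example that is not code from either message in this thread. It contrasts the firewall's entire view of a flow (a 5-tuple match against an egress rule) with two NIDS-style checks that need state the firewall does not keep: a server that should never initiate outbound connections doing so, and a host connecting to one external address at near-constant intervals over port 443 (beaconing). All flow records are constructed, the addresses are RFC 5737 documentation ranges, and the assumptions that 10/8 is the inside, that the firewall allows any outbound 80/443, and the jitter threshold are made up for the example.

```python
# Added example (not code from either message in this thread): a toy
# comparison of what a stateful egress firewall rule "sees" versus what a
# NIDS watching the same flows can detect. All flow records below are
# constructed; addresses are documentation/test ranges (RFC 5737).
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds since start of capture (constructed)
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port


INTERNAL_PREFIX = "10."             # assumption: 10/8 is the internal network
FIREWALL_EGRESS_PORTS = {80, 443}   # assumption: firewall allows any outbound web


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def firewall_allows(flow: Flow) -> bool:
    """The firewall's whole view: a 5-tuple match against a simple egress policy."""
    return (is_internal(flow.src) and not is_internal(flow.dst)
            and flow.dport in FIREWALL_EGRESS_PORTS)


def nids_findings(flows, server_hosts, min_beacons=4, max_jitter=0.1):
    """Two NIDS-style checks that need context a firewall rule does not keep:
    (1) hosts that should never initiate egress (servers) doing so, and
    (2) beaconing: repeated connections to one destination at near-constant
    intervals, a common command-and-control pattern even when it rides on
    port 443 and is therefore allowed by the firewall.
    Returns a list of (src, finding, dst, dport) tuples."""
    findings = []
    for f in flows:
        if f.src in server_hosts and not is_internal(f.dst):
            findings.append((f.src, "server-initiated egress", f.dst, f.dport))

    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation of the inter-arrival times; low = machine-like
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            findings.append((src, "periodic beacon", dst, dport))
    return findings


def sample_flows():
    """Constructed capture: a workstation browsing, a workstation beaconing,
    a file server phoning out, and one flow the firewall does block."""
    ws, bot, srv = "10.0.1.5", "10.0.1.7", "10.0.2.20"
    flows = [Flow(t, ws, "198.51.100.10", 443) for t in (0, 40, 300, 330)]
    flows += [Flow(t, bot, "203.0.113.9", 443) for t in (0, 60, 121, 180, 241)]
    flows.append(Flow(90, srv, "198.51.100.4", 443))
    flows.append(Flow(500, ws, "203.0.113.9", 6667))  # IRC: firewall denies this one
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("firewall passes", sum(firewall_allows(f) for f in flows), "of", len(flows))
    for finding in nids_findings(flows, server_hosts={"10.0.2.20"}):
        print("NIDS:", *finding)
```

Run as written, the firewall passes ten of the eleven constructed flows, including every beacon and the file server's outbound connection, because they are all plain TCP/443 from inside to outside; only the IRC attempt on 6667 is denied. The NIDS checks flag the beaconing workstation and the server-initiated egress because they keep per-pair timing history and know which hosts are servers, which is exactly the context a packet-filtering rule does not have. The jitter threshold and the minimum number of beacons are arbitrary here; real malware adds jitter, so production detectors use larger windows and per-environment tuning, and a host IDS on the endpoint would be the sensor that sees what was actually inside those TLS sessions.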




