IDS mailing list archives
Re: Recent anti-NIDS Gartner article
From: Stephen Samuel <samuel () bcgreen com>
Date: Wed, 18 Jun 2003 14:12:14 -0700
Srinivasa Rao Addepalli wrote:
IDSes which sniff or tap off the network have several disadvantages
.....
- Need expensive hardware for good performance and detection rate. Due to this, these might not survive in SOHO and SME market segments.
.....
market segment. Today, IDSes can be configured to inform Firewall, but I don't think anybody seriously thinks that this solves all the problems. Having protection capability within the IDS provides more control or accurate protection.
An inline IDS is going to have (almost) all of the requirements of a passive one with the *addition* of having to forward (and filter) packets. Unless you cut the detection functionality, I can't see how this is going to lessen the hardware requirements.

Also: once you have your IDS inline and blocking packets, it's (IMHO) now an IPS -- even if it's still reporting suspicious traffic that it's not acting on (IPS with IDS extensions).

(( Now, of course, within my definition, an IDS reporting egregiously nasty traffic to a firewall which then drops the offending connection would classify (as a system) as an IPS capability -- but that would apply to the cluster and not to the IDS itself just because its reports are being responded to in an automated manner. ))

One of the nice things about a sniffing-only IDS is that it is essentially invisible to the network. Unless you can direct a packet directly at the IDS, there should be no way for an attacker to notice it there (security by obscurity).

--
Stephen Samuel +1(604)876-0426 samuel () bcgreen com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching the jewel within each person and bring it to life.