IDS mailing list archives

Re: Recent anti-NIDS Gartner article


From: Stephen Samuel <samuel () bcgreen com>
Date: Wed, 18 Jun 2003 14:12:14 -0700

Srinivasa Rao Addepalli wrote:
IDSes which sniff or tap off the network have several disadvantages
.....
-  Need expensive hardware for good performance and detection rate.
Due to this, these might not survive in SOHO and SME market segments.
.....
market segment. Today, IDSes can be configured to inform Firewall, but
I don't think anybody seriously thinks that this solves all the problems.
Having protection capability within the IDS provides more control or
accurate protection.

An inline IDS is going to have (almost) all of the requirements
of a passive one with the *addition* of having to forward (and
filter) packets. Unless you cut the detection functionality, I
can't see how this is going to lessen the hardware requirements.

Also: once you have your IDS inline and blocking packets, it's
(IMHO) now an IPS -- even if it's still reporting suspicious
traffic that it's not acting on (IPS with IDS extensions).

((
 Now, of course, within my definition, an IDS reporting
 egregiously nasty traffic to a firewall which then drops
 the offending connection would classify (as a system) as
 an IPS capability -- but that would apply to the cluster
 and not to the IDS itself just because its reports are
 being responded to in an automated manner.
))

One of the nice things about a sniffing-only IDS is that it
is essentially invisible to the network. Unless you can
direct a packet directly at the IDS, there should be no
way for an attacker to notice it there (security by
obscurity).

--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
   Powerful committed communication. Transformation touching
       the jewel within each person and bring it to life.

