IDS mailing list archives
Re: Rather funny; looks like page defacement to me
From: Callan K L Tham <miburo () singnet com sg>
Date: Sun, 15 Jun 2003 12:02:02 +0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 14 June 2003 03:48, broyds () rogers com wrote:
In general, they are perfectly correct. Most IDS installations are very expensive packet sniffers because most installations know so little about their enterprise network that they are unable to tune it in any meaningful way or design and place the sensors to monitor meaningful traffic. I am not saying the IDS are always useless, but they are most useful as part of a well designed network that partitions traffic so that there is a good baseline understanding of what traffic should appear on each segment.
It's interesting that you say that. I would think the point you're making here is "The admin doesn't know what's going on in his network to monitor traffic properly to properly make use of IDS. Most networks are badly designed in the first place to take advantage of IDS capabilities." In that case the problem lies with the people who designed it and the competence of the admin they hired; remember, you pay peanuts, you get monkeys. A competent network admin _must_ know what his traffic looks like. That's why he gets paid. If he doesn't no amount of firewalls, IDS, IPS, etc will save his butt. I think these analysts are out for publicity; they simply don't make sense.
Interestingly, they denigrate Intrusion Prevention Systems and hail firewalls, when an IPS is really a firewall with dynamically generated rule set. Most of use would agree that an internal office network requires a firewall between it and the Internet. The firewall normally only has a static rule set that basically only guarantees that TCP virtual circuits have correct TCP semantics and , for application gateways, that the traffic follows the protocol RFC. Most attacks these days are not at the layer 2/layer 3 level guarded by a firewall, but at layer 7 or above, using the fact that Application protocols like HTTP, FTP, SMTP etc. have enough holes in them that a perfectly standards conforming stream can be used to attack a host at the end of the stream.
Agreed; I believe IPS would be a good next step for companies already with IDS installed.
Most IDS are still installed by people who don't even understand TP/IP, let alone HTTP, or the proprietary stuff coming from Real Networks or Microsoft. How are they going to properly tune an IDS to avoid wasting a lot of time and effort on false positives or, conversely, ignoring everything so the IDS has no teeth. So most IDS systems are a waste of money. They may be useful if they are installed by a MSSP who actually understands security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we need one.
I agree that the average sysadmin might not be able to handle an IDS straight off. But an admin who don't understand TCP/IP? Why does he even have a job? Oh wait...that explains the countless amount of codereds and nimdas and sadminds I see _every_ day.... If the arguments are admin incompetence and poorly-designed networks, then they do not hold water. A company who doesn't care about it's IT infrastructure deserves to be cracked; and admin who doesn't know TCP/IP (I got a good laugh from that) should be paraded on the streets and flogged. Just my lack-of-caffeine $0.02...just got outta bed... Callan - -- "I disapprove of what you say, but I will defend to the death your right to say it." - Beatrice Hall Registered Linux User #311796 ICQ UIN: 1926211 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+6++7nyMhcbScbQYRAirOAJ4h5ClqEe08clgluj6UuunKhbqkUgCfUh5F C8m8DPYaKYeIVQLcwp/73kQ= =/4EQ -----END PGP SIGNATURE----- ------------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com -------------------------------------------------------------------------------
Current thread:
- Re: Rather funny; looks like page defacement to me, (continued)
- Re: Rather funny; looks like page defacement to me Paul Schmehl (Jun 17)
- Re: Rather funny; looks like page defacement to me George W. Capehart (Jun 17)
- Gartner comments (was Re: Rather funny; looks like page defacement to me) Randy Taylor (Jun 17)
- Re: Rather funny; looks like page defacement to me broyds (Jun 14)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Mike Lyman (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Jim Butterworth (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Angel Rivera (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Mike Lyman (Jun 17)
- RE: Rather funny; looks like page defacement to me Roger A. Grimes (Jun 17)
- Re: Rather funny; looks like page defacement to me Bill Royds (Jun 17)
- RE: Rather funny; looks like page defacement to me Roger A. Grimes (Jun 17)
- Re: Rather funny; looks like page defacement to me Callan K L Tham (Jun 17)
- Re: Rather funny; looks like page defacement to me Paul Schmehl (Jun 17)
- Re: Rather funny; looks like page defacement to me Bill Royds (Jun 18)
- Re: Rather funny; looks like page defacement to me Callan K L Tham (Jun 18)