IDS mailing list archives

Re: IDS testing methodologies


From: James Riden <j.riden () massey ac nz>
Date: Sat, 03 Jan 2004 11:41:14 +1300

Alvin Oga <alvin.sec () Virtual Linux-Consulting com> writes:

hi ya henrik

I'm trying to find out ways of testing different IDS systems; is there a
'recommended'/best practise methodology for testing Network based IDS (NIDS)
? Any information - papers, tools, links and own experience are much
appreciated,,, 8-)

in my book ... ( small world ) .. an IDS is not very useful, because, the
cracker is already in your network ... game over ...

Argh! No!

Sooner or later, an attacker will break into your systems -
despite your best efforts. That's when you need an IDS, to track
what's happened and what you need to do to clean it up. (Reinstalling
5000+ machines simultaneously not being a feasible option.)

It can also help inform you of weaknesses in your firewall, e.g. if
you're seeing Slammer packets directed to your internal network
there's something up, or of attempted internal attacks. My copy of the
2003 Australian Computer Crime and Security Survey (thanks AusCERT)
says 45% of organisations which experienced attacks believe at least
one was from an internal source.

Bruce Schneier has something to say about investing all your efforts
in prevention instead of spreading them across prevention, detection
and response. Admittedly I believe he's now selling detection and
response services, but he has a very good point.

One of the best things I've done in my job so far was to put in an IDS
about a month before MSBlaster hit.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
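The point above about IDS alerts revealing firewall gaps (Slammer packets reaching the internal network) can be turned into a concrete check. The following is an added example, not code from James or anyone else in this thread; it assumes a constructed, simplified firewall/NIDS log format (timestamp, protocol, src:port -> dst:port, length), treats 10.0.0.0/8 as the internal range, and matches only on Slammer's well-known target of UDP port 1434 rather than on payload bytes. It separates hits from external sources (traffic the perimeter should have dropped) from hits between internal hosts (a possible internal infection), which is the distinction the post draws.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not real traffic). Format assumed for this example:
# <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <length>
SAMPLE_LOG = """\
2004-01-03T11:40:01 UDP 203.0.113.9:1028 -> 10.1.2.3:1434 376
2004-01-03T11:40:02 UDP 203.0.113.9:1028 -> 10.1.2.4:1434 376
2004-01-03T11:40:02 TCP 198.51.100.7:44321 -> 10.1.2.5:80 60
2004-01-03T11:40:03 UDP 10.1.9.9:1029 -> 10.1.2.6:1434 376
2004-01-03T11:40:04 UDP 192.0.2.44:53 -> 10.1.2.3:1025 120
"""

# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Slammer propagated over UDP to the SQL Server Resolution Service port.
SLAMMER_PORT = 1434


def parse_line(line):
    """Split one log line into typed fields (IP addresses, integer ports)."""
    ts, proto, src, _arrow, dst, length = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "proto": proto,
        "src_ip": ipaddress.ip_address(src_ip),
        "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip),
        "dst_port": int(dst_port),
        "length": int(length),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_slammer_alerts(log_text):
    """Return UDP/1434 packets aimed at internal hosts, tagged by origin.

    origin == "external": the perimeter let worm traffic through (firewall gap).
    origin == "internal": an inside host is scanning, i.e. likely infected.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "UDP" or rec["dst_port"] != SLAMMER_PORT:
            continue
        if not is_internal(rec["dst_ip"]):
            continue
        origin = "internal" if is_internal(rec["src_ip"]) else "external"
        alerts.append({
            "ts": rec["ts"],
            "src": str(rec["src_ip"]),
            "dst": str(rec["dst_ip"]),
            "origin": origin,
        })
    return alerts


def summarize(alerts):
    """Count alerts by origin so the two failure modes are visible at a glance."""
    return Counter(a["origin"] for a in alerts)


if __name__ == "__main__":
    found = find_slammer_alerts(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["origin"]:8} {a["src"]} -> {a["dst"]}')
    print(dict(summarize(found)))
```

A real deployment would match on the packet payload as well as the port, and would take the internal ranges and log format from the sensor in use; the structure of the check (destination in the protected range, then classify by where the source sits) is what carries over.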

