Re: Usefulness of Network Intrusion Detection Systems

[James Riden <j.riden () massey ac nz>]

Thomas <TheTom () UnixIsNot4Dummies ORG> writes:

> Network-based IDSs should be limited to attacks on the
> network layer not the application layer.
<snip>
> Maybe people are just doing it for fun or to suffice the
> marketing hype... I do not know.

Yeah, we just do it for fun :p

> Additionally companies do not care much about switches, routers
> or web-servers. Sure they got bad PR if it is compromised or
> turned off but there is no direct lost of money connected with it.

Apart from n hours of my time investigating and fixing the problem,
usually at overtime rates? Potential compromise of confidential data?
The cost of having staff sitting around while critical servers are
down?

The IDS I run is an integral part of the detection and response to
network threats. Of course I do as much as I can about prevention, but
on a large network where everyone wants to be relatively free, you
will have compromises and attempted attacks; especially from worms
such as Blaster, Welchia, Sasser and Slammer.

The IDS helped us avoid any network downtime due to Sasser and if the
network is down, the cost of having staff sitting idle mounts up very
quickly indeed.

It does take a lot of work to manage, but IMHO it's a lot better than
having no idea what's going on in your network.

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.


---------------------------------------------------------------------------

---------------------------------------------------------------------------