IDS mailing list archives

Re: Usefulness of Network Intrusion Detection Systems


From: Thomas <TheTom () UnixIsNot4Dummies ORG>
Date: Thu, 27 May 2004 09:23:45 +0200


Additionally companies do not care much about switches, routers
or web-servers. Sure they got bad PR if it is compromised or
turned off but there is no direct loss of money connected with it.

Apart from n hours of my time investigating and fixing the problem,
usually at overtime rates? Potential compromise of confidential data?
The cost of having staff sitting around while critical servers are
down?

No problem, the staff is already there and paid. :)


The IDS I run is an integral part of the detection and response to
network threats. Of course I do as much as I can about prevention, but
on a large network where everyone wants to be relatively free, you
will have compromises and attempted attacks; especially from worms
such as Blaster, Welchia, Sasser and Slammer.

You talk about "attempted attacks". Information about several hundred
unsuccessful attacks from a worm is no information, just noise.


The IDS helped us avoid any network downtime due to Sasser and if the
network is down, the cost of having staff sitting idle mounts up very
quickly indeed.

It does take a lot of work to manage, but IMHO it's a lot better than
having no idea what's going on in your network.

Yes, that is right. And I see the value of network based IDS.
I don't say they are not useful but their use should be limited
to an area they belong to. The network, not the applications nor
the operating system in general.

Greeting,
Thomas




