IDS mailing list archives
RE: Usefulness of Network Intrusion Detection Systems
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 28 May 2004 12:55:43 -0400
Comments inline.
-----Original Message-----
From: Thomas [mailto:TheTom () UnixIsNot4Dummies ORG]
Sent: Thursday, May 27, 2004 3:24 AM
To: focus-ids () securityfocus com
Subject: Re: Usefulness of Network Intrusion Detection Systems

>>> Additionally companies do not care much about switches, routers or web-servers. Sure they got bad PR if it is compromised or turned off but there is no direct loss of money connected with it.

>> Apart from n hours of my time investigating and fixing the problem, usually at overtime rates? Potential compromise of confidential data? The cost of having staff sitting around while critical servers are down?

> No problem, the staff is already there and paid. :)

Yeah, but what about the cost of replacing them when they quit, because they're constantly working overtime without being compensated for it? Thinking they'll be indifferent about it is a rather pointy-haired attitude, I feel. And that's the security/IT staff; what about the rest of the company, sitting idle and unproductive while being paid?

>> The IDS I run is an integral part of the detection and response to network threats. Of course I do as much as I can about prevention, but on a large network where everyone wants to be relatively free, you will have compromises and attempted attacks; especially from worms such as Blaster, Welchia, Sasser and Slammer.

> You talk about "attempted attacks". Information about several hundred unsuccessful attacks from a worm is no information just noise.

What if it's a worm-infected host on your network? At that point, even if every other single machine (I'm thinking Sasser here) is patched, the attacks are unsuccessful, but it sure would be nice to be able to detect, identify and find the system in question. For us, IDS was hugely helpful in cleaning up, and in determining how Sasser got onto our back network to begin with.

>> The IDS helped us avoid any network downtime due to Sasser and if the network is down, the cost of having staff sitting idle mounts up very quickly indeed. It does take a lot of work to manage, but IMHO it's a lot better than having no idea what's going on in your network.

> Yes, that is right. And I see the value of network based IDS. I don't say they are not useful but their use should be limited to an area they belong to. The network, not the applications nor the operating system in general.

---------------------------------------------------------------------------
Current thread:
- Usefulness of Network Intrusion Detection Systems Thomas (May 25)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 28)
- RE: Usefulness of Network Intrusion Detection Systems Rob Shein (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Fields (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)