IDS mailing list archives

Re: IDS alerts / second - Correlation - Virtualization


From: william taft <willtaft () gmail com>
Date: Thu, 28 Jul 2005 21:10:04 -0400

On 7/26/05, Swift, David <dswift () ipolicynetworks com> wrote:
> And how would you propose to block something you can't detect?
>
> IPS actions are always on patterns of data, either packet level, or
> based on anomalous behavior (statistical, historical, protocol...).
>
> To argue otherwise is incomprehensible.


why -not- block something you can't understand?  why are we giving up
on using tools other than firewalls/IPS (i prefer 'layer 7 firewall'
to 'ips')?  handshaking does exist beyond TCP...applications,
authentication protocols, etc. all have 'handshakes'.  if you
authorize enough basic application traffic (i'll bet most of us use
only a handful of applications anyway), i think you'll probably close
many gaps.  IPS/layer7 firewall isn't the answer, but something must
be out there for this purpose.

On 7/26/05, Swift, David <dswift () ipolicynetworks com> continues:
> RDP is an allowed protocol to Windows. A Null Session is perfectly
> legitimate to Windows operating system.  CAT /ETC/PASSWD is a
> perfectly valid Unix command.

you've lost me here...are you saying that just to jam a square
technology into a round role?  you'd allow any access to /etc/passwd
from the outside into your DMZ?  from a non-administrative workstation
to a server?  i wouldn't.  why not block traffic you're not supposed
to see?  yes, block requests to /etc/passwd (and other naughty
actions) across all ports from the outside world into your dmz.  why
wouldn't you?

/will
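The policy Will is arguing for above, as an added illustration that is not part of the thread: admit only a short allowlist of application "handshakes" from the outside into the DMZ, and refuse a /etc/passwd request on any port in that direction. The zone names, the allowlisted ports, and the handshake prefixes are assumptions chosen for the example; the sample flows are constructed.

```python
"""
Added example (not from the mailing-list thread): a toy application-layer
policy check in the spirit of Will's reply. It is not any product's
implementation; zones, allowlist and handshake prefixes are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src_zone: str    # assumed zone labels: "outside", "dmz", "inside"
    dst_zone: str
    dst_port: int
    payload: bytes   # first bytes of the client-to-server stream


# Assumed allowlist of application handshakes: port -> (name, valid prefixes).
# "authorize enough basic application traffic" - only a handful of apps.
ALLOWED_APPS = {
    80:  ("http", (b"GET ", b"POST ", b"HEAD ")),
    443: ("tls",  (b"\x16\x03",)),          # TLS record: handshake, version 3.x
    25:  ("smtp", (b"EHLO ", b"HELO ")),
}

# Content that must never cross outside -> DMZ, regardless of port.
DENY_PATTERNS = (b"/etc/passwd",)


def classify(flow: Flow) -> tuple:
    """Return ("allow" | "deny", reason) for one flow."""
    # 1. Direction-specific content check first: this applies on every port,
    #    which is the "across all ports" point in the thread.
    if flow.src_zone == "outside" and flow.dst_zone == "dmz":
        lowered = flow.payload.lower()      # CAT /ETC/PASSWD is still caught
        hit = next((p for p in DENY_PATTERNS if p in lowered), None)
        if hit is not None:
            return ("deny", f"forbidden content {hit.decode()} on port {flow.dst_port}")

    # 2. Positive allowlist: a port that carries no authorised application is
    #    refused even if the protocol is "perfectly legitimate" to the OS.
    app = ALLOWED_APPS.get(flow.dst_port)
    if app is None:
        return ("deny", f"port {flow.dst_port} not in application allowlist")

    # 3. The stream must open with that application's handshake, not
    #    arbitrary bytes tunnelled over an allowed port.
    name, prefixes = app
    if not flow.payload.startswith(prefixes):
        return ("deny", f"port {flow.dst_port} payload is not a {name} handshake")
    return ("allow", name)


# Constructed sample flows for demonstration.
SAMPLES = [
    Flow("outside", "dmz", 80,   b"GET /index.html HTTP/1.1\r\n"),
    Flow("outside", "dmz", 8080, b"cat /etc/passwd\n"),
    Flow("outside", "dmz", 445,  b"\x00\x00\x00\x85\xffSMB"),   # null-session style
    Flow("outside", "dmz", 80,   b"\x00\x01junk-over-port-80"),
    Flow("outside", "dmz", 443,  b"\x16\x03\x01\x00\xa5\x01"),
]


def run_samples():
    """Classify every constructed sample and return the verdicts."""
    return [classify(f) for f in SAMPLES]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLES, run_samples()):
        print(f"{flow.src_zone}->{flow.dst_zone}:{flow.dst_port:<5} {verdict}")
```

The ordering matters: the content check runs before the allowlist, so a forbidden string on an otherwise permitted port (80) is still refused, and a permitted port whose stream does not open with the expected handshake is refused too. A real deployment would match on reassembled streams rather than the first bytes of a single packet.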
