IDS mailing list archives

RE: IDS and Spywares


From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Sat, 15 Oct 2005 09:59:28 +0100

Hi Frank,

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Saturday, October 15, 2005 9:26 AM

Same way IDS, HIDS, Antivirus all are protecting the
networks, hosts at different layers... Leaving the
Network administrators with least administrative
work...

Well, it seems that they are all failing then, since spyware, worm, and
viruses are still making their rounds! Airlines still suffer outages
from Internet worms, as do car manufacturers (to name just a few recent
high profile cases).

And it seems we don't trust those added layers either since we're still
nervous on every patch Tuesday with fears of worms to the announced
vulnerabilities.

As for leaving admins with admin work, that doesn't seem to be justified
if they are spending more and more time administrating all those gadgets
that are getting bolted on to protect the rotten cores, including
applying patches to the security products which themselves are
vulnerable to the same issues they are trying to prevent in the first
place.

Yeah, call me a purist and laugh at me for throwing up the caution flag
every chance I get, but someone has to :)  If no one raises concerns
about the industry getting out of control, then we might just believe
that all is well and continue blissfully towards our doom.

Sorry for that Frank, I was too quick to answer and should have picked
better words (it was not my intention to offend or attach a label to you).
We all do understand your point. I just wanted to say that it is very
difficult to reach security with that approach (which is correct,
nonetheless) :-).

Now talking seriously, there exist products that implement security shells
within what we consider more insecure systems by design. Also, hIPSes with a
whitelist approach tend to take this approach as well, which is why I defend
these particular solutions a lot. I agree that they are still patches since
the solution is not integrated within the operating system, where it should
be. But these kinds of patches tend to get us closer to the best technical
solutions available (that you pointed out).

As for your forecast, I personally believe that enough pressure is mounting
so that creators of those operating systems start implementing more
effective security solutions within the O.S, before we reach doom. But it
might still be too early to tell which one will be right, and I really hope
it is me :-)

Kind regards,

Omar Herrera

