Full Disclosure mailing list archives

RE: The usefullness of IDSes (Was: Re: Is Marty Lying?)


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Tue, 23 Sep 2003 20:39:35 +0200

On Tue 23/09/2003 at 10:01, Philippe Bogaerts wrote:
> I totally agree. An IDS for auditing firewall or other policies can be
> useful, if properly configured.

Agree.
In conjunction with a conventional audit or open pentest, a well-configured
IDS framework can point out where the security policy is broken.

> I simply hate the fact that most vendors position their IDS product as an
> attack-blocking device. The only thing they can actually do is RST TCP
> connections (sometimes). My opinion is that this is quite a simple and
> basic method for doing attack blocking.

It is a simple and basic one, but sometimes ineffective. Just think of
Slammer, which uses a single UDP packet to replicate. Even if your IDS can
detect this, it is already too late.

The thing I really hate is IDS vendors that come to you with a "my IDS
can do all the blocking stuff for you". I went to an IDS demo with an
old, badly configured FW1 firewall, an IIS 4 web server and a root'o'matic
WuFTPd. First part: the cracker can go through and root everything. Second
part: I plug in my IDS sensors, enable the FW1 plugin, and see, all attacks
are blocked! You're now secure. I hate this. I really do (and people
from this IDS vendor seem to hate me as well now ;)).

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
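An added illustration of the point made in the message above (a constructed model written for this page, not code from the poster or from any IDS product): a passive sensor on a tap whose only response is a TCP RST. The signatures, ports, packet sizes and payloads below are made up for the example. It replays a multi-packet TCP exploit and a single-datagram UDP worm past the sensor and counts what reached the host before the reset could take effect. It also shows the case the message does not spell out: for a multi-packet TCP exploit the RST can still cut off later stages, although the packet that triggered the alert has already passed the tap, and the result depends on how fast the sensor reacts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""
    flags: str = ""     # TCP flag letters, e.g. "S", "PA"; unused for UDP


# Constructed stand-in signatures: (protocol, destination port, payload prefix).
# These are not real IDS rules, just enough to make the sensor fire.
SIGNATURES = {
    "udp-single-datagram-worm": ("udp", 1434, b"\x04\x01\x01\x01"),
    "tcp-ftp-site-exec": ("tcp", 21, b"SITE EXEC "),
}


def match_signature(pkt):
    """Return the name of the first signature the packet matches, or None."""
    for name, (proto, dport, prefix) in SIGNATURES.items():
        if pkt.proto == proto and pkt.dport == dport and pkt.payload.startswith(prefix):
            return name
    return None


def replay_passive_ids(stream, reaction_delay=1):
    """Replay a packet stream past a passive (tap/SPAN) sensor that can only send TCP RST.

    The sensor is not inline, so every packet it inspects is delivered to the host at
    the same moment it is inspected. On a match it sends a RST that tears the TCP
    session down after `reaction_delay` further packets; packets of that session that
    arrive later count as blocked. A UDP datagram has no session to reset, so nothing
    can be done about it. Returns one record per alert with the payload bytes that
    reached the host from the alert onwards and the bytes the RST kept off it.
    """
    reset_from = {}   # flow -> stream index from which the TCP flow is considered dead
    alerts = []
    for idx, pkt in enumerate(stream):
        flow = (pkt.proto, pkt.sport, pkt.dport)
        if pkt.proto == "tcp" and flow in reset_from and idx >= reset_from[flow]:
            for a in alerts:
                if a["flow"] == flow:
                    a["blocked"] += len(pkt.payload)
            continue
        # Not (yet) reset: the host receives the packet whatever the sensor thinks of it.
        for a in alerts:
            if a["flow"] == flow:
                a["delivered_after_alert"] += len(pkt.payload)
        name = match_signature(pkt)
        if name is not None:
            alerts.append({
                "alert": name,
                "flow": flow,
                "rst_sent": pkt.proto == "tcp",
                # The packet that triggered the alert has already gone past the tap,
                # even with reaction_delay=0.
                "delivered_after_alert": len(pkt.payload),
                "blocked": 0,
            })
            if pkt.proto == "tcp":
                reset_from[flow] = idx + reaction_delay
    return alerts


def attack_streams():
    """Constructed traffic for the two cases discussed (attacker-side packets only)."""
    ftp_exploit = [
        Packet("tcp", 40001, 21, flags="S"),
        Packet("tcp", 40001, 21, b"USER ftp\r\n", "PA"),
        Packet("tcp", 40001, 21, b"PASS a@b\r\n", "PA"),
        Packet("tcp", 40001, 21, b"SITE EXEC " + b"%p" * 40 + b"\r\n", "PA"),  # sensor fires here
        Packet("tcp", 40001, 21, b"\x90" * 200 + b"<shellcode>", "PA"),        # later stage
    ]
    udp_worm = [
        # One 376-byte datagram (constructed): infection is complete once it is received.
        Packet("udp", 53000, 1434, b"\x04\x01\x01\x01" + b"\x01" * 372),
    ]
    return ftp_exploit, udp_worm


if __name__ == "__main__":
    for stream in attack_streams():
        for a in replay_passive_ids(stream):
            print(f"{a['alert']}: rst_sent={a['rst_sent']} "
                  f"delivered={a['delivered_after_alert']} blocked={a['blocked']}")
```

With the default one-packet reaction delay the FTP session loses its second stage to the RST, but the 92-byte packet that triggered the alert was already on the host; raise `reaction_delay` to 2 and the whole exploit goes through. The UDP datagram is delivered in full and `rst_sent` is False, which is the Slammer case from the message.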

