Full Disclosure mailing list archives
Re: Suggestion for IDS
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 28 Sep 2005 07:01:34 -0400 (EDT)
On Wed, 28 Sep 2005 Valdis.Kletnieks () vt edu wrote:

> In a nutshell I would go with Sentivist.
> http://www.nfr.com/solutions/download/HotPick-IPS-Review.pdf
> For brief summaries of some other products: http://www.networkintrusion.co.uk/inline.htm
>
> All depends on the inbound packet rate, how fast the IDS is, and how much RAM you're willing to buy. Just remember that a sufficiently long queue is in itself a denial of service... ;)

A possibly even worse threat is an out of sync admin :O

> Just remember to configure the thing sensibly - it's amazing how many people manage to shoot themselves in the foot, and find out the hard way that yes, Virginia, there ARE people out there that will forge packets with the source IP address of the victim's nameserver... ;)

Many IPS', whether it's a HIP or NIP, have (or at least should have) capabilities of assessing "0-day" threats and generating rules off of them. Even for those *PS products that do, those same "out of sync" admins will get lost in the sauce no matter what they buy. Personally I think it becomes the job of the admin to assess threats and stay in tune with what's going on in the industry. Keep up to date with any new threats and step it up from there. "THAT" however becomes a bump in the road since too many admins are lazy.

> It's *very* important to talk about definitions - there's waaay too many people who buy an IDS and think that by hooking it to the net, it magically becomes an IPS.

Way too many people also have become accustomed to dropping dollars on the table of INSERT_CORP_HERE thinking they can buy an all inclusive security solution, only to find that it failed.

> An equally great number buy some IPS or other, and find out the hard way that they don't block a 0-day or a new worm.....
I'd say from my own experience that someone WITH experience can craft their own IPS out of an IDS and call it a day, saving money for their company and possibly creating something equal to, if not better than, some products. On my little network at work I've managed to substitute many products and appliances for what's freely available on the open source scene with some carefully thought out and diagrammed programs that I audit pretty much daily. There's nothing better for me than to be able to modify something to my needs, rather than sit and wait until vendor_x's next release because they didn't implement something. It's also better for me to be able to add a line or two based on some thread of a new attack as opposed to sitting around and waiting for vendor_x to verify if something is a threat or not.

While I do agree with the statement made, "Quite frankly, anybody who already has a PIX installed and wants to install an IPS needs to quantify *exactly* what protection the PIX is failing to provide before they go shopping for anything", to a degree, I also disagree with that statement since it alludes to the thinking that solely a PIX will save your ass. It won't, nor will any other firewall, nor will any other product combined with any OTHER product and so on.

/* REDUNDANT COMMENT */ "You are the weakest link..." People fail miserably. Products can only do what they're told, but no matter how many acronymed buzzwords you want to throw around ("Super Hip Intelligent Threading"), it's still SHIT unless you have the ability to use your own common sense, experience, knowledge, etc.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why explain the gravity that drove you to this..." Assemblage

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
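The quoted warning about forged packets carrying the source address of the victim's own nameserver is the classic way an auto-blocking IPS is turned into a self-inflicted denial of service. The following is an added illustration, not code from the thread or from any product it mentions: a small guard that sits between alert counting and the block action, so that sources on an operator-maintained protected list (resolvers, gateways, upstream ranges) are never blocked automatically and are instead handed to a human. All addresses, the protected list and the alert stream are constructed sample data, and the function names are assumptions for the example.

```python
"""Guard around automatic IPS blocking (added example, not from the post).

A naive "block whatever source tripped the rule" policy lets an attacker
spoof the victim's own resolver and get it blocked. Sources on the protected
list are therefore routed to review instead of to the block list.
"""
import ipaddress
from collections import Counter

# Constructed sample: addresses an operator would put off-limits to auto-blocking.
PROTECTED = [
    "192.0.2.53/32",      # the site's recursive nameserver (example address)
    "192.0.2.1/32",       # default gateway
    "198.51.100.0/24",    # upstream provider's management range
]

# Constructed sample alert stream: (source address, signature name).
ALERTS = [
    ("203.0.113.7", "SCAN portsweep"),
    ("203.0.113.7", "SCAN portsweep"),
    ("203.0.113.7", "SCAN portsweep"),
    ("192.0.2.53", "DNS spoofed reply"),   # forged source = our own resolver
    ("192.0.2.53", "DNS spoofed reply"),
    ("192.0.2.53", "DNS spoofed reply"),
    ("203.0.113.9", "SCAN portsweep"),     # below threshold, no action
]


def load_protected(entries):
    """Parse the protected list into network objects once, up front."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_protected(addr, protected):
    """True when addr falls inside any protected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in protected)


def decide_blocks(alerts, protected_entries=PROTECTED, threshold=3):
    """Return (block, review).

    block:  sources that reached the alert threshold and may be auto-blocked.
    review: sources that reached the threshold but are protected; a storm of
            alerts attributed to your own resolver is itself a sign of spoofing
            and needs a person, not a firewall rule.
    """
    protected = load_protected(protected_entries)
    counts = Counter(src for src, _ in alerts)
    block, review = [], []
    for src, n in sorted(counts.items()):
        if n < threshold:
            continue
        (review if is_protected(src, protected) else block).append(src)
    return block, review


if __name__ == "__main__":
    blocked, flagged = decide_blocks(ALERTS)
    print("auto-block:", blocked)
    print("needs human review (protected source, possibly spoofed):", flagged)
```

With the sample stream, the scanning host is blocked while the alerts attributed to the resolver are flagged rather than acted on; the threshold parameter is the same knob the thread's queue remark points at, since a low threshold trades fewer queued packets for more false blocks.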
Current thread:
- Re: Suggestion for IDS, (continued)
- Re: Suggestion for IDS Joel Esler (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Reto Inversini (Sep 28)
- RE: Suggestion for IDS Randall M (Sep 29)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Lew Wolfgang (Sep 28)
- IDS features (was: Suggestion for IDS) Alejandro Barrera (Sep 28)
- Re: IDS features (was: Suggestion for IDS) Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Kevin Pawloski (Sep 28)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Paul S. Brown (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Paul S. Brown (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)