Firewall Wizards mailing list archives

Re: Intrusion Detection


From: darrenr () reed wattle id au
Date: Thu, 16 Apr 1998 02:12:41 +1000 (EST)

In some email I received from Gary Crumrine, sie wrote:
[...]
 Unfortunately, IDS systems seem to be the hot ticket these days.  Forensic 
tools are not, and will not be in my opinion until the legal system has had 
more time to establish legal precedence.  Business owners looking for tools 
these days are going to ask one very important question.  What value is 
added with an IDS versus NFR.  I can clearly demonstrate what an IDS gives 
me, the NFR concept is not so clear.

I think viewing the NFR as an IDS product (only) is taking a too narrow view
of what NFR is.

Yes, you can make an IDS with NFR, but NFR isn't limited to being an IDS.

NFR is aimed at providing you information about what's going on around your
network.  What you do with that information and how you collect/process it
with NFR is up to you.

An IDS, on the other hand, fits the same model as the firewall: it's built
to detect *known* metrics and "do things" based on some sort of rule base.
If something happens which it hasn't been programmed to recognise, there's
a good chance it will just be ignored as being part of the "regular flow
of irregular traffic".

I think a lot of what the product is aimed at being can be gleaned from the
name "NFR" - "Network Flight Recorder".  Whether it's `there' yet, I don't
know - ask Marcus :)  But, wouldn't it be an advantage to be able to "roll
back" some log and be able to trace what happened on your network at time X
when host Y was involved with hosts A and B in doing C?  Whether it is a
break-in attempt or someone attempting to surf XXX rated sites, should be
of no consequence - hopefully enough information is being recorded to show
who/what/where/why 24 hours or more later.

Darren
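The contrast Darren draws above, a rule base that only reports what it was told to look for versus a recorder you can "roll back" to see what host Y did around time X, can be shown in a few dozen lines. The following is an added example, not code from the original post and not NFR's own code: it keeps constructed flow records in memory, runs a one-rule signature check over them, and then answers the flight-recorder question (which hosts did Y talk to in a window around X, and what was the largest transfer) from the same records. The hosts, times and byte counts are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One recorded connection summary: who talked to whom, when, over what."""
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


T0 = datetime(1998, 4, 16, 3, 0)          # hypothetical base time for the sample
AT = T0 + timedelta(minutes=10)           # "time X" in the question below
LATER = T0 + timedelta(hours=11)          # a time well outside the window

# Constructed sample records; none of these come from a real capture.
SAMPLE_FLOWS = [
    Flow(T0 + timedelta(minutes=5),  "10.0.0.5",  "10.0.0.9",  "tcp", 23,   1200),       # telnet: matches a rule
    Flow(T0 + timedelta(minutes=8),  "10.0.0.5",  "10.0.0.9",  "tcp", 22,   4800),       # ssh: no rule
    Flow(T0 + timedelta(minutes=12), "10.0.0.5",  "192.0.2.7", "tcp", 8080, 9_000_000),  # large transfer: no rule
    Flow(T0 + timedelta(minutes=14), "10.0.0.20", "10.0.0.5",  "tcp", 80,   300),        # web hit against Y
    Flow(T0 + timedelta(minutes=9),  "10.0.0.30", "10.0.0.31", "udp", 53,   90),         # unrelated DNS
    Flow(LATER,                      "10.0.0.5",  "192.0.2.7", "tcp", 8080, 2000),       # same pair, hours later
]

# A minimal rule base: a signature IDS reports only what the rules describe.
RULES = [("tcp", 23, "cleartext telnet session")]


def ids_alerts(flows, rules=RULES):
    """Signature-style detection: anything not named by a rule passes silently."""
    return [
        (f.ts, f.src, f.dst, name)
        for f in flows
        for proto, port, name in rules
        if f.proto == proto and f.dport == port
    ]


def roll_back(flows, host, at, window=timedelta(minutes=30)):
    """Flight-recorder style query: every recorded flow touching `host`
    within +/- `window` of `at`, oldest first."""
    lo, hi = at - window, at + window
    return sorted(
        (f for f in flows if host in (f.src, f.dst) and lo <= f.ts <= hi),
        key=lambda f: f.ts,
    )


def peers_of(flows, host, at, window=timedelta(minutes=30)):
    """The set of other hosts `host` exchanged traffic with around `at`."""
    return {f.dst if f.src == host else f.src for f in roll_back(flows, host, at, window)}


def largest_transfer(flows, host, at, window=timedelta(minutes=30)):
    """The single biggest flow involving `host` around `at`, or None."""
    hits = roll_back(flows, host, at, window)
    return max(hits, key=lambda f: f.nbytes) if hits else None


if __name__ == "__main__":
    print("IDS alerts:", ids_alerts(SAMPLE_FLOWS))
    print("Peers of 10.0.0.5 around", AT, ":", sorted(peers_of(SAMPLE_FLOWS, "10.0.0.5", AT)))
    print("Largest transfer:", largest_transfer(SAMPLE_FLOWS, "10.0.0.5", AT))
```

The rule base sees only the telnet session; the 9 MB push to 192.0.2.7 raises nothing because no rule describes it, yet it is the first thing the roll-back query returns when someone asks what 10.0.0.5 was doing at time X. The same stored records answer both questions; the difference is whether the question was known in advance.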


