Firewall Wizards mailing list archives
Re: When to do something about detected attacks (was Re: how to do...)
From: tqbf () secnet com
Date: Thu, 16 Apr 1998 00:15:31 -0500 (CDT)
One of my biggest criticisms of IDS's, security scanners, and security programs in general is that they look for security problems, rather than gathering information and process it with a security mindset. The
I think this is a poor generalization. Security scanners don't necessarily "look for holes instead of valuable configuration information"; they tend to look for both. The problem here is that you can't always (or even usually) analyze general configuration information and accurately obtain a picture of which vulnerabilities are present. You can collect "general" information such as the network topology, operating systems of all the machines, and the services they run, and "process it from a security mindset" to say "suchandsuch a machine is probably vulnerable to this problem". The information you obtain from this type of analysis is probably going to be inaccurate. The need for accurate results is what drives tools like misuse detectors and security scanners to look for known patterns of abuse or vulnerability (respectively). A valid criticism (and this may be the criticism you are making) against these types of systems is that they don't do enough analysis of the information they obtain and don't report the general information (rather than the specific low-level vulnerabilities) well enough. This is different from the question of whether the information is collected at all, though. ----------------------------------------------------------------------------- Thomas H. Ptacek Secure Networks, Inc. ----------------------------------------------------------------------------- http://www.enteract.com/~tqbf "mmm... sacrilicious"
Current thread:
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing0 (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Aleph One (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) tqbf (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 20)
- <Possible follow-ups>
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 22)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing0 (Apr 15)