Firewall Wizards mailing list archives
Re: When to do something about detected attacks (was Re: how to do...)
From: zen () trouble org (d)
Date: Wed, 15 Apr 1998 22:31:58 -0700
>> One of my biggest criticisms of IDS's, security scanners, and security programs in general is that they look for security problems, rather than gathering information and processing it with a security mindset. The
> I think this is a poor generalization.

Well, I don't ;-)

> Security scanners don't necessarily "look for holes instead of valuable configuration information"; they tend to look for both.

I never mentioned configuration information, so I don't know who you're quoting here. I'm talking about *any* information. And I said in my experience; I'm not trying to map this assumption onto all things.

> The problem here is that you can't always (or even usually) analyze general configuration information and accurately obtain a picture of which vulnerabilities are present.

Exactly my point. The data should be kept, however, so that if you ever *do* get the analysis down, you don't have to go back (if it's even possible) and regather the stuff.

> You can collect "general" information such as the network topology, operating systems of all the machines, and the services they run, and "process it from a security mindset" to say "such-and-such a machine is probably vulnerable to this problem". The information you obtain from this type of analysis is probably going to be inaccurate.

Of course; we have a long way to go before we get anything that remotely gives us what we'll want, either now or later.

> A valid criticism (and this may be the criticism you are making) against these types of systems is that they don't do enough analysis of the information they obtain and don't report the general information (rather than the specific low-level vulnerabilities) well enough. This is different from the question of whether the information is collected at all, though.

That wasn't my criticism, or point, at all.

dan
Current thread:
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing) (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Aleph One (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) tqbf (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 20)
- <Possible follow-ups>
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 22)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing) (Apr 15)