Firewall Wizards mailing list archives
Re: The value of detecting neutralized threats. (was RE: IDS bla
From: Joe LoBianco <joe_lobianco () securecomputing com>
Date: Fri, 29 Jan 1999 00:25:19 -0500
In any case, I think the crux of the matter is that security involves applied theory, subject to financial, personal, and political constraints. Thus, a generic consensus on what is an appropriate threshold for intrusion detection is neither productive nor necessary. As has been pointed out, it is even more pointless to attempt to divide organizations across arbitrary lines (government, military, corporate, educational), as the needs of users within large organizations or sectors are disparate enough that a canned solution will serve no single entity well. Obviously, you have to know the client well enough to generate solutions that fit his needs and budgets; it's part of the job.
I think Vik has hit the nail on the head. Security professionals have been preaching for some time that no one security solution will be suitable for every organization, and for large organizations needs will vary within the organization itself. For this reason it would be silly to attempt to come to an agreement on the *best* way to do IDS.

On another note... Having listened to the debate on the value of external or DMZ based IDS, I was struck by the fact that no one (to my knowledge) has pointed out the traffic that the external IDS will not catch, but that the internal one will. Namely, attacks that originate from the internal, trusted network. We all know that a large amount of unauthorized access comes from the inside, so shouldn't this play a role? If 50% (or whatever) of the attacks come from the inside, that makes the external IDS useless in detecting half of the attempts. Surely this must play a role in deciding how much time/money is spent on external IDS, right?

Can someone comment on the relative difficulty of detecting internal attacks? I would imagine in some ways it must be more difficult (more subtle break-ins), yet easier in other ways (tracking down the individual).

P.S. Maybe this discussion should be taken to another list? I imagine there are those who want to read about firewalls but *not* about IDS!

-----
Joe LoBianco, CISSP
Network Security Specialist
Secure Computing Corporation
joe_lobianco () securecomputing com
Phone: +1.416.815.3038
Fax: +1.416.815.3001
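The sensor-placement point above can be made concrete with a small coverage model. This is an added example, not code from the thread or from any of the posters: the address plan (10/8 inside, an RFC 5737 documentation range for the DMZ) and the attack records are constructed, and the two sensors are modelled simply as "sees any flow with an Internet endpoint" (external, outside the firewall) and "sees any flow with an inside endpoint" (internal segment).

```python
import ipaddress

# Constructed address plan for the example (RFC 5737 documentation ranges for
# the DMZ and outside hosts); adjust to the real site before reusing.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def zone(ip: str) -> str:
    """Classify an address as 'internal', 'dmz' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in INTERNAL_NETS):
        return "internal"
    if any(addr in n for n in DMZ_NETS):
        return "dmz"
    return "internet"

def visible_to(sensor: str, src: str, dst: str) -> bool:
    """Assumed tap positions: the external sensor sits outside the firewall and
    only sees flows with an Internet endpoint; the internal sensor sits on the
    inside segment and sees every flow that touches it."""
    zones = {zone(src), zone(dst)}
    if sensor == "external":
        return "internet" in zones
    if sensor == "internal":
        return "internal" in zones
    raise ValueError(f"unknown sensor {sensor!r}")

def coverage(attacks, sensors=("external", "internal")) -> dict:
    """Fraction of the attack list each sensor placement would observe."""
    return {s: sum(visible_to(s, src, dst) for src, dst in attacks) / len(attacks)
            for s in sensors}

def unseen_by(sensor: str, attacks) -> list:
    """Attacks that a given placement can never alert on, whatever its rules."""
    return [(src, dst) for src, dst in attacks if not visible_to(sensor, src, dst)]

# Constructed attack records (source, destination); four of six start inside.
ATTACKS = [
    ("203.0.113.5", "192.0.2.10"),   # Internet -> DMZ web host
    ("203.0.113.7", "10.1.1.20"),    # Internet -> inside host
    ("10.2.3.4", "10.1.1.50"),       # inside -> inside
    ("10.5.5.5", "192.0.2.10"),      # inside -> DMZ
    ("10.7.7.7", "203.0.113.9"),     # inside -> Internet (outbound)
    ("10.9.9.9", "10.1.1.50"),       # inside -> inside
]

if __name__ == "__main__":
    for sensor, frac in coverage(ATTACKS).items():
        print(f"{sensor:8s} sensor sees {frac:.0%} of attacks")
    print("missed by external:", unseen_by("external", ATTACKS))
```

With this constructed set the external sensor sees exactly half of the attacks and the inside-to-inside ones are invisible to it regardless of signature quality, which is the budget argument the message makes.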