Firewall Wizards mailing list archives

Re: Automated IDS response


From: Paul Cardon <paul () moquijo com>
Date: Wed, 16 Feb 2000 21:39:13 -0500

"Marcus J. Ranum" wrote:
> Crumrine, Gary L wrote:
> > When IDS systems first hit the streets a couple of years ago, I think many
> > were caught up in all the GA-GA bells and whistles marketing hype that
> > accompanied their release.  After some time to evaluate the products and
> > adjust our thought processes on how they are implemented, I think we have
> > come full circle on their usefulness and I know we are a lot wiser in our
> > implementation.
>
> And it's about time, too. A lot of the early IDSs promised things
> that were patently ridiculous - kind of like the early generation
> of firewalls did. ("If you have a firewall, you don't need to worry
> about the security of the rest of your network...")  Now I think
> a lot of reality has set in. People have discovered that IDS is a
> useful tool if deployed correctly, and that it is valuable for
> learning what's going on inside and out of the network, but nobody
> expects that it'll somehow act like William Gibson-esque "ICE"
> and automatically "heal" a broken network or backtrack and destroy
> the bad guys.

For an IDS to be deployed correctly, it helps to know something about
the network to begin with.  The IDS is then valuable for learning MORE
about what's going on and iteratively and selectively adding that
knowledge to the IDS policy.  Customers thought they could just buy it
and plug it in.  I have seen too many useless IDS implementations that
occur because there isn't enough initial clue to get the feedback loop
rolling and keep it rolling.  Of course, the better IDS consultants are
certainly staying busy these days...

-paul
