Firewall Wizards mailing list archives
Re: Automated IDS response
From: Paul Cardon <paul () moquijo com>
Date: Wed, 16 Feb 2000 21:39:13 -0500
"Marcus J. Ranum" wrote:
> Crumrine, Gary L wrote:
> > When IDS systems first hit the streets a couple of years ago, I think many were caught up in all the GA-GA bells and whistles marketing hype that accompanied their release. After some time to evaluate the products and adjust our thought processes on how they are implemented, I think we have come full circle on their usefulness and I know we are a lot wiser in our implementation.
>
> And it's about time, too. A lot of the early IDS' promised things that were patently ridiculous - kind of like the early generation of firewalls did. ("If you have a firewall, you don't need to worry about the security of the rest of your network...") Now I think a lot of reality has set in. People have discovered that IDS is a useful tool if deployed correctly, and that it is valuable for learning what's going on inside and out of the network, but nobody expects that it'll somehow act like William Gibson-esque "ICE" and automatically "heal" a broken network or backtrack and destroy the bad guys.
For an IDS to be deployed correctly, it helps to know something about the network to begin with. The IDS is then valuable for learning MORE about what's going on and iteratively and selectively adding that knowledge to the IDS policy. Customers thought they could just buy it and plug it in. I have seen too many useless IDS implementations that occur because there isn't enough initial clue to get the feedback loop rolling and keep it rolling. Of course, the better IDS consultants are certainly staying busy these days...

-paul