IDS mailing list archives

Re: IDS is dead, etc


From: Bennett Todd <bet () rahul net>
Date: Fri, 8 Aug 2003 13:40:21 -0400

2003-08-08T13:24:46 Scott Wimer:
> I think we are on the same page as to the utility of IDS systems.

Agreed.

> Where we differ is in our estimation of the level of vulnerability of
> software that is "known" to be good and secure.

I'm not convinced this is true. I feel that you're putting words in
my mouth. Unless I'm misunderstanding you, you seem to be responding
to a claim that one can have perfectly secure software. I've not
made such a claim, and will stand beside you refuting it. Perhaps
once again my poor choice of words in that initial statement
"perfect firewall" is biting me.

> The number of systems that are backdoored -- today, and the number
> of non-public vulnerabilities and exploits is slightly disturbing.

Sure --- but unless the black hats are the folks selling the IDSes,
the IDSes won't catch these secret exploits anyway.

> Although, some will argue that the more behavioral oriented NIDS
> have moved past that point.

I've heard of one device that I can believe can alert on a
heretofore totally unknown exploit. Not all of 'em, of course, but
some. That's Mazu Networks's enforcer/profiler gizmos. I myself
wouldn't call 'em an IDS, I think they're something different, much
more valuable, and their IDS functionality is the smallest part of
what they're good at. To my tastes, their host classification and
"what-if" modelling are the really hot capabilities. If they were as
affordable as an IDS, then I think they'd help bolster your claim,
but they really are something else and different.

IDSes detect known exploits, and sometimes heretofore unknown
exploits of clearly known and understood vulnerabilities.

-Bennett
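An added illustration of Bennett's closing point (not code from either poster): a rule written against the bytes of a known exploit fires only on that exploit, while a rule written against the condition of a known, understood vulnerability also fires on a later variant the rule author never saw. The service, the 64-byte limit, the "USER" line format and all four sample requests are constructed for this example; the "exploit" strings are placeholders, not real payloads.

```python
"""
Two styles of network IDS rule applied to constructed sample requests.

Scenario (hypothetical): a fictional line-based service reads a
"USER <name>" line and is assumed to mishandle names longer than 64 bytes.
"exploit-A" stands in for the first public exploit; "exploit-B" is a later
variant that fills the field differently.  Both are placeholder strings.
"""
import re

MAX_SAFE_NAME = 64  # hypothetical limit from the (fictional) advisory

# Constructed sample traffic: (label, raw request line as bytes)
SAMPLES = [
    ("benign",      b"USER alice\r\n"),
    ("long-benign", b"USER " + b"a" * 64 + b"\r\n"),                 # exactly at the limit
    ("exploit-A",   b"USER " + b"A" * 200 + b"PLACEHOLDER_A\r\n"),   # the published exploit
    ("exploit-B",   b"USER " + b"B" * 300 + b"PLACEHOLDER_B\r\n"),   # unseen variant
]

# Rule 1: exploit signature -- the distinctive bytes of the first public exploit.
EXPLOIT_SIGNATURE = re.compile(rb"A{100,}PLACEHOLDER_A")


def exploit_signature_alert(request: bytes) -> bool:
    """True if the request carries the published exploit's byte pattern."""
    return EXPLOIT_SIGNATURE.search(request) is not None


# Rule 2: vulnerability signature -- the condition that triggers the bug
# (an oversized USER field), independent of which bytes fill the field.
USER_LINE = re.compile(rb"^USER (?P<name>[^\r\n]*)\r\n")


def vulnerability_signature_alert(request: bytes) -> bool:
    """True if the USER field exceeds the length the service is assumed to handle."""
    m = USER_LINE.match(request)
    if m is None:
        return False
    return len(m.group("name")) > MAX_SAFE_NAME


def evaluate(samples=SAMPLES) -> dict:
    """Return {label: (exploit_rule_fired, vulnerability_rule_fired)} per sample."""
    return {
        label: (exploit_signature_alert(req), vulnerability_signature_alert(req))
        for label, req in samples
    }


if __name__ == "__main__":
    for label, (sig, vuln) in evaluate().items():
        print(f"{label:12s} exploit-signature={sig!s:5s} vulnerability-signature={vuln}")
```

Running it shows the exploit-byte rule missing "exploit-B" while the length-condition rule catches both exploit variants and stays quiet on the two benign lines; writing rules against the vulnerability condition is what lets a signature IDS catch a new exploit of an already understood bug.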
