IDS mailing list archives

RE: IDS is dead, etc


From: "Security Conscious" <mail () security-conscious com>
Date: Mon, 11 Aug 2003 12:56:23 -0400

Imho, a perfectly implemented firewall is one that optimally enforces
the access control policy of the organization.  Unfortunately, many
companies' access control policies require allowing insecure and/or
potentially vulnerable protocols into the network for e-commerce, office
productivity, etc.  I don't see this changing anytime soon.

How does this relate to IDS is Dead?  When companies open themselves up
to risk, they should audit what they cannot control (prevent).  I look
at IDS as an extension of the audit function and when the SEC stops
requiring companies to audit their financial statements, I'll believe IT
can stop auditing their networks and systems.

Chris Petersen
President/CTO
Security Conscious, Inc.
(703) 873-4739 (direct)
(301) 523-1989 (mobile)
chris () security-conscious com
www.security-conscious.com


-----Original Message-----
From: Scott Wimer [mailto:scottw () cylant com]
Sent: Friday, August 08, 2003 2:15 PM
To: Bennett Todd
Cc: Barry Fitzgerald; Tom Arseneault; 'Mark Tinberg'; 'Paul Schmehl'; focus-ids () securityfocus com
Subject: Re: IDS is dead, etc


Bennett,

Here's the quote about perfectly implemented firewalls that I think is
germane.  Hopefully I'm not taking it out of context:
      "A perfectly implemented firewall allows no protocols
      through for which there are vulnerable implementations
      inside. That means it's impossible to implement a
      perfect firewall if you're going to allow Windows
      users to have internet access."

I may very well be putting words in your mouth (for which I
apologize) when I write about the silliness of expecting that any
protocol will be implemented vulnerability-free -- on any platform.

Bennett Todd wrote:

I've heard of one device that I can believe can alert on a heretofore
totally unknown exploit. Not all of 'em, of course, but some. That's
Mazu Networks's enforcer/profiler gizmos. I myself wouldn't call 'em
an IDS, I think they're something different, much more valuable, and
their IDS functionality is the smallest part of what they're good at.
To my tastes, their host classification and "what-if" modelling are
the really hot capabilities. If they were as affordable as an IDS,
then I think they'd help bolster your claim, but they really are
something else and different.

After a brief review of Mazu's Profiler and Enforcer docs, I'm
curious how it handles attacks that come in via encrypted means.

I'm not convinced that a NIDS can be more than a network management
tool, with the caveat for things like floods of various types.  From
what I've seen, to detect and respond to all categories of exploits in
a timely manner requires some sort of defense mechanism implemented at
the host.  This prejudice may come from the work we do on host-based
IPS systems though.  But it's the only way I've seen to reliably stop
exploits, whether they are previously known or not.

Regards,
scottwimer
-- 
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 301-0370                        Moscow, ID 83843
There is no Security without Control.


---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------




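Scott's question about attacks arriving "via encrypted means", and his point that reliable detection ends up at the host, can be made concrete with a small simulation. This is an added example and not code from the thread, from Cylant, or from Mazu: a NIDS-style signature matcher is run once over raw wire bytes and once at the host after decryption. The signature (an overlong User-Agent header), the HTTP requests, the session key and the XOR keystream standing in for TLS are all constructed for the illustration; none of it describes a real vulnerability or a real product.

```python
"""Added illustration: a network-side signature check goes blind once
the session is encrypted, while the same check still works at the host,
which holds the session key and sees plaintext.

Everything here is constructed. The 'encryption' is a toy XOR keystream
standing in for TLS (never use it for anything real), and the signature
is an invented overlong-header pattern, not a real vulnerability.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed signature: a User-Agent header value of 256+ bytes, the
# kind of overlong-field pattern a NIDS rule might carry.
SIGNATURES = {
    "overlong-user-agent": re.compile(rb"User-Agent: [^\r\n]{256,}"),
}


def toy_keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over key||counter (assumed stand-in for TLS)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; symmetric, so it also decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, toy_keystream(key, len(plaintext))))


toy_decrypt = toy_encrypt


def network_inspect(wire_bytes: bytes) -> List[str]:
    """What a NIDS sees: the bytes on the wire, with no key material."""
    return [name for name, rx in SIGNATURES.items() if rx.search(wire_bytes)]


def host_inspect(wire_bytes: bytes, session_key: Optional[bytes]) -> List[str]:
    """What a host-resident checker sees: the same bytes after the host
    decrypts them with its session key; plaintext sessions pass straight through."""
    data = toy_decrypt(session_key, wire_bytes) if session_key else wire_bytes
    return network_inspect(data)


def build_request(user_agent: bytes) -> bytes:
    """Constructed HTTP request with a caller-supplied User-Agent value."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


def run_scenarios() -> List[Tuple[str, List[str], List[str]]]:
    """Return (label, network verdicts, host verdicts) for four constructed sessions."""
    benign = build_request(b"Mozilla/5.0")
    attack = build_request(b"A" * 512)          # overlong header, matches the signature
    key = b"constructed-session-key"            # assumed per-session key the host holds
    scenarios = [
        ("benign-plaintext", benign, None),
        ("attack-plaintext", attack, None),
        ("benign-encrypted", toy_encrypt(key, benign), key),
        ("attack-encrypted", toy_encrypt(key, attack), key),
    ]
    return [(label, network_inspect(wire), host_inspect(wire, k))
            for label, wire, k in scenarios]


if __name__ == "__main__":
    for label, net, host in run_scenarios():
        print(f"{label:18s} network={net} host={host}")
```

The plaintext attack is caught in both places; the encrypted attack is caught only at the host, because the wire bytes carry no recognizable header for the network matcher to find. That is the gap an out-of-band NIDS has with any encrypted protocol the firewall policy allows through, and it is independent of whether the exploit is previously known.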