IDS mailing list archives
RE: need help
From: "Bill Royds" <broyds () rogers com>
Date: Mon, 9 Aug 2004 13:33:13 -0400
An IDS is an alarm system. Like all alarm systems, it should be part of a security response plan, not just something isolated as a separate bell hanging on your computer installation. The main challenge in IDS, then, is integrating it with the rest of your security and IT systems so that it reflects the actual needs of your whole policy and is not just a source of false alarms that cost people sleep but do not actually add to security. This is why many modern IDS products are integrated with firewalls, network management systems, etc. They need to have knowledge of what is legitimate traffic on your system and what is traffic that is a threat. This tuning is best done by properly trained people, so their availability is one of the problems. The tuning can also be done by "smart" IDS programs that can analyze server and network configurations and build up a map of legitimate usage. Such systems can learn that you don't run any Unix software in your network, so that attacks on Unix systems are to be noted, but not alarmed. They also can note that you run other software, to be able to tune their alarms to the particular versions and patch levels of your software. This helps in many cases to improve your IDS sensitivity so that there are fewer false alarms. But there still need to be people who can respond to the legitimate alarms in the appropriate manner. Even the best IDS can only respond in ways in which it is programmed. Handling the situation to prevent problems still requires management and policy. An IDS that alarms when it finds a Trojan on a workstation trying to send corporate information to somewhere in the Ukraine can't stop the user from clicking on the web site that installed it without corporate policy and proper system management preventing this in the first place.
-----Original Message-----
From: Gudumba Raj MSc [mailto:nag_theindian () yahoo com]
Sent: Friday, August 06, 2004 11:07 AM
To: focus-ids () securityfocus com
Subject: need help

Hello,

I am on the way to analyze the present IDS products like Cisco, NFR, Juniper, Symantec, Tripwire IDS products. But testing isn't my job. But I would like to know what kinds of problems the present IDS products are facing. I have to address some of the challenges that the IDS world is facing. Could you please help me.

Thanks in advance.

=====
##############
Gudumba Raj (Naga Raj Peddisetty)
BjornkarrsGatan 11 c 33, Linkoping, SE-58436.
Fixed: +46-13-4731134, GSM: +46-731-521053.

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
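The asset-aware tuning described in Bill Royds' reply (an attack signature aimed at software a host does not run, or at a version it has already patched, is noted rather than alarmed, while an unknown host or an outbound Trojan connection is always alarmed), as an added worked example in Python. This is not code from the original post, from the list, or from any of the products named in the thread. The asset inventory, the signature metadata, the `sid=... src=... dst=...` alert line syntax and the sample alerts are all constructed for this example; no real sensor emits this format.

```python
"""Asset-aware IDS alert triage (added example, not from the original post).

Idea from the thread: an IDS that knows what the network runs can mark a
Unix attack against a Windows host as a note instead of an alarm, and can
tune on versions and patch levels.  Everything below is constructed sample
data: the inventory, the signature metadata and the alert line format
('sid=N src=A dst=B dport=P') are assumptions made for this example.
"""

from dataclasses import dataclass

# Constructed asset inventory: what each monitored host actually runs.
INVENTORY = {
    "10.0.1.10": {"os": "windows", "services": {"iis": "6.0"}},
    "10.0.1.20": {"os": "linux", "services": {"apache": "2.0.50", "openssh": "3.9"}},
    "10.0.1.30": {"os": "linux", "services": {"apache": "2.0.52"}},
}

# Constructed signature metadata.  target_os / service None = applies to any host;
# vuln_versions None = any version of that service.  Names are hypothetical.
SIGNATURES = {
    1001: {"name": "Unix shell metacharacters in HTTP URI",
           "target_os": {"linux", "unix"}, "service": None, "vuln_versions": None},
    1002: {"name": "hypothetical Apache 2.0.50 overflow",
           "target_os": {"linux", "unix"}, "service": "apache", "vuln_versions": {"2.0.50"}},
    1003: {"name": "hypothetical IIS 5.x overflow",
           "target_os": {"windows"}, "service": "iis", "vuln_versions": {"5.0", "5.1"}},
    1004: {"name": "workstation posting data to known dropper site",
           "target_os": None, "service": None, "vuln_versions": None, "direction": "outbound"},
}


@dataclass
class Verdict:
    sid: int
    host: str      # the monitored host the verdict is about
    action: str    # "alarm" = page someone; "note" = log only, keep for forensics
    reason: str


def parse_alert(line):
    """Parse the constructed 'key=value ...' alert line into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["sid"] = int(fields["sid"])
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def triage(alert, inventory=INVENTORY, signatures=SIGNATURES):
    """Decide whether an alert applies to the host it concerns.

    Downgrades happen only on positive knowledge that the attack cannot
    apply; lack of knowledge (unknown signature, unknown host) stays an alarm,
    so tuning never silently mutes the part of the network nobody mapped.
    """
    sig = signatures.get(alert["sid"])
    if sig is None:
        return Verdict(alert["sid"], alert["dst"], "alarm", "unknown signature; cannot tune")

    # Outbound signatures (the Trojan case in the thread) concern the source host.
    host = alert["src"] if sig.get("direction") == "outbound" else alert["dst"]
    asset = inventory.get(host)
    if asset is None:
        return Verdict(alert["sid"], host, "alarm", "host not in inventory; never mute unknown hosts")

    if sig["target_os"] and asset["os"] not in sig["target_os"]:
        return Verdict(alert["sid"], host, "note",
                       f"signature targets {sorted(sig['target_os'])}, host runs {asset['os']}")

    if sig["service"]:
        version = asset["services"].get(sig["service"])
        if version is None:
            return Verdict(alert["sid"], host, "note", f"host does not run {sig['service']}")
        if sig["vuln_versions"] and version not in sig["vuln_versions"]:
            return Verdict(alert["sid"], host, "note",
                           f"{sig['service']} {version} is not in the vulnerable set {sorted(sig['vuln_versions'])}")

    return Verdict(alert["sid"], host, "alarm", f"{sig['name']}: applicable to this host")


def triage_all(lines, inventory=INVENTORY, signatures=SIGNATURES):
    return [triage(parse_alert(line), inventory, signatures) for line in lines]


# Constructed sample alerts (addresses from documentation ranges).
SAMPLE_ALERTS = [
    "sid=1001 src=198.51.100.7 dst=10.0.1.10 dport=80",   # Unix attack at a Windows/IIS host
    "sid=1002 src=198.51.100.7 dst=10.0.1.20 dport=80",   # Apache 2.0.50: vulnerable version
    "sid=1002 src=198.51.100.7 dst=10.0.1.30 dport=80",   # Apache 2.0.52: already patched
    "sid=1003 src=198.51.100.7 dst=10.0.1.10 dport=80",   # IIS 5.x signature, host runs IIS 6.0
    "sid=1004 src=10.0.1.10 dst=203.0.113.9 dport=443",   # workstation sending data out
    "sid=1001 src=198.51.100.7 dst=10.0.2.99 dport=80",   # host nobody inventoried
]

if __name__ == "__main__":
    for v in triage_all(SAMPLE_ALERTS):
        print(f"{v.action.upper():5} sid={v.sid} host={v.host}: {v.reason}")
```

The "note" verdicts are still written to the log: the point of tuning is to stop paging people for attacks that cannot succeed, not to discard evidence that someone is probing the network. The two cases that the reply says tuning cannot remove, an outbound Trojan connection and a host the inventory does not cover, stay alarms regardless of signature metadata.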
Current thread:
- need help Naga Raju Peddisetty (Aug 09)
- <Possible follow-ups>
- need help Gudumba Raj MSc (Aug 09)
- RE: need help Bill Royds (Aug 09)
- Re: need help tcp fin (Aug 10)
- Re: need help Stefano Zanero (Aug 11)
- Re: need help tcp fin (Aug 16)
- RE: need help Javier Otero De Alba (Aug 09)