IDS mailing list archives
Re: Is IDS/IPS worthless?
From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Mon, 23 Feb 2004 15:09:55 -0500
At 06:53 PM 21/02/2004, Olaf Gellert wrote:
Hi Andrew and all,

Well, it seems to be like this: If you buy a firewall, you buy a definite plus in security. Even if you have to open it for some more ports than you would like, each blocked packet is a plus of security. If you install an IDS, you have nothing. You have a system that gathers huge amounts of information. This information has to be evaluated and so on, so the system does not add to your security in the first place, but it generates additional workload. It is even worse: The system does not make people feel better (like a firewall), but it may show you all the dangers coming from the net and the vulnerability of your own network. So a big part of this is simple psychology.
Well, shoot me if I'm wrong, but putting the NIDS sensor behind the firewall instead of in front of it (as you seem to imply) should BOTH reduce the number of "dangers" that you should normally care about (since the FW already blocks the ones we don't have to care about), and fill in the gap left by the false sense of security firewalls give (a firewall makes people feel better; that has to be the worst reason I ever heard to purchase a firewall) by applying intrusion detection techniques to the traffic that the firewall has let pass thru. Because firewalls let traffic pass thru, or else you wouldn't need a firewall at all since you'd be better off without an Internet connection. They just block traffic according to some rules in order to give access to some network services, and it is on the traffic related to these services that attention should be put.
So in this regard, I think it is pretty doubtful to claim that with IDS you have nothing and you just have a bigger workload. I think you involuntarily demonstrated one of the biggest issues with IDS: a lack of understanding of how the technology is to be applied, and how it is all inter-related and maintained.
If I were to prove my point of view with a metaphor, I'd say that your claim is like saying: "I've just purchased a new car, but I don't have a driver's license and never read the car's manual, but it's no big deal, I can drive it all right. I've noticed I have a button to switch headlights on, but I don't need it to drive at night and I think it's just a waste of battery power, I can see all right at night from the lamp posts and the lights from the other cars."
I'm not downplaying the role of firewalls here, but thinking they are sufficient by themselves still in 2004 is just asking for a reality check.
My 2 cents.

Adam Richard
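To illustrate the sensor-placement argument above, here is an added simulation that is not part of the original thread: a default-deny packet filter in front of a toy signature matcher, run once with the sensor outside the firewall and once behind it. The flows, the allowed-port policy and the three signatures are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    payload: bytes

# Constructed sample traffic (not real captures): what reaches the perimeter.
INBOUND = [
    Flow("203.0.113.5", 80, b"GET /index.html HTTP/1.0"),
    Flow("203.0.113.7", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Flow("198.51.100.9", 23, b"login: root"),
    Flow("198.51.100.9", 445, b"\\\\srv\\IPC$"),
    Flow("192.0.2.11", 25, b"EHLO mail.example.com"),
]

# Hypothetical firewall policy: only the services the site actually publishes.
ALLOWED_PORTS = {80, 25}

# Toy content signatures: (name, destination port, byte pattern).
SIGNATURES = [
    ("http-dir-traversal", 80, b"../"),
    ("telnet-cleartext-login", 23, b"login:"),
    ("smb-ipc-share-access", 445, b"IPC$"),
]

def firewall(flows):
    """Default-deny packet filter: pass only flows to published services."""
    return [f for f in flows if f.dport in ALLOWED_PORTS]

def nids(flows):
    """Signature matching over whatever traffic the sensor sees."""
    return [(name, f.src, f.dport)
            for f in flows
            for name, port, pattern in SIGNATURES
            if f.dport == port and pattern in f.payload]

def alerts_outside(flows):
    """Sensor in front of the firewall: every inbound flow is inspected."""
    return nids(flows)

def alerts_inside(flows):
    """Sensor behind the firewall: only traffic the firewall let pass thru."""
    return nids(firewall(flows))

if __name__ == "__main__":
    print("outside:", alerts_outside(INBOUND))  # 3 alerts, 2 on blocked ports
    print("inside: ", alerts_inside(INBOUND))   # 1 alert, on a published service
```

The two alerts that disappear behind the firewall concern ports the policy already drops, so they are exactly the "dangers we don't have to care about"; the traversal attempt against the published web service survives in both positions.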