IDS mailing list archives
RE: Useful NADS
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Thu, 1 Sep 2005 10:09:24 -0700
IPSs simply can't be deployed everywhere. How many organizations have you seen in which an IPS is placed at every location in which a Cisco router exists? NADS deployed with NetFlow gives the IT admin the ability to virtually inspect traffic at MANY locations throughout the network at once without the need for expensive inline hardware.
NADS is completely complementary to existing IPS technologies. They operate in very different ways and solve a different kind of problem.

Well, there are some IPSs that I would feel confident deploying everywhere, but that gets into a sales pitch and I won't torture the group with that. However, I agree that there are a lot of products being marketed as an IPS that are not reliable enough to deploy at every routing point.

The real reason IPS (or your product for that matter) cannot be deployed everywhere is because most organizations do not have an unlimited supply of cash to spend on boxes filled with wires. If you know of any that do have an unlimited supply of cash - by all means, send them my way. I have plenty of boxes filled with wires I can sell them.

Smart organizations, that practice good risk management, are looking to reduce the maximum number of risks for the least expenditure of cash. As such, YABOW (yet another box of wires) sitting on the network offering the POSSIBILITY of risk reduction is not as valuable as YABOW that offers ACTUAL risk reduction.

Furthermore, network insight is only useful if you can DO something with all that insight. I give a presentation called the Myths of Information Security. Myth #6 is "Awareness is Not Security." Being aware (or insightful) about a problem doesn't mean the problem goes away. You have to ACT on that. Without the ability to act, knowing there is a problem just makes things miserable. Thus, when deploying YABOW, organizations must be prepared to handle the data that comes from such a system. Otherwise, no point in even having it.

This is why I say NADS is a marginally interesting product. Mixed with an IPS that can detect and block known attacks, then I can see the value. But a stand-alone NADS probably isn't the best investment for most organizations. It would be better to focus on a solid IPS product or better VLAN ACLs.

Now, that much said, I do not have a lot of experience with Lancope's technologies. So, my opinions are not an attempt to discredit your specific technology. I am not qualified to do that. Merely I am sharing some high-level thoughts on the concept of NADS.

And stop giggling at my NADS!

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm