Full Disclosure mailing list archives

Re: Suggestion for IDS


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Thu, 29 Sep 2005 08:54:49 -0400

> I value your opinion on this subject as my knowledge about IDS is slim. Your
> suggestion below as I understand you basically says, from a company
> standpoint, IDS is not a solution? We were thinking in this line of using IDS
> along with IPS system too. We basically have nothing to inspect the high
> bandwidth usage or catching infection from mobile or desktops users and
> thought IDS and IPS would help. Your thought?

No .. IDS is not a "solution". Neither is an IPS (note .. IPS is an improvement on IDS .. the key is the 'D' being 'detection' and the 'P' supposedly meaning 'prevention'). The reason for this is you can't expect a network device to "protect" you from an attack due to administrative laziness or ineptitude.

Unless you put an IPS between everyone's NIC and their network connection, you'll never have *enough* of them to completely cover your network. Things will sneak in .. but an IPS may help them from spreading like wildfire.

Like any security *gizmo*, an IPS/IDS/Firewall/etc is just another piece of the puzzle .. but the *most* important piece is admins that know, understand, and religiously implement security on every system they bring up.

Now .. as for catching infections on mobile/desktop users .. you'll do well with most IDS/IPS products .. but remember .. in both cases, you're only identifying the problem. With the IPS, you're preventing it from going PAST the IPS, but not preventing it from infecting others on the same subnet, etc.

If bandwidth regulation is your objective .. you'd be much better off with something like Packeteer -- which many of us use to keep a lid on Kazaa/Bittorrent -- and to great success.

There are numerous ways to defeat an IDS/IPS .. to work, it's got to be able to "see" the traffic .. and there are any number of ways to defeat that (encryption, packet fudgery via fragrouter, et al., etc). I don't disagree that getting one is a good idea, just don't "sell" the idea to your management/financial folks with the idea that "once we install this, we'll never have any more viruses" -- because that's just not true.

Regards,

Michael Holstein CISSP GCIA
Cleveland State University
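The point above that a signature IDS only works when it can "see" the traffic is easy to demonstrate on the defender's side. The following is an added example, not code from Michael or from any IDS product: a toy content matcher with a constructed placeholder signature (EVIL-PAYLOAD-MARKER) and a constructed HTTP-like byte stream. A detector that inspects each fragment in isolation misses a signature that straddles fragment boundaries; the same detector applied to the reassembled stream catches it. The reassembly routine is a deliberately simplified one (lowest offset wins on overlap, gaps are rejected) and is an assumption of this example, not how any real sensor resolves overlaps.

```python
"""Toy signature IDS: per-packet matching versus stream reassembly.

Added example for illustration; the signature, the sample stream and the
reassembly policy are all constructed here and do not come from any product.
"""
from dataclasses import dataclass
from typing import List, Sequence

# Constructed placeholder standing in for a real content rule.
SIGNATURE = b"EVIL-PAYLOAD-MARKER"


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the full stream
    data: bytes


def match_per_packet(fragments: Sequence[Fragment]) -> bool:
    """Naive detector: looks for the signature inside each fragment alone.

    This is the behaviour that fragmentation-based evasion relies on: if no
    single fragment carries the whole pattern, nothing ever matches.
    """
    return any(SIGNATURE in f.data for f in fragments)


def reassemble(fragments: Sequence[Fragment]) -> bytes:
    """Rebuild the byte stream from out-of-order, possibly overlapping pieces.

    Simplified policy (an assumption of this example): fragments are applied
    in offset order, overlapping bytes already present are kept, and a gap
    (missing bytes before a fragment) is treated as an error rather than
    matched against incomplete data.
    """
    buf = bytearray()
    for f in sorted(fragments, key=lambda f: f.offset):
        end = f.offset + len(f.data)
        if end <= len(buf):
            continue                      # entirely overlaps data we already hold
        if f.offset > len(buf):
            raise ValueError(f"gap in stream before offset {f.offset}")
        buf.extend(f.data[len(buf) - f.offset:])   # append only the new tail
    return bytes(buf)


def match_reassembled(fragments: Sequence[Fragment]) -> bool:
    """Detector that reassembles first, then matches the whole stream."""
    return SIGNATURE in reassemble(fragments)


def split_stream(stream: bytes, chunk: int) -> List[Fragment]:
    """Cut a stream into fixed-size fragments (models fragmentation on the wire)."""
    return [Fragment(i, stream[i:i + chunk]) for i in range(0, len(stream), chunk)]


# Constructed sample stream carrying the placeholder signature in a header.
STREAM = b"GET /index.html HTTP/1.0\r\nX-Note: " + SIGNATURE + b"\r\n\r\n"


def demo() -> dict:
    """Compare both detectors on the intact stream and on small fragments."""
    intact = [Fragment(0, STREAM)]
    pieces = split_stream(STREAM, 8)          # 8-byte fragments, signature is 19 bytes
    shuffled = list(reversed(pieces))         # arrive out of order
    return {
        "intact_per_packet": match_per_packet(intact),
        "fragmented_per_packet": match_per_packet(pieces),
        "fragmented_reassembled": match_reassembled(pieces),
        "out_of_order_reassembled": match_reassembled(shuffled),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

The lesson for a deployment is the one the post makes: a sensor that cannot reassemble (or that sits where it only sees part of the conversation, or only sees ciphertext) will silently report "no alert" for traffic it never really inspected, so alert volume alone says nothing about coverage.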
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
