Snort mailing list archives
RE: re: 1. Network World IDS report (Jason Haar)
From: Detmar Liesen <counter.spy () gmx de>
Date: Thu, 27 Jun 2002 22:04:29 +0200 (MEST)
Some days ago I told people who wanted to do benchmarks with IDS to leave such testing to the "hard-core" people of NSS and Network World (RealWorld Labs), because those people have the time, skills and experience to do so properly (I thought). Well, now I think I have to change my opinion about the Network World folks a little bit.

Setting up vanilla systems in a live environment really is a joke. If I did something like that, I think I'd get clobbered by a good few persons and lose my job (well, I have to look for my first real IDS job now anyway, but I think it would be no good reference for an application ;)). You cannot do something like this - it's too dangerous - for other sites. As far as I know you are responsible for securing your systems from being misused as a launch pad for attacks *by law*.

But I also have to admit that the report has some important messages in it:

- IDS systems have to be (and can only be) set up and tuned by skilled people, and it takes time to do so.
- IDS deployments need constant learning.
- Also, the alerts have to be analyzed by skilled and trained people.
- IDS administration and monitoring is a full-time job, if you want to do it properly.

This leads me to the question: what did the Network World tests actually attempt to achieve? I just guess that they wanted to tell non-IDS people (e.g. IT executives) that you cannot just set up an IDS and think you're secure now. You need trained personnel that have the time and skills to tune the system and analyze events constantly. You also have to know your network really well. (As a matter of fact, I learned the topology of our perimeter network mainly by analyzing events from Snort/ACID.) They are also right that there are still many improvements necessary in IDSs. But all this isn't really new to anyone on this list, I think.

Beginning next week I will publish my IDS criteria catalog (I didn't manage to finish it this week, sorry). This should help people find out what features and criteria are important for enterprise-wide or network-wide IDS deployment.

Just my 2 cents.

Cheers,
Detmar

--
GMX - The communication platform on the Internet. http://www.gmx.net