"Albert Lu" wrote in message news:[EMAIL PROTECTED]
> how quickly can you respond to your alerts? Since for some attacks, a half
> hour response time could cause your site to be down (e.g. Slammer virus). If
> that was the case, even if you had all the vendors' IDS, it would be useless.

Just to soapbox a bit on the current flair so many networking and security
folks have for IDSes....

Using anything that only did detection would have let SQL Slammer in. It is
a single-packet attack; by the time you saw one (and had vulnerable systems)
it would have been too late for that host. Let's think about if you had
super-double-secret AI to build a rule based on the change in traffic behaviour
of the (now infected) server and push this rule toward the "outside" or
policy enforcement locations. You would still have an infected server, and
any other vulnerable SQL server inside the nearest policy enforcement
location would quickly also be infected.

So now, weeks later, if you have vulnerable systems, an IDS with perfectly
valid signatures STILL does you no good. You would have already needed to
deploy proper filtering, which was the case on day 0, day 10, and on
day(-365). IDSes are nice tools, but like firewalls they don't do much for
any network JUST because they were purchased and installed.

Darrell
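What "proper filtering" at a policy enforcement point looks like for this specific case, as an added example that is not part of Darrell's post: Slammer propagated in a single UDP datagram to port 1434 (the SQL Server Resolution Service), so a filter that drops that port before the datagram reaches a vulnerable host stops it, while an IDS only reports it after the host is already infected. The interface names, ACL names, the 10.1.0.0/16 application subnet and the 10.2.0.0/16 database subnet below are assumptions chosen for illustration, and the `permit ip any any` lines are placeholders for the rest of a real policy.

```ios
! Added example (not from the original post). Interface names, ACL names and
! the 10.1.0.0/16 and 10.2.0.0/16 address ranges are assumed for illustration.
!
! 1. Internet edge: drop UDP/1434 inbound so the single Slammer datagram never
!    reaches any internal SQL Server. "log" records each hit to syslog.
ip access-list extended EDGE-IN
 remark Drop SQL Server Resolution Service (UDP/1434, the Slammer vector)
 deny   udp any any eq 1434 log
 remark -- remainder of the edge policy would follow here --
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip access-group EDGE-IN in
!
! 2. Internal enforcement point in front of the database segment: even if one
!    server inside is already infected, it cannot reach the other SQL Servers
!    on UDP/1434. Only the application tier is permitted to that port.
ip access-list extended DB-SEGMENT-IN
 remark Only the application tier may reach SQL Server Resolution on the DB subnet
 permit udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 1434
 deny   udp any any eq 1434 log
 remark -- remainder of the segment policy would follow here --
 permit ip any any
!
interface GigabitEthernet0/1.20
 description Database segment
 ip access-group DB-SEGMENT-IN out
!
! 3. Verification: the deny entries carry hit counters, so the same command
!    that proves the filter is in place also shows whether it is being hit.
! Router# show access-lists EDGE-IN
! Router# show access-lists DB-SEGMENT-IN
```

The point of the second ACL is the one the post makes about the "nearest policy enforcement location": an edge filter alone protects against the first packet from outside, but nothing stops lateral spread from an infected internal host unless the same port is also filtered between internal segments. Both filters have to be in place before the packet arrives; adding them after an alert fires is the "weeks later" case the post describes.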




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63540&t=63461
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html