Keith...
What you say is true for host-based IDS...
But I think network-based IDS is a different animal...
Your third point should really be entitled: PERFORMANCE...
It's one thing to have a host-based sniffer on a server...
It's another thing to sniff packets on a DS-3, 100 Mbps,
or even gigabit Ethernet... These require careful
performance tuning... You cannot do this on a PC; you need
dedicated hardware... And it impacts your 2nd point, tuning...
If you have dedicated co-processors, you cannot expect them
to be user-programmable...
The best you can do is pick a vendor who you trust....
Then you need high performance....
Then you need that vendor to update his signatures
several times a year...
Then you handle all the false alarms...
Brian Boyter
>
> I understand that IDS is a pretty new technology aiming to detect,
> monitor and respond to different types of attacks at the network level.
> The idea is excellent when combined with a firewall to form an integrated
> security solution.
> However, I wonder about the effectiveness the IDS is claimed to deliver.
> I have seen many cases where an internal network, mostly a web server, is still
> hacked even though there is an IDS looking after it. The problems usually are as
> follows:
> 1. Too many false alerts generated by the IDS.
> 2. Without a good tuning mechanism for the IDS, ...
> 3. The IDS may not be able to capture all packets to analyze.
> 4. Attack signatures may not be up-to-date for the IDS.
>