You're right there. But you need either 'real' meaningful reports and
management that knows enough to be able to interpret them, or meaningless
reports and management that likes them as long as there's lots of green.

But to prove the system's working as advertised you'd have to watch your
internet connection outside the firewall, and log all attacks, then
correlate these logs against firewall/server/internal IDS logs to ensure
that the attacks aren't being effective. Is there any IDS that provides
this? For this function (and most network monitoring in general) I think
you're probably better off with systems that all log back to a common point
(using syslog or SNMP traps or whatever), and then have the reporting
functionality on the device or software that's collecting those logs. This
way it can take into account information from all sources. You still need
application-specific consoles etc. for looking at things 'live'.

I don't know of a system that does the correlation well. HP OpenView says it
can, but I've never played with this side of it.

> -----Original Message-----
> From: Crumrine, Gary L [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, June 20, 2000 8:50 PM
> To:   Luff, Darryl
> Subject:      RE: IDS systems & technology 
> 
> I think you miss one point concerning the graphs, reports etc. Everyone has
> to report to someone.... The senior management needs to see hard facts that
> indicate their money is well spent. The graphs and reports do that. If
> for nothing else, you can generate a bunch of mindless dribble that scares
> the hell out of them and keeps your paychecks coming in...
> 
> > -----Original Message-----
> > From:       Luff, Darryl [SMTP:[EMAIL PROTECTED]]
> > Sent:       Monday, June 19, 2000 7:56 PM
> > To: 'Stephen P. Berry'
> > Cc: [EMAIL PROTECTED]
> > Subject:    RE: IDS systems & technology 
> > 
> > As with fishing lures, they're designed to attract the attention of the
> > fisherman with the money in his pocket, not the fish. You can catch fish
> > with any bit of silvery metal with a hook on it, but no self-respecting
> > fisherman would buy one of these ("I'm not paying for that, I could make it
> > myself"). And you can make it yourself, given a bit of time and some freely
> > available materials.
> > 
        ...
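
The cross-source correlation described in the reply at the top of this thread (attacks logged outside the firewall checked against firewall and internal IDS records at a common collection point), as an added example that is not part of the original messages. The log layout, the host names `outside-ids`, `fw1` and `inside-ids`, and the 5-second matching window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; host names, field layout and addresses are assumptions.
SAMPLE_LOG = """\
2000-06-20T20:50:01 outside-ids ALERT src=203.0.113.5 dst=192.0.2.10 dport=80
2000-06-20T20:50:01 fw1 DROP src=203.0.113.5 dst=192.0.2.10 dport=80
2000-06-20T20:51:10 outside-ids ALERT src=203.0.113.9 dst=192.0.2.10 dport=25
2000-06-20T20:51:10 fw1 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=25
2000-06-20T20:51:11 inside-ids ALERT src=203.0.113.9 dst=192.0.2.10 dport=25
2000-06-20T20:52:30 outside-ids ALERT src=203.0.113.7 dst=192.0.2.20 dport=23
this line is malformed and must be skipped
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
WINDOW = timedelta(seconds=5)  # tolerated clock skew between devices

def parse(text):
    """Yield (time, host, action, flow) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, action, src, dst, dport = m.groups()
        yield datetime.fromisoformat(ts), host, action, (src, dst, int(dport))

def correlate(text, outside="outside-ids", firewall="fw1", inside="inside-ids"):
    """Classify each attack seen outside the firewall by what happened to it."""
    events = list(parse(text))
    def seen(host, action, when, flow):
        return any(h == host and a == action and f == flow and abs(t - when) <= WINDOW
                   for t, h, a, f in events)

    results = []
    for when, host, action, flow in events:
        if host != outside or action != "ALERT":
            continue
        if seen(inside, "ALERT", when, flow):
            verdict = "reached-inside"      # attack got through: investigate
        elif seen(firewall, "DROP", when, flow):
            verdict = "blocked"             # firewall stopped it as advertised
        else:
            verdict = "unaccounted"         # no matching record: logging gap
        results.append((flow[0], flow[2], verdict))
    return results

if __name__ == "__main__":
    for src, dport, verdict in correlate(SAMPLE_LOG):
        print(f"{src:15} port {dport:<5} {verdict}")
```

The "unaccounted" verdict flags attacks the outside sensor saw but no other device recorded, which usually points at a logging gap rather than at a block.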
