1. This thread is very hard to read
2. One function of a true IDS system is to validate the security
architecture that is in place.
What I mean is this: say you have a sensor/detector (generic term, not
to be associated with any given IDS product) placed on the DMZ after the
Internet router (this is the router that is either provided by the ISP or
owned by the organization), essentially the main feed to the Internet. So a
sensor is placed there, collecting raw traffic from the net that is
destined for the internal network.
Another sensor is placed after the internal router, another sensor is
placed after the FW, and a couple of agents are sprinkled about the internal
network.
So the first sensor will provide information regarding what traffic is
coming across the wire.
The second sensor will validate events/intrusions that may have evaded your
well-defined ACL lists on the router.
The third sensor will validate events/intrusions that may have evaded the
firewall.
So a report can be culled together illustrating the various places that an
organization is vulnerable via network-based intrusions after each level of
security devices.
/m
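The layered-sensor idea above can be turned into a small correlation check. The following is an added example and not code from this thread or from any IDS product: it assumes three sensor positions in the order edge, post-router, post-fw (the post says sensor two validates the router ACLs and sensor three the firewall, so that ordering is taken here), constructed sample alerts, and a constructed policy table saying which control is supposed to drop which traffic. An event that shows up at a deeper sensor than its declared control allows is a gap in the architecture, which is the report the post describes.

```python
"""Correlate one intrusion event across layered IDS sensors.

Topology assumed by this example (not taken from the post):
  Internet -> [sensor "edge"] -> router ACLs -> [sensor "post-router"]
           -> firewall -> [sensor "post-fw"] -> internal network
An event seen at a deeper sensor has evaded every control in front of it.
"""
from collections import Counter

# Sensor positions in order of depth; index = number of controls passed.
LAYERS = ["edge", "post-router", "post-fw"]
# Name of the control that sits just in front of each non-edge sensor.
CONTROLS = {"post-router": "router ACL", "post-fw": "firewall"}
# Reverse map: control name -> sensor that sits directly behind it.
SENSOR_BEHIND = {control: sensor for sensor, control in CONTROLS.items()}

# Declared policy (constructed for the example): (dst port, protocol) ->
# the control that is supposed to drop that traffic.
POLICY = {
    (23, "tcp"): "router ACL",   # telnet must never pass the edge router
    (111, "tcp"): "router ACL",  # portmap likewise
    (139, "tcp"): "firewall",    # NetBIOS may cross the router, not the FW
}

# Constructed sensor observations:
# (sensor, src, dst, dport, proto, signature)
OBSERVATIONS = [
    ("edge", "198.51.100.7", "192.0.2.10", 23, "tcp", "telnet login attempt"),
    ("post-router", "198.51.100.7", "192.0.2.10", 23, "tcp", "telnet login attempt"),
    ("edge", "203.0.113.9", "192.0.2.20", 139, "tcp", "SMB null session"),
    ("post-router", "203.0.113.9", "192.0.2.20", 139, "tcp", "SMB null session"),
    ("post-fw", "203.0.113.9", "192.0.2.20", 139, "tcp", "SMB null session"),
    ("edge", "198.51.100.8", "192.0.2.10", 111, "tcp", "portmap dump"),
    ("edge", "203.0.113.5", "192.0.2.30", 80, "tcp", "cgi-bin probe"),
    ("post-router", "203.0.113.5", "192.0.2.30", 80, "tcp", "cgi-bin probe"),
    ("post-fw", "203.0.113.5", "192.0.2.30", 80, "tcp", "cgi-bin probe"),
]


def event_key(obs):
    """The same flow plus signature seen at different sensors is one event."""
    _sensor, src, dst, dport, proto, sig = obs
    return (src, dst, dport, proto, sig)


def deepest_layer(observations):
    """Map each event to the index of the deepest sensor that reported it."""
    deepest = {}
    for obs in observations:
        key = event_key(obs)
        depth = LAYERS.index(obs[0])
        deepest[key] = max(deepest.get(key, -1), depth)
    return deepest


def stopped_by(observations):
    """Return {event: control that stopped it, or 'none' if it got inside}."""
    result = {}
    for key, depth in deepest_layer(observations).items():
        if depth == len(LAYERS) - 1:
            result[key] = "none"  # reached the sensor behind the last control
        else:
            result[key] = CONTROLS[LAYERS[depth + 1]]
    return result


def policy_gaps(observations):
    """Events that a declared control should have dropped but did not.

    Returns a list of (event, name of the control that failed).
    """
    gaps = []
    for key, depth in deepest_layer(observations).items():
        _src, _dst, dport, proto, _sig = key
        expected = POLICY.get((dport, proto))
        if expected is None:
            continue
        # If the event was seen at or beyond the sensor behind that control,
        # the control let it through.
        if depth >= LAYERS.index(SENSOR_BEHIND[expected]):
            gaps.append((key, expected))
    return gaps


def layer_report(observations):
    """Count how many distinct events each control stopped."""
    return Counter(stopped_by(observations).values())


if __name__ == "__main__":
    print("events stopped per control:", dict(layer_report(OBSERVATIONS)))
    for key, control in policy_gaps(OBSERVATIONS):
        print(f"GAP: {control} let through {key[4]} to {key[1]}:{key[2]}")
```

With the constructed data the telnet attempt is reported one sensor past the router, so the router ACL is flagged, and the SMB null session is reported behind the firewall, so the firewall is flagged; the portmap dump stops at the edge, which is what the policy expects. Keying events on flow plus signature is deliberate: the same source hitting a different port is a different event, and should be judged against its own policy entry.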
At 07:21 PM 8/4/00 -0600, dreamwvr wrote:
>hi mouss,
> > to change the thread direction, I'd say that I don't like IDS for the
> > following reasons:
> > - it seems to me more natural to use our energy to fix systems than to
> > watch for who is
> > trying to come inside.
>hmm.. sometimes they can remind us that we need to be vigilant IMHO..
> > - I do not think IDS has been valuable to make progress in security
> > software dev. hackers
>not sure if i understand what you're saying here .. actually not sure what
>you mean exactly to comment sorry. But let me say this IMHO IDS is
>another toolset for SEC personnel to allow them to do their job.
>better? perhaps.. perhaps not. it is sort of a friend if you like a
>'familiar' for lack of a better term. If your network is 1000s of systems
>it is rather pleasant that you have a friend to let you know what is
>occurring that you don't really feel like dealing with IMHO. is it a
>magic bullet? NO.. that is where the [B] [R] [A] [I] [N] comes in and
>experience as it is always the best teacher. If you have a fluid
>IDS system it will flow over the terrain ever so semi-intelligently
>which is about all one can really hope for..
> Then if you can
>append to what it scrutinizes well you have a pretty good system AFAIK.
> > have finally been more helpful (though this was not their intent).
> > - I am not aware of any "mathematically serious" IDS product (yes,
> > mathematically serious is hard
> > to define, but I guess it is easy to understand). those I heard of are a
> > kind of elaborate grep extensions.
>hmmm.. well no matter how high the math goes you still need someone to
>interpret what you think is interesting IYKWIM..
> > In my opinion, intrusion detection should be left to some specialized
> > companies. I mean that we should
>..And keep the masses from having an early|RT warning system?
> i..would have to disagree as if the Internet is going to evolve
>then consumers need the ability to obtain IDS systems that fit their
>needs large or small. Just like one has locks and safes .. there appears
>to be a 'real' demand for alarms. This is where IMHO the alarm co will
>impact IDS as they see some flaws in the existing mindset and are
>suggesting changes according to what they believe they need.
>They do have experience @ the physical layer on alarms after all.
>(An unwelcome visitor is always an unwelcome visitor..) Even though
>they don't know the etherworld they have some suggestions from
>experience to throw into the pot.
> > not buy IDS products, but merely call these guys to audit our net, to run
> > their tools from time to time, ...
>IMHO Security is a 24/7 way of life..
> > as intrusion detection is still based on skill, not on discipline (ie I
> > doubt that someone who is enough
> > disciplined to click buttons would find the same things that a skilled
> > hole-finder would).
>I would agree push button solutions are rather like watered down wine;-))
>IDS will doubtfully ever eclipse those who eat,drink, and sleep security.
>it needs to be their passion.. i can think of some that fit this category.
>(how many ppl are on this list;-)) there will always be those who are
>add water or wine:-)) YMMV experts because they own a copy of
>'pick a product'. But what makes the world go round is all kinds.
>..and 'nobody' hee..hee..hee is strong in everything. That is what is
>empowering about this list we all can exchange our opinions FWIW.
>everyone has @ least 1. if you sift through the stream everyone has
>something to say. with the exceptions of lurkers but they too make
>a statement by saying nothing actually;-))
> > I am convinced that I am biased, so I say it now before getting lamed to
> > death: this is just an opinion,
> > nothing more.
>Opinion is a good thing actually something i usually appreciate as it
>gets awfully quiet talking to oneself. Remember before 'black monday' ?
>now that was quiet.. some places anyhow..
> > On the other side, since IDS help some nice guys get money from stupid
> > customers, there is a benefit to the human race.
> > As Dilbert goes, 90% of the customers are stupid and give you money, and
> > 10% are smart and give you ideas
> > (I forgot the exact wording, but it's something like that).
>hmm.. well i am not sure i would say stupid .. more like not inexperienced.
>We all started somewhere.. Myself i still remember when the first Dist of
>Slackware came out and well did i have a lot to learn;-)) I still do..
> Best Regards,
> [EMAIL PROTECTED]
> > regards,
> > mouss
>--
>Reuters, London, February 29, 1998:
>Scientists have announced discovering a meteorite which will strike the
>earth in March, 2028. Millions of UNIX coders expressed relief for being
>spared the UNIX epoch "crisis" of 2038.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]