Mark is right on the money.  Security isn't just having a firewall, and IDS isn't just having an ISS/NFR/Ice box attached to your network.  IDS is a combination of things that can include network attached devices, host/application based products as well as deception components, honey pots and things that act like burglar alarms.  I'd even consider products that scan e-mails, applets, downloads, etc. as part of intrusion detection.

The real issue is figuring out how to coordinate the information that these systems generate so you can take meaningful action.

-- Bill Stackpole, CISSP


mht <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/07/01 10:43 AM

To: Ken Seefried <[EMAIL PROTECTED]>, "'Ron DuFresne'" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: RE: IDS



Tripwire - can be considered a host-based Intrusion Detection but more a
file system integrity checker - since in order to fine tune TripWire to
the best of its ability, one must establish a "Golden" OS copy
of the particular operating system in place.  In most cases, this is not
available, since the operating system was up and running before someone
purchased or downloaded a copy of TripWire.

After establishing a baseline tripwire security policy, one has to be savvy
enough to tweak all the alerts that TripWire can generate, which is very
very time consuming.

SWATCH is a primitive form of a door knob rattling device, very similar to
those $49.95 door alarms one uses on hotel/motel doors to make one sleep
better at night.  It isn't that sophisticated but makes a lot of noise when
the door is strongly fiddled with.
BTW, the door knob alarm does not chirp when the hotel/motel door is
directly hit on the center of the door knob with a medium-sized sledge
hammer or very strong straight leg kick.  Check the back of the door knob
alarm for what the limitations are.

Defining Intrusion Detection has been an ongoing marketing banter: Pattern
Matching versus Packet dis-assembly/re-assembly, our IDS is faster than
your IDS, we detect more, they are going from consumer to corporate, etc,
yada, yada. Marketing people also sacrifice their young or coyote ugly arm
if they can prove that they successfully doubled their product's market
share against their competition each time a new marketing campaign is
released.

One of the major reasons for picking a reasonable IDS system is making a
firewall administrator/network engineer more aware that the firewall
policy/router configuration is not doing its job correctly or is incapable
of alerting a network administrator that a duplicate IP address has been
observed or a block of IP addresses that shouldn't be active is, etc, etc.

The technology has always been there, but the number of people actually
having a "CLUE" has dwindled over the last year or two.

Trip, Crash.. fumble..

(sorry fell off my IDS cynic soapbox.. ;;)

At 01:14 PM 3/7/01 -0500, Ken Seefried wrote:

I will merely respond that if the definition of an Intrusion Detection
System is "a system that is designed to detect an intrusion", then I
personally am comfortable calling tripwire and swatch simple forms of IDS.
Gratuitously rewriting the definition of what an IDS is, merely because the
technology now offers extended possibilities, is a job best left to a vendor
marketing department.

As always, individual opinions may vary.

Ken

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
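The Tripwire discussion above turns on two things: a baseline of a known-good ("golden") file system, and tuning which changes are worth an alert. As an added illustration, not code from this thread or from Tripwire itself, here is a minimal integrity checker in that spirit: it records mode, owner, size and SHA-256 per file, ignores prefixes expected to churn, and reports what differs between two snapshots. The directory tree and its modifications are constructed in a temporary directory for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes a 'golden' file should keep: permission bits, owner, size, content hash."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return rec

def build_baseline(root: Path, ignore=()) -> dict:
    """Snapshot every file under root, skipping prefixes expected to churn (logs, spool)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if any(rel == i or rel.startswith(i + "/") for i in ignore):
            continue
        if p.is_file() or p.is_symlink():
            baseline[rel] = file_record(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or whose recorded attributes differ."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(k for k in common if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and report what the check flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin/ls").write_bytes(b"\x7fELF-original")
        (root / "var/log/messages").write_text("boot ok\n")
        # The baseline itself belongs on read-only media, not on the host it describes.
        baseline = build_baseline(root, ignore=("var/log",))
        # Changes a later run should flag: edited account file, replaced binary, new file.
        (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:1001:1001::/:/bin/sh\n")
        (root / "bin/ls").write_bytes(b"\x7fELF-replaced")
        (root / "bin/.helper").write_bytes(b"\x7fELF-new")
        # Log growth is expected and stays silent because var/log is ignored.
        (root / "var/log/messages").write_text("boot ok\nlogin root\n")
        return compare(baseline, build_baseline(root, ignore=("var/log",)))
```

The ignore list is the tuning step the post complains about: too short and every log rotation pages you, too long and a replaced binary goes unnoticed.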
