This is fine and we will all have our own definitions, yet, as time has
progressed and SW has too, I still tend to differentiate;
in my mind IDS systems are more proactive, able to warn at the point of
attack, while tools like tripwire can only warn you 'after the fact'. I
think there is a vast difference in those two parts of what some like to
lump into one definition.
Thanks,
Ron DuFresne
On Wed, 7 Mar 2001, mht wrote:
> Tripwire - can be considered a host-based Intrusion Detection but more a
> file system integrity checker - since in order to fine tune TripWire to
> its best of its ability, one must establish a "Golden" OS copy
> of the particular operating system in place. In most cases, this is not
> available, since the operating system was up and running before someone
> purchased or downloaded a copy of TripWire.
>
> After establishing a baseline tripwire security policy, one has to be savvy
> enough to tweak all the alerts that TripWire can generate, which is very
> very time consuming.
>
> SWATCH is a primitive form of a door knob rattling device, very similar to
> those $49.95 door alarms one uses on hotel/motel doors to make one sleep
> better at night. It isn't that sophisticated but makes a lot of noise when
> the door is strongly fiddled with.
> BTW, the door knob alarm does not chirp when the hotel/motel door is
> directly hit on the center of the door knob with a medium-sized sledge
> hammer or very strong straight leg kick. Check the back of the door knob
> alarm for what the limitations are.
>
> Defining Intrusion Detection has been an ongoing marketing banter: pattern
> matching versus packet dis-assembly/re-assembly, our IDS is faster than
> your IDS, we detect more, they are going from consumer to corporate, etc,
> yada, yada. Marketing people also sacrifice their young or coyote ugly arm
> if they can prove that they successfully doubled their product's market
> share against their competition each time a new marketing campaign is
> released.
>
> One of the major reasons for picking a reasonable IDS system is making a
> firewall administrator/network engineer more aware that the firewall
> policy/router configuration is not doing its job correctly or is incapable
> of alerting a network administrator that a duplicate IP address has been
> observed or a block of IP addresses that shouldn't be active is, etc, etc.
>
> The technology has always been there, but the number of people actually
> having a "CLUE" has dwindled over the last year or two
>
> Trip, Crash.. fumble..
>
> (sorry fell off my IDS cynic soapbox.. ;;)
>
> At 01:14 PM 3/7/01 -0500, Ken Seefried wrote:
>
> I will merely respond that if the definition of an Intrusion Detection
> System is "a system that is designed to detect an intrusion", then I
> personally am comfortable calling tripwire and swatch simple forms of IDS.
> Gratuitously rewriting the definition of what an IDS is, merely because the
> technology now offers extended possibilities, is a job best left to a vendor
> marketing department.
>
> As always, individual opinions may vary.
>
> Ken
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.