



Network Security Focus-IDS

RE: need help

Subject: RE: need help
Date: Mon, 9 Aug 2004 13:33:13 -0400
An IDS is an alarm system. Like all alarm systems, it should be part of a
security response plan, not just something isolated as a separate bell hanging
on your computer installation.

The main challenge in IDS, then, is integrating it with the rest of your
security and IT systems so that it reflects the actual needs of your whole
policy and is not just a source of false alarms that lose people's sleep but do
not actually add to security.

This is why many modern IDS products are integrated with firewalls, network
management systems, etc. They need to have knowledge of what is legitimate
traffic on your system and what is traffic that is a threat. This tuning is best
done by properly trained people, so their availability is one of the problems.
The tuning can also be done by "smart" IDS programs that can analyze server and
network configurations and build up a map of legitimate usage. Such systems can
learn that you don't run any Unix software in your network, so that attacks on
Unix systems are to be noted, but not alarmed. They also can note that you run
other software, to be able to tune their alarms to the particular versions and
patch levels of your software. This helps in many cases to improve your IDS
sensitivity so that there are fewer false alarms.

But there still need to be people who can respond to the legitimate
alarms in the appropriate manner. Even the best IDS can only respond in ways in
which it is programmed. Handling the situation to prevent problems still
requires management and policy. An IDS that alarms when it finds a Trojan on a
workstation trying to send corporate information to somewhere in the Ukraine
can't stop the user from clicking on the web site that installed it without
corporate policy and proper system management preventing this in the first
place.

-----Original Message-----
From: Gudumba Raj MSc [mailto:nag_theindian@yahoo.com] 
Sent: Friday, August 06, 2004 11:07 AM
To: focus-ids@securityfocus.com
Subject: need help

Hello,
   I am on the way to analyze the present IDS products
like Cisco, NFR, Juniper, Symantec, Tripwire IDS
products. But testing isn't my job. But I would like to
know what kinds of problems the present IDS products
are facing. I have to address some of the challenges that
the IDS world is facing. Could you please help me?
Thanks in advance.

=====
##############
Gudumba Raj(Naga Raj Peddisetty)
BjornkarrsGatan 11 c 33,
Linkoping,
SE-58436.
Fixed: +46-13-4731134,
GSM: +46-731-521053.


                

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
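
The tuning described in the reply above (attacks on software the network does not run are noted rather than alarmed, and alarms are matched to installed versions and patch levels), as an added example that is not part of the original thread or of any IDS product's code. The inventory, addresses, signature names and version numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of an all-Windows network (hypothetical hosts and versions).
INVENTORY = {
    "10.0.0.5": {"os": "windows", "software": {"iis": "5.0"}},
    "10.0.0.9": {"os": "windows", "software": {"mssql": "8.0.760"}},
}

@dataclass
class Alert:
    signature: str
    dst: str
    target_os: Optional[str] = None   # platform the attack applies to
    product: Optional[str] = None     # software the attack applies to
    fixed_in: Optional[str] = None    # first version that is patched

def _ver(v):
    # "8.0.760" -> (8, 0, 760) so versions compare numerically, not as text
    return tuple(int(p) for p in v.split("."))

def triage(alert, inventory=INVENTORY):
    """Return ("alarm" or "note", reason) for one alert."""
    host = inventory.get(alert.dst)
    if host is None:
        # Unknown asset: the map cannot rule the attack out, so keep the alarm.
        return "alarm", "destination not in inventory"
    if alert.target_os and alert.target_os != host["os"]:
        return "note", f"host runs {host['os']}, attack targets {alert.target_os}"
    if alert.product:
        installed = host["software"].get(alert.product)
        if installed is None:
            return "note", f"{alert.product} not installed"
        if alert.fixed_in and _ver(installed) >= _ver(alert.fixed_in):
            return "note", f"{alert.product} {installed} already patched"
    return "alarm", "target matches inventory"

# Constructed sample alerts.
ALERTS = [
    Alert("unix-rpc-overflow", "10.0.0.5", target_os="unix"),
    Alert("iis-overflow", "10.0.0.5", "windows", "iis", "6.0"),
    Alert("mssql-worm", "10.0.0.9", "windows", "mssql", "8.0.700"),
    Alert("iis-overflow", "10.0.0.77", "windows", "iis", "6.0"),
]

def run():
    return [(a.signature, a.dst) + triage(a) for a in ALERTS]

if __name__ == "__main__":
    for row in run():
        print(*row, sep=" | ")
```

Noted alerts are still recorded with their reason, so a stale inventory can be spotted later instead of silently hiding real attacks.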

