Re: [Full-disclosure] Suggestion for IDS

Subject: Re: [Full-disclosure] Suggestion for IDS
Date: Thu, 29 Sep 2005 08:54:49 -0400
I value your opinion on this subject as my knowledge about IDS is slim. Your
suggestion below, as I understand it, basically says that, from a company
standpoint, IDS is not a solution? We were thinking along this line of using IDS
along with an IPS system too. We basically have nothing to inspect the high
bandwidth usage or to catch infections from mobile or desktop users and
thought IDS and IPS would help. Your thoughts?

No .. IDS is not a "solution". Neither is an IPS (note .. IPS is an improvement on IDS .. the key is the 'D' being 'detection' and the 'P' supposedly meaning 'prevention'). The reason for this is you can't expect a network device to "protect" you from an attack due to administrative laziness or ineptitude.


Unless you put an IPS between everyone's NIC and their network connection, you'll never have *enough* of them to completely cover your network. Things will sneak in .. but an IPS may help keep them from spreading like wildfire.

Like any security *gizmo*, an IPS/IDS/Firewall/etc is just another piece of the puzzle .. but the *most* important piece is admins that know, understand, and religiously implement security on every system they bring up.

Now .. as for catching infections on mobile/desktop users .. you'll do well with most IDS/IPS products .. but remember .. in both cases, you're only identifying the problem. With the IPS, you're preventing it from going PAST the IPS, but not preventing it from infecting others on the same subnet, etc.

If bandwidth regulation is your objective .. you'd be much better off with something like Packeteer -- which many of us use to keep a lid on Kazaa/Bittorrent -- and to great success.

There are numerous ways to defeat an IDS/IPS .. to work, it's got to be able to "see" the traffic .. and there are any number of ways to defeat that (encryption, packet fudgery via fragrouter, et al., etc). I don't disagree that getting one is a good idea, just don't "sell" the idea to your management/financial folks with the idea that "once we install this, we'll never have any more viruses" -- because that's just not true.

Regards,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
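The "packet fudgery" point in the reply above, as an added worked example that is not part of the original message or its author's work: a toy signature-based IDS that inspects each packet in isolation is compared with one that reassembles the flow before matching. The packets, the flow identifier, the "/bin/sh" and "/cgi-bin/phf" signatures and the 4-byte splitting are all constructed for illustration; the splitting stands in for what fragrouter-style tools do to a real stream.

```python
"""
Added example: per-packet signature matching versus stream reassembly.
Everything here (packets, flow id, signatures) is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    flow: str        # hypothetical flow id, e.g. "src:port->dst:port"
    offset: int      # byte offset of this segment within the flow
    payload: bytes


# Constructed signatures; not taken from any real ruleset.
SIGNATURES: List[bytes] = [b"/bin/sh", b"GET /cgi-bin/phf"]


def naive_ids(packets: List[Packet]) -> List[Tuple[str, bytes]]:
    """Per-packet matcher: each payload is inspected on its own, so a
    signature that straddles two segments is never seen in one piece."""
    alerts = []
    for p in packets:
        for sig in SIGNATURES:
            if sig in p.payload:
                alerts.append((p.flow, sig))
    return alerts


def reassembling_ids(packets: List[Packet]) -> List[Tuple[str, bytes]]:
    """Rebuild each flow in offset order, then match the contiguous stream.
    Segments are accepted only when they extend the buffer exactly, so
    out-of-order arrival is handled and duplicate/overlapping data is dropped."""
    flows: Dict[str, bytearray] = {}
    for p in sorted(packets, key=lambda q: (q.flow, q.offset)):
        buf = flows.setdefault(p.flow, bytearray())
        if p.offset == len(buf):
            buf.extend(p.payload)
    alerts = []
    for flow, buf in flows.items():
        for sig in SIGNATURES:
            if sig in bytes(buf):
                alerts.append((flow, sig))
    return alerts


def split_payload(flow: str, data: bytes, chunk: int) -> List[Packet]:
    """Break one payload into small segments, mimicking fragmentation tools."""
    return [Packet(flow, i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


# Constructed attack request and flow id for the demonstration.
ATTACK = b"GET /cgi-bin/phf?Qalias=x%0a/bin/sh HTTP/1.0\r\n"
FLOW = "10.0.0.5:40000->10.0.0.9:80"

WHOLE = [Packet(FLOW, 0, ATTACK)]            # one segment: both IDSes alert
EVASIVE = split_payload(FLOW, ATTACK, 4)     # 4-byte segments: naive IDS is blind

if __name__ == "__main__":
    print("naive, whole request :", naive_ids(WHOLE))
    print("naive, fragmented    :", naive_ids(EVASIVE))
    print("reassembled, fragmented:", reassembling_ids(EVASIVE))
    print("reassembled, reversed :", reassembling_ids(list(reversed(EVASIVE))))
```

The reassembler only fixes the fragmentation trick; it still has to see cleartext, so the encryption point in the reply stands, and a real sensor must also decide how to treat overlapping segments the same way the target host's TCP/IP stack does, or the overlap itself becomes the evasion.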