On Mon, 2003-09-22 at 14:23, Peter Busser wrote:

> The problem with IDS systems is the same problem that currently available
> virus scanners have: They work reactively and not proactively.
>
> Making machines harder to break into and improving ways to enforce a security
> policy (e.g. by using Mandatory Access Control (MAC)) would be one way to
> proactively deal with security.

Keep in mind that IDS's are not _active_ security controls. Nothing beats firewalls, host hardening, and all the other layers of proactive security. Instead, IDS's are passive monitors, alerting you when your active security controls have failed. They are verifying the functionality of other controls.

In that sense, you cannot compare IDS's and virus scanners. They are two different beasts. While virus scanners are more proactive, host-based IDS's can alert you when the virus scanners have failed.

(Interestingly, virus scanners used to be passive and became active when realtime detection became the norm. In a sense, they are now Intrusion Prevention Systems -- passive controls turned active. As you recall, Intrusion Prevention Systems include everything and their mother these days...)

Host-based IDS have gone the same way: from purely alerting to now actively intercepting and preventing system calls, web accesses, etc. I guess the same can be said for network-based IDS turned IPS. However, all these active components should still only catch where other safeguards failed. But nowadays we deploy these technologies as _proactive_ components, which they are not.

In other words, it is not enough to deploy a host-based IDS and think that the host has now been hardened. Host hardening (proactive) should still be done, and HIPS deployed (active) on top of that. We still need IDS (passive), though, to find out when 'proactive' and 'active' are failing. (This is what Gartner still doesn't understand.)

Now, if we were to use better-designed OS'es and applications to begin with, we wouldn't have this mess...

Cheers,
Frank