[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: The usefullness of IDSes (Was: Re: [Full-Disclosure] Is Marty Lying?)
- To: Philippe Bogaerts <xxradar@xxxxxxxxxxxxx>
- Subject: RE: The usefullness of IDSes (Was: Re: [Full-Disclosure] Is Marty Lying?)
- From: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 Sep 2003 20:39:35 +0200
Le mar 23/09/2003 à 10:01, Philippe Bogaerts a écrit :
> I totally agree. An IDS for auditing firewall or other policies can be
> usefull, if properly configured.
Agree.
In conjunction with a conventional audit or open pentest, a well
configured IDS framework can point where security policy is broken.
> I simple hate the fact that most vendors
> position their IDS product as an attack blocking device. The only thing they
> can is actually RST tcp connections (sometimes). My opnion is that is quite
> a simple and basic method for doing attack blocking.
It is a simple and basic one, but sometimes ineffective. Juste think of
Slamer that uses a single UDP packet to replicate. Even if your IDS can
detect this, it is already to late.
The thing I really hate is IDs vendors that come to you with a "my IDS
can do all the blocking stuff for you". I went to an IDS demo with an
old badly configured FW1 firewall, a IIS 4 webserver and a root'o'matic
WuFTPd. First part, cracker can go through and root everything. Second
part, I plug my IDS sensors, enable FW1 plugin, and see, all attackes
are blocked ! You're now secure. I hate this. I really do (and people
from this IDS vendors seems to hate me as well now ;)).
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html