[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1064263838.459.46.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Is Marty Lying?
On Mon, 2003-09-22 at 14:23, Peter Busser wrote:
> The problem with IDS systems is the same problem that currently available
> virus scanners have: They work reactive and not proactive.
>
> Making machines harder to break into and improve ways to enforce a security
> policy (e.g. by using Mandatory Access Control (MAC)) would be one way to
> proactively deal with security.
Keep in mind that IDS's are not _active_ security controls. Nothing
beats firewalls, host hardening, and all the other layers of proactive
security. Instead, IDS's are passive monitors, alerting you when you
active security controls have failed. They are verifying the
functionality of other controls.
In that sense, you can not compare IDS's and virus scanners. They are
two different beasts. While virus scanners are more proactive, host
based IDS's can alert you when the virus scanners have failed.
(Interestingly, virus scanners used to be passive and became active when
realtime detection became the norm. In a sense, they are now Intrusion
Prevention Systems -- passive controls turned active. As you recall,
Intrusion Prevention Systems include everything and their mother these
days...). Host based IDS have gone the same way. From purely alerting to
now actively intercepting and preventing systems calls, web accesses,
etc.
I guess the same can be said for network based IDS turned IPS. However,
all these active components should still only catch where other safe
guard failed. But nowadays we deploy these technologies as _proactive_
components, which they are not. In other words, it is not enough to
deploy a host based IDS and think that the host has now been hardened.
host hardening (proactive) should still be done and HIPS be deployed
(active) on top of that. We still need IDS (passive) though to find out
when 'proactive' and 'active' are failing. (This is what Gartner still
doesn't understand).
Now, if we were to use better designed OS'es and applications to begin
with, we wouldn't have this mess...
Cheers,
Frank
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030922/fc4ffb3e/attachment.bin
Powered by blists - more mailing lists