| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1064342374.827.126.camel@elendil.intranet.cartel-securite.net> From: blancher at cartel-securite.fr (Cedric Blancher) Subject: The usefullness of IDSes (Was: Re: Is Marty Lying?) Le mar 23/09/2003 ? 10:01, Philippe Bogaerts a ?crit : > I totally agree. An IDS for auditing firewall or other policies can be > usefull, if properly configured. Agree. In conjunction with a conventional audit or open pentest, a well configured IDS framework can point where security policy is broken. > I simple hate the fact that most vendors > position their IDS product as an attack blocking device. The only thing they > can is actually RST tcp connections (sometimes). My opnion is that is quite > a simple and basic method for doing attack blocking. It is a simple and basic one, but sometimes ineffective. Juste think of Slamer that uses a single UDP packet to replicate. Even if your IDS can detect this, it is already to late. The thing I really hate is IDs vendors that come to you with a "my IDS can do all the blocking stuff for you". I went to an IDS demo with an old badly configured FW1 firewall, a IIS 4 webserver and a root'o'matic WuFTPd. First part, cracker can go through and root everything. Second part, I plug my IDS sensors, enable FW1 plugin, and see, all attackes are blocked ! You're now secure. I hate this. I really do (and people from this IDS vendors seems to hate me as well now ;)). -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Powered by blists - more mailing lists