Open Source and information security mailing list archives
Date: Thu Sep 29 13:56:28 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Suggestion for IDS

> I value your opinion on this subject as my knowledge about IDS is slim. Your
> suggestion below, as I understand it, basically says that, from a company
> standpoint, IDS is not a solution? We were thinking along this line of using IDS
> along with an IPS system too. We basically have nothing to inspect the high
> bandwidth usage or to catch infections from mobile or desktop users and
> thought IDS and IPS would help. Your thoughts?

No .. IDS is not a "solution". Neither is an IPS (note .. IPS is an 
improvement on IDS .. the key is the 'D' being 'detection' and the 'P' 
supposedly meaning 'prevention'). The reason for this is you can't 
expect a network device to "protect" you from an attack due to 
administrative laziness or ineptitude.

Unless you put an IPS between everyone's NIC and their network 
connection, you'll never have *enough* of them to completely cover your 
network. Things will sneak in .. but an IPS may help them from spreading 
like wildfire.

Like any security *gizmo*, an IPS/IDS/Firewall/etc is just another piece 
of the puzzle .. but the *most* important piece is admins that know, 
understand, and religiously implement security on every system they 
bring up.

Now .. as for catching infections on mobile/desktop users .. you'll do 
well with most IDS/IPS products .. but remember .. in both cases, you're 
only identifying the problem. With the IPS, you're preventing it from 
going PAST the IPS, but not preventing it from infecting others on the 
same subnet, etc.

If bandwidth regulation is your objective .. you'd be much better off 
with something like Packeteer -- which many of us use to keep a lid on 
Kazaa/Bittorrent -- and to great success.

There are numerous ways to defeat an IDS/IPS .. to work, it's got to be 
able to "see" the traffic .. and there are any number of ways to defeat 
that (encryption, packet fudgery via fragrouter, et al., etc.). I don't 
disagree that getting one is a good idea, just don't "sell" the idea to 
your management/financial folks with the idea that "once we install 
this, we'll never have any more viruses" -- because that's just not true.

Regards,

Michael Holstein CISSP GCIA
Cleveland State University
