Re: CRIME IDS is dead says Gartner

From: Crispin Cowan (crispin@private)
Date: Tue Jun 24 2003 - 11:04:56 PDT


    Seth Arnold wrote:
    
    >On Mon, Jun 23, 2003 at 06:34:36PM -0700, Andrew Plato wrote:
    >  
    >
    >>http://www.informationweek.com/shared/printableArticle.jhtml?articleID=10300918
    >>    
    >>
    >>>Stiennon contends that organizations are going to so successfully harden
    >>>their internal systems that the "burglar-alarm" service
    >>>intrusion-detection systems provide will no longer be necessary.
    >>>      
    >>>
    >
    >This is obviously someone who has never performed a software audit in his
    >life, let alone read bugtraq for a solid week. He's an idiot. (Unless
    >the press has completely misunderstood what he's said, which has been
    >known to happen in the dumbification process involved in publishing.)
    >
    I agree with Seth, in that auditing systems all the way to security is 
    infeasible.
    
    On the other hand, auditing systems to the point that everything a 
    signature IDS will see (known exploits) is not threatening is very 
    feasible: just keep up to date with your patches. It is administratively 
    easier to update IDS signatures than to patch production systems, so you 
    have to put more effort into patching up to that point. On the other 
    hand, patching actually prevents intrusion, while the IDS just tells you 
    that you've just been hacked, and you're about to have a bad weekend.
    
    Obvious corollary: use NIPS (Network Intrusion Prevention Systems), 
    which are like IDS, but when they see a signature, they stop the attack.
    
    Crispin's cynical reply: these are known as "firewalls" :) except that 
    they are inspecting at the application layer. Just like application 
    proxy firewalls used to :)
    
    Other corollary: use HIPS (Host Intrusion Prevention Systems). On the 
    host, it is much easier to detect & prevent unknown as well as known 
    attacks. These were classically known as "secure operating systems", but 
    they got a bad rap for being hard to use, so marketeers had to change 
    the word for them, too :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    



    This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 11:18:20 PDT