> What are the kind of Intrusions an Intrusion Detection software can detect?
> What all it cannot? Also, specify the reasons.

Right now?

You wrote firewall-wizards in order to get a realistic appraisal of the capabilities of intrusion detection systems. That's what the value of this list is. If you want to hear the marketing appraisal of ID systems, I suggest you consult vendor websites. The market leaders include:

ISS, for RealSecure, at http://www.iss.net
Axent, at http://www.axent.com
Cisco, for NetRanger, at http://www.cisco.com
AbirNet, for SessionWall-3, at http://www.abirnet.com
SDTI, for Kane Security Analyst, at http://www.securitydynamics.com

As far as the real world goes, my 2-second summary of the currently available products is "they will catch a significant percentage of the attacks that don't try to evade detection". There are as many different ways to build an IDS as there are words in this message, and none of them have been adequately tested yet. We don't even know HOW to test them yet.

What I think we do know is this: the most popular products are "network-based misuse detectors", meaning that they attempt to detect known patterns of misuse by examining network traffic. All of the current network misuse detectors rely on passive network traffic analysis ("sniffing") to collect information to analyze.

These systems are currently known to have serious flaws that have not been completely addressed yet. The specifics are fairly technical, but they amount to the fact that a skillful attacker can create streams of network traffic that can't be accurately analyzed by network ID systems. The details of some of these problems are available in two papers, one from Vern Paxson at the Network Research Group of LBL, and one from myself and Timothy Newsham at Secure Networks, Inc.

Mr. Paxson's paper is:

Paxson, V., Bro: A System for Detecting Network Intruders in Real-Time. Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.
ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z

Our paper is:

Ptacek, T. and Newsham, T., Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection --- an SNI Technical Report, January, 1998.
http://www.secnet.com/papers

My advice is that it's a good idea to deploy these systems if you're aware of their limitations (which are currently fairly significant). It is likely that an IDS will give you a reasonable amount of information about casual attacks on your system, which is valuable. However, it would be a very poor idea to depend on an intrusion detection system, especially if you are relying on it to configure and maintain access control devices (like firewalls).

-----------------------------------------------------------------------------
Thomas H. Ptacek                                       Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                        "mmm... sacrilicious"
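The post describes the dominant product class as a "network-based misuse detector": a passive sniffer that looks for known patterns in traffic, and one that can be defeated by streams it cannot reconstruct the way the receiving host will. The following toy detector is an added illustration of that design point and is not code from the post, from Secure Networks, or from any of the vendors listed. It compares two ways of matching the same constructed signature set: per-packet matching, and matching over a reassembled TCP byte stream. The segment data, sequence numbers and signature strings are all constructed for the example; the "keep the first copy" overlap policy in `reassemble` is one of several that real hosts use, and the detector's guess about that policy is exactly the kind of ambiguity the Ptacek/Newsham report is about.

```python
"""Toy network misuse detector: per-packet matching vs. stream reassembly.

Everything here is constructed for illustration: the signatures are
placeholder byte patterns, not any vendor's rule set, and the segments
are a hand-built capture of one TCP connection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One sniffed TCP segment of a single connection (constructed)."""
    seq: int        # sequence number of the first payload byte
    payload: bytes


# Constructed placeholder signatures: "known patterns of misuse" in the
# sense the post uses. Real rule sets are far larger and more specific.
SIGNATURES = {
    "cgi-probe": b"/cgi-bin/phf",
    "passwd-fetch": b"/etc/passwd",
}


def match_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures that occur in `data`."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def detect_per_packet(segments, signatures=SIGNATURES) -> list:
    """Naive detector: inspect every sniffed segment on its own.

    A pattern that straddles two segments is invisible to this design,
    no matter how good the pattern set is.
    """
    hits = set()
    for seg in segments:
        hits.update(match_bytes(seg.payload, signatures))
    return sorted(hits)


def reassemble(segments, isn: int) -> bytes:
    """Rebuild the byte stream a receiving host would hand to its application.

    `isn` is the sequence number of the first payload byte. Segments are
    placed in sequence order; retransmitted or overlapping bytes keep the
    first copy seen. Which copy a real host keeps is OS-specific, and a
    detector whose choice differs from the target's is analyzing a stream
    the target never saw. That is the core insertion/evasion problem.
    """
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                      # gap in the stream; nothing after it is placeable yet
        offset = expected - seg.seq    # bytes already covered by an earlier segment
        fresh = seg.payload[offset:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def detect_reassembled(segments, isn: int, signatures=SIGNATURES) -> list:
    """Stream-aware detector: match against the reassembled byte stream."""
    return match_bytes(reassemble(segments, isn), signatures)


# Constructed capture: one HTTP request line delivered as two segments,
# with the signature string split across the segment boundary and the
# segments sniffed out of order.
ISN = 1000
SPLIT_REQUEST = [
    Segment(ISN + 10, b"in/phf HTTP/1.0\r\n"),
    Segment(ISN, b"GET /cgi-b"),
]

# Same request delivered in a single segment.
WHOLE_REQUEST = [Segment(ISN, b"GET /cgi-bin/phf HTTP/1.0\r\n")]


if __name__ == "__main__":
    for label, capture in (("whole", WHOLE_REQUEST), ("split", SPLIT_REQUEST)):
        print(label, "per-packet:", detect_per_packet(capture),
              "reassembled:", detect_reassembled(capture, ISN))
```

Both detectors flag the single-segment request; only the reassembling one flags the split request. The lesson for the defender is the one the post draws: a sniffer-based detector is only as good as its model of what the endpoint will actually reconstruct, which is why the post recommends treating IDS output as information about casual attacks rather than as something to drive firewall policy automatically.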
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:19 PDT