Re: Intrusion Detection

From: Adam Shostack (adamat_private)
Date: Wed Apr 15 1998 - 06:21:15 PDT

    Paul D. Robertson wrote:
    | On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
    | 
    | > 	There are really only 2 good reasons I can think of for ID systems:
    | > 1) To develop a threat level model as to how often you are attacked
    | > 2) To detect clueless people inside your organization who are attacking
    | > 	outside sites
    | 
    | 3) To detect clueless people inside your organization, or with access to 
    |    your facilities who are attacking your own systems.
    | 
    | 4) To trend traffic to detect possible tunnels through allowed protocols 
    |    like HTTP or SSL.
    
    	5) To detect the fact that you've been hooked up to YA
    extranet without any protection.
    
    	Also, allow me to clarify my point from yesterday (the one
    Marcus disagreed with 180 degrees).  In talking about attack
    detection, I meant useful in the sense "the value you can extract from
    what you buy," not useful in the sense that you get more time to not
    be at work.
    
    	The value you get from a Bro or one of its commercial
    relatives is that you know you're under attack.  (Insert Aleph's
    comments here.)  It detects attacks, not intrusions.  Intrusions are a
    much broader category and decent ID software was reasonably well
    described by Marcus last night.
    
    Adam
    -- 
    Just be thankful that Microsoft does not manufacture pharmaceuticals.
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:36 PDT