In some email I received from Gary Crumrine, sie wrote:
[...]
> Unfortunately, IDS systems seem to be the hot ticket these days. Forensic
> tools are not, and will not be in my opinion until the legal system has had
> more time to establish legal precedence. Business owners looking for tools
> these days are going to ask one very important question. What value is
> added with an IDS versus NFR. I can clearly demonstrate what an IDS gives
> me, the NFR concept is not so clear.

I think viewing the NFR as an IDS product (only) is taking too narrow a view of what NFR is. Yes, you can make an IDS with NFR, but NFR isn't limited to being an IDS. NFR is aimed at providing you information about what's going on around your network. What you do with that information and how you collect/process it with NFR is up to you.

An IDS, on the other hand, fits the same model as the firewall: it's built to detect *known* metrics and "do things" based on some sort of rule base. If something happens which it hasn't been programmed to recognise, there's a good chance it will just be ignored as being part of the "regular flow of irregular traffic".

I think a lot of what the product is aimed at being can be gleaned from the name "NFR" - "Network Flight Recorder". Whether it's `there' yet, I don't know - ask Marcus :) But, wouldn't it be an advantage to be able to "roll back" some log and be able to trace what happened on your network at time X when host Y was involved with hosts A and B in doing C? Whether it is a break-in attempt or someone attempting to surf XXX rated sites, should be of no consequence - hopefully enough information is being recorded to show who/what/where/why 24 hours or more later.

Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:39 PDT