> > One of my biggest criticisms of IDS's, security scanners, and security
> > programs in general is that they look for security problems, rather than
> > gathering information and processing it with a security mindset. The
>
> I think this is a poor generalization.

Well, I don't ;-)

> Security scanners don't necessarily
> "look for holes instead of valuable configuration information"; they tend
> to look for both.

I never mentioned configuration information, so I don't know who you're
quoting here. I'm talking about *any* information. And I said in my
experience; I'm not trying to map this assumption onto all things.

> The problem here is that you can't always (or even
> usually) analyze general configuration information and accurately obtain a
> picture of which vulnerabilities are present.

Exactly my point. The data should be kept, however, so that if you ever
*do* get the analysis down, you don't have to go back (if it's even
possible) and regather the stuff.

> You can collect "general" information such as the network topology,
> operating systems of all the machines, and the services they run, and
> "process it from a security mindset" to say "such-and-such a machine is
> probably vulnerable to this problem". The information you obtain from this
> type of analysis is probably going to be inaccurate.

Of course; we have a long way to go before we get anything that remotely
gives us what we'll want, either now or later.

> A valid criticism (and this may be the criticism you are making) against
> these types of systems is that they don't do enough analysis of the
> information they obtain and don't report the general information (rather
> than the specific low-level vulnerabilities) well enough. This is
> different from the question of whether the information is collected at
> all, though.

That wasn't my criticism, or point, at all.

dan
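The design Dan argues for above, collecting raw inventory first and keeping it so that analysis can be redone later without regathering, is easy to show in code. The following is an added example written for this archive page, not code from either poster or from any scanner they discuss; the `HostRecord` format, the rule functions, and the three sample hosts are all constructed for illustration.

```python
"""Added example (not from the thread): keep the raw inventory a scanner gathers,
and run the security analysis over the stored records as a separate step, so a
rule written later can be applied without a new collection pass.  The record
format, rule names and sample hosts are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class HostRecord:
    """One host as observed by a collection pass (constructed format)."""
    address: str
    os_family: str
    services: Dict[int, str]   # port -> service name as observed
    zone: str                  # e.g. "dmz" or "internal" (constructed labels)


# A rule looks at one stored record and returns a short finding, or None.
Rule = Callable[[HostRecord], Optional[str]]

# Constructed sample inventory standing in for one collection pass.
SAMPLE_INVENTORY: List[HostRecord] = [
    HostRecord("10.0.0.5", "unix", {22: "ssh", 23: "telnet", 80: "http"}, "dmz"),
    HostRecord("10.0.0.9", "windows", {445: "smb", 3389: "rdp"}, "dmz"),
    HostRecord("10.0.0.12", "unix", {22: "ssh"}, "internal"),
]


def store_inventory(records: List[HostRecord], db: Dict[str, HostRecord]) -> None:
    """Persist raw observations keyed by address.  Nothing here decides what
    counts as a problem: collection and analysis are deliberately separate."""
    for rec in records:
        db[rec.address] = rec


def cleartext_management(rec: HostRecord) -> Optional[str]:
    """Hygiene rule: a cleartext remote-management protocol is exposed."""
    if "telnet" in rec.services.values():
        return "cleartext remote management (telnet) observed"
    return None


def exposed_file_sharing(rec: HostRecord) -> Optional[str]:
    """Policy rule: file sharing observed on a host in the DMZ zone.
    This is a configuration judgement, not a claim of exploitability."""
    if rec.zone == "dmz" and "smb" in rec.services.values():
        return "file sharing service observed in DMZ"
    return None


def analyze(db: Dict[str, HostRecord], rules: List[Rule]) -> Dict[str, List[str]]:
    """Apply rules to the stored inventory; returns address -> findings.
    Adding a rule and re-running needs no new scan of the network."""
    findings: Dict[str, List[str]] = {}
    for address, rec in sorted(db.items()):
        hits = [msg for rule in rules if (msg := rule(rec)) is not None]
        if hits:
            findings[address] = hits
    return findings


def demo() -> Dict[str, List[str]]:
    """Collect once, then analyze twice: the second pass adds a rule that did
    not exist at collection time and still works from the stored data."""
    db: Dict[str, HostRecord] = {}
    store_inventory(SAMPLE_INVENTORY, db)
    analyze(db, [cleartext_management])                        # first pass
    return analyze(db, [cleartext_management, exposed_file_sharing])


if __name__ == "__main__":
    for addr, msgs in demo().items():
        print(addr, msgs)
```

The point of the split is in `analyze`: it never touches the network, so the accuracy limits the other poster raises apply only to the rules, and improving a rule later costs a re-run over the stored records rather than a fresh scan.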
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:01 PDT