Re: When to do something about detected attacks (was Re: how to do...)

From: tqbfat_private
Date: Wed Apr 15 1998 - 22:15:31 PDT

    > One of my biggest criticisms of IDS's, security scanners, and security
    > programs in general is that they look for security problems, rather than
    > gathering information and processing it with a security mindset.  The
    
    I think this is a poor generalization. Security scanners don't necessarily
    "look for holes instead of valuable configuration information"; they tend
    to look for both. The problem here is that you can't always (or even
    usually) analyze general configuration information and accurately obtain a
    picture of which vulnerabilities are present. 
    
    You can collect "general" information such as the network topology,
    operating systems of all the machines, and the services they run, and
    "process it from a security mindset" to say "suchandsuch a machine is
    probably vulnerable to this problem". The information you obtain from this
    type of analysis is probably going to be inaccurate. The need for accurate
    results is what drives tools like misuse detectors and security scanners
    to look for known patterns of abuse or vulnerability (respectively).
    
    A valid criticism (and this may be the criticism you are making) against
    these types of systems is that they don't do enough analysis of the
    information they obtain and don't report the general information (rather
    than the specific low-level vulnerabilities) well enough. This is
    different from the question of whether the information is collected at
    all, though.
    
    -----------------------------------------------------------------------------
    Thomas H. Ptacek			     		Secure Networks, Inc.
    -----------------------------------------------------------------------------
    http://www.enteract.com/~tqbf				"mmm... sacrilicious"
    