Finally, someone was able to formulate an educated, rational response that was not based on opinions, marketing hype, product positioning, etc. I have to admit that I have probably been the most vocal of the pro-IDS crowd, and I would like to take this time to apologize to Marcus for being a little too vocal in my opinions. IDS systems that exist today, for the most part, do exactly what William is talking about. Although some do better jobs than others, I have not seen a single product that combines all the good attributes together into one comprehensive tool. I guess we can hope, and look for someone to take the lead on this.

One point that was made prior is that IDS technology, as we know it today, is not the end-all answer to everyone's prayers. Just like one firewall is not the perfect solution in all cases. Otherwise, all we would have is one black box, plug-and-play device. Maybe someday, but not now. I have not heard anyone say that they are 100 percent safe, although many people that are critical of their usefulness would like you to think so. Of course, firewall vendors do not make that claim either, for obvious liability issues.

The thing I find useful about them is that they allow me to turn my attention elsewhere, until something like an alarm gets my attention. Every one of these things I have seen has been able to adjust thresholds, so I can cut down on the false alarms. Just like firewalls, it takes some time working with the product to be able to fully understand the technology and quirks. For this reason I do not place a lot of faith in the so-called testing and reports that have been done recently. Not to criticize the report, the technical expertise of the testers, or the methodology used, but mostly because I do not think we all understand the usefulness fully, and I think the real measure of usefulness is yet to be determined.

I use tools to accomplish many things. I see an IDS much like COPS, TRIPWIRE, ISS, REAL SECURE and others. They are all tools to help me do my job. An IDS is the same thing: a tool to help me do my job. I have read the humorous ditty "100 ways to beat your IDS" or something like that. Sure, if an attacker knows you are running a particular IDS, it may give him a bit of an edge, but I think, just like knowing which OS you are using, or knowing what version of sendmail, or other such juicy targets, it helps them know where to start. But as I understand IDS, it usually is in lurker mode, and may not be evident. Therefore, I do not think the use of an IDS will significantly add to your zone of vulnerability. It makes for good reading, but in practice may not be as useful as I would be led to believe. I find worth in what we have today, and look forward to better tools of tomorrow.

-----Original Message-----
<snip>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:28 PDT