Re: [Full-disclosure] Suggestion for IDS
From: Michael Holstein (michael.holsteincsuohio.edu)
Date: Thu Sep 29 2005 - 07:54:49 CDT
> I value your opinion on this subject as my knowledge about IDS is slim. Your
> suggestion below, as I understand it, basically says that, from a company
> standpoint, IDS is not a solution? We were thinking along this line of using
> IDS along with an IPS system too. We basically have nothing to inspect the
> high bandwidth usage or to catch infection from mobile or desktop users and
> thought IDS and IPS would help. Your thoughts?
No .. IDS is not a "solution". Neither is an IPS (note .. IPS is an
improvement on IDS .. the key is the 'D' being 'detection' and the 'P'
supposedly meaning 'prevention'). The reason for this is you can't
expect a network device to "protect" you from an attack due to
administrative laziness or ineptitude.
Unless you put an IPS between everyone's NIC and their network
connection, you'll never have *enough* of them to completely cover your
network. Things will sneak in .. but an IPS may help keep them from spreading
Like any security *gizmo*, an IPS/IDS/firewall/etc. is just another piece
of the puzzle .. but the *most* important piece is admins who know,
understand, and religiously implement security on every system they
Now .. as for catching infections on mobile/desktop users .. you'll do
well with most IDS/IPS products .. but remember .. in both cases, you're
only identifying the problem. With the IPS, you're preventing it from
going PAST the IPS, but not preventing it from infecting others on the
same subnet, etc.
If bandwidth regulation is your objective .. you'd be much better off
with something like Packeteer -- which many of us use to keep a lid on
Kazaa/Bittorrent -- and to great success.
There are numerous ways to defeat an IDS/IPS .. to work, it's got to be
able to "see" the traffic .. and there are any number of ways to defeat
that (encryption, packet fudgery via fragrouter et al., etc.). I don't
disagree that getting one is a good idea, just don't "sell" the idea to
your management/financial folks with the idea that "once we install
this, we'll never have any more viruses" -- because that's just not true.
Michael Holstein CISSP GCIA
Cleveland State University
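As an added illustration of the "it's got to be able to see the traffic" point in the reply above, here is a small Python example written for this page (it is not code from the original mail, fragrouter, or any IDS product). It shows two of the tricks fragrouter-style tools rely on: a signature that never appears inside any single segment because the payload was split, and overlapping segments where the sensor's reassembly policy decides what it "sees". The signature string, the sequence numbers and the segment contents are all constructed for the example.

```python
"""Why a sensor that does not reassemble can be blinded by splitting.

Added example for this page, not from the original mail. Every segment
below is a hand-constructed (seq, payload) pair standing in for what a
sensor would capture off the wire; the signature is a constructed sample.
"""

# Constructed sample signature (the classic phf CGI request string).
SIGNATURE = b"/cgi-bin/phf"


def split_evenly(data, base_seq, size):
    """Split a byte string into segments of at most `size` bytes, as a
    fragrouter-style tool would, so no single segment carries the whole
    signature."""
    return [(base_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


def match_per_packet(segments, signature=SIGNATURE):
    """Naive sensor: inspects each segment in isolation."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from (seq, payload) pairs.

    policy 'first': the byte seen first for an offset wins.
    policy 'last' : a later segment overwrites earlier bytes.
    End hosts differ in which they apply; if the sensor's choice differs
    from the target's, the sensor reconstructs a different stream than the
    one the target actually processes. Gaps are filled with 0x00.
    """
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(off, 0) for off in range(lo, hi + 1))


def match_reassembled(segments, signature=SIGNATURE, policy="first"):
    """Sensor that reassembles the stream before matching."""
    return signature in reassemble(segments, policy)


if __name__ == "__main__":
    # Trick 1: split the request into 4-byte segments.
    request = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"   # constructed
    tiny = split_evenly(request, 1000, 4)
    print("per-packet  :", match_per_packet(tiny))        # False
    print("reassembled :", match_reassembled(tiny))       # True

    # Trick 2: overlapping segments. The first segment carries a decoy,
    # a later one overwrites the decoy bytes with the real ones.
    overlap = [(1000, b"GET /cgi-XXX/phf"), (1009, b"bin")]   # constructed
    print("first-wins  :", match_reassembled(overlap, policy="first"))  # False
    print("last-wins   :", match_reassembled(overlap, policy="last"))   # True
```

The second case is the one that makes "just reassemble" insufficient on its own: a sensor has to know (or be told) how each protected host resolves overlaps, otherwise an attacker picks the overlap behaviour the sensor gets wrong. That, together with encryption, is what the mail means by the device having to be able to "see" the traffic.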
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/