Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: When to do something about detected at

Re: When to do something about detected attacks (was Re: how to do...)

Thu, 16 Apr 1998 00:15:31 -0500 (CDT)

> One of my biggest criticisms of IDS's, security scanners, and security
> programs in general is that they look for security problems, rather than
> gathering information and process it with a security mindset. The

I think this is a poor generalization. Security scanners don't necessarily
"look for holes instead of valuable configuration information"; they tend
to look for both. The problem here is that you can't always (or even
usually) analyze general configuration information and accurately obtain a
picture of which vulnerabilities are present.

You can collect "general" information such as the network topology,
operating systems of all the machines, and the services they run, and
"process it from a security mindset" to say "suchandsuch a machine is
probably vulnerable to this problem". The information you obtain from this
type of analysis is probably going to be inaccurate. The need for accurate
results is what drives tools like misuse detectors and security scanners
to look for known patterns of abuse or vulnerability (respectively).

A valid criticism (and this may be the criticism you are making) against
these types of systems is that they don't do enough analysis of the
information they obtain and don't report the general information (rather
than the specific low-level vulnerabilities) well enough. This is
different from the question of whether the information is collected at
all, though.

Thomas H. Ptacek Secure Networks, Inc.
http://www.enteract.com/~tqbf "mmm... sacrilicious"

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT