OSEC

Subject: Re: False Sense of Security?
From: Frank Knobbe (FKnobbeKNOBBEITS.COM)
Date: Thu Nov 16 2000 - 16:42:29 CST



> -----Original Message-----
> From: Joe Shaw [mailto:jshawINSYNC.NET]
> Sent: Thursday, November 16, 2000 1:37 PM
>
> [...]
> Well, there are really two types of Network IDS philosophies. One
> is what's commonly referred to as Attack Detection. [...] Attack
> Detection generally places IDS as close to the perimeter of your
> network as possible, generally in front of the firewall. This is
> kept more for pretty graphs and pie charts so you can show
> management that all that money they spent on IDS and other security
> software/services is actually worth something, because in the
> business world there's no real way to attach a tangible ROI to
> security. You don't really react to this data as much as you do
> Intrusion Detection data because you'd be spending all day dealing
> with these alerts, and in a perfect world you've patched all your
> machines for them and the firewall blocks most of the traffic
> anyway. [...]

That depends. You can have _your systems_ react to it. For example,
I'm running snort as an IDS inside the network and as an ADS in front
of the firewall. Any source that tries something that they shouldn't
(i.e. simply a portscan) will trigger an event that automatically
reconfigures the firewall so that the source is completely blocked
for a specified time.

Commonly you have some services open, for example SMTP or web. If
someone scans your machine, you can have the firewall close all ports
(incl. SMTP) for that source to avoid any nasties coming from that
source. Just like that flower that closes when you touch it (Mimosa?)

Regards,
Frank
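The automatic block Frank describes, as an added example that is not part of the original post or of snort itself: a small Python watcher that takes snort 1.x-style spp_portscan syslog lines (constructed here), inserts an iptables DROP for the scanning source and removes it again after a fixed time. The alert wording, the addresses and the iptables rules are assumptions; the never-block list is the check a practitioner wants, since a scan with a spoofed source could otherwise make the firewall cut itself off from its own upstream services.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Assumed shape of the snort 1.x portscan preprocessor alert as it appears in syslog.
PORTSCAN_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\d+\.\d+\.\d+\.\d+)")

# Assumed addresses that must never be blocked: the firewall's own upstream DNS and
# gateway. A spoofed "scan" from one of these would otherwise let a third party
# disconnect the site by triggering the auto-block.
NEVER_BLOCK = {"192.0.2.1", "192.0.2.53"}


def parse_alert(line: str) -> Optional[str]:
    """Return the scanning source address from a portscan alert line, else None."""
    m = PORTSCAN_RE.search(line)
    return m.group(1) if m else None


class AutoBlocker:
    """Blocks a scanning source for `ttl` seconds; `run` executes the firewall command."""

    def __init__(self, ttl: int, run: Optional[Callable[[List[str]], object]] = None) -> None:
        self.ttl = ttl
        self.run = run or (lambda argv: subprocess.run(argv, check=True))
        self.expires: Dict[str, float] = {}  # source -> unix time at which the block ends

    def handle(self, line: str, now: float) -> Optional[str]:
        """Process one alert line; returns the address blocked (or re-armed), else None."""
        ip = parse_alert(line)
        if ip is None or ip in NEVER_BLOCK:
            return None
        if ip not in self.expires:  # already blocked: only extend the expiry
            self.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.expires[ip] = now + self.ttl
        return ip

    def expire(self, now: float) -> List[str]:
        """Remove blocks whose time is up; returns the addresses released."""
        done = sorted(ip for ip, until in self.expires.items() if until <= now)
        for ip in done:
            self.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.expires[ip]
        return done


if __name__ == "__main__":
    # Constructed alert line; commands are recorded instead of executed for the demo.
    sample = "Nov 16 16:42:29 fw snort[411]: spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 0 seconds)"
    issued: List[List[str]] = []
    blocker = AutoBlocker(ttl=600, run=issued.append)
    print("blocked:", blocker.handle(sample, now=1000.0))
    print("released:", blocker.expire(now=1700.0), issued)
```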
