From: Mike Ruscher (Mike.RuscherCSE-CST.GC.CA)
Date: Wed Apr 04 2001 - 10:02:40 CDT


    Looks like you hit the nail on the head, Kevin, i.e., all's quiet on the front
    it seems ;).

    Thus far, IDS developers have provided central management for distributed
    IDS. Wow...

    How long before we hear that this type of functionality, which you have only
    scratched the surface of, is close to release in an integrated fashion?
    Communication between single vendor IDSs is limited to things like uploading
    system configuration and other update data, and downloading collected IDS
    data, whether pre-processed or not.

    In the longer term, the IDS industry might even be able to actually get its
    act together enough to integrate dissimilar IDS products for the purpose you
    describe. There is a lot of research which has pointed in this direction for
    a number of years now, but still there don't appear to be any "real"
    innovations in this area for COTS IDS. Many have been rolling their own, in
    one way or another, forever.

    The CIDF promised some early hope that this would be realized in a
    reasonable timeframe. I haven't heard a peep out of that community, nor the
    IETF, since the infamous "demo" CIDF experiment a long while ago. I think
    you can attribute the lack of uptake to the various marketing folks, but I
    wouldn't discount some backroom secret work going on, that some day might
    surprise us! Anyway, it would be interesting to hear from ANY of the head
    IDS honchos in this regard.

    P.S. I'm not holding my breath either...

    mgr

    Mike Ruscher, ITS Specialist I2, CSE/CST
    mgruschercse-cst.gc.ca
    Phone: +1 613 991-8040
    ED/C200
    http://www.cse-cst.gc.ca

    > -----Original Message-----
    > From: Kevin D [mailto:kdlistsMTSOLUTIONS.NET]
    > Sent: Monday, April 02, 2001 11:18 AM
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: multiple IDS layers - a new paradigm?
    >
    > One of the recurring topics I have been seeing on this list is the concept
    > that signature-based IDS's aren't too "bright." I have an IDS built into my
    > firewall as my first line of defence, and the only thing that I use it for
    > is a place to find out more info after I know a system has been breached.
    > This is because I get numerous false alarms on a daily basis.
    >
    > Some have suggested security layouts that include a firewall as the first
    > line, then an IDS, thereby filtering most false alarms before they can
    > trigger the IDS. I am not an expert in the security field, but I'd like to
    > make a suggestion that expands on this concept.
    >
    > Instead of having separate layers of IDS's that don't know what the other is
    > doing, how about setting up multiple IDS's that communicate with one another
    > to trace exploits? The firewall IDS could log all exploit attempts into a
    > database. The second-level IDS could track all exploits and compare them to
    > the firewall's database. A third component could watch incoming connections
    > on individual systems and check these against the combined IDS's and
    > firewall's databases. Another component could watch for changes on
    > filesystems (i.e. tripwire), and check these changes against the common
    > database.
    >
    > It seems to me that the obvious way to make these systems "smarter" is to
    > make them all work together. Does this sound right?
    >
    > Kevin
    >
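The shared-database correlation Kevin sketches above (firewall IDS, second-level network IDS, a per-host connection watcher and a tripwire-style file monitor all writing to one store, with each layer's alerts checked against the others), as an added example that is not from the original thread or either poster. The event rows, host names and addresses are constructed sample data, and the look-back window is an assumed parameter; the point it shows is that a file change preceded by alerts from several independent layers on the same host ranks above an isolated alert, which is how the common database trims the false alarms Kevin complains about.

```python
import sqlite3
from collections import defaultdict

# Constructed sample events (not real data): one row per alert from each layer.
# Columns: ts (seconds), layer, src_ip (None for host-local events), dst_host, detail
SAMPLE_EVENTS = [
    (100, "firewall_ids", "198.51.100.7", "web01", "cgi-bin probe"),
    (160, "network_ids",  "198.51.100.7", "web01", "cgi-bin probe"),
    (220, "host_conn",    "198.51.100.7", "web01", "inbound tcp/80 accepted"),
    (400, "fim",          None,           "web01", "/usr/bin/ls checksum changed"),
    (130, "firewall_ids", "203.0.113.9",  "mail01", "port scan"),
    (900, "fim",          None,           "db01",  "/etc/passwd checksum changed"),
]

def build_db(events=SAMPLE_EVENTS):
    """Create the shared in-memory 'common database' that every layer writes to."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts INTEGER, layer TEXT, src_ip TEXT, "
               "dst_host TEXT, detail TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", events)
    return db

def trace_chains(db, window=600):
    """For each filesystem change, look back `window` seconds (assumed value) for
    alerts on the same host from the other layers and count how many distinct
    layers saw each source address. Returns dicts sorted by corroboration, so a
    change with no supporting alerts from any layer sorts last."""
    rows = db.execute(
        "SELECT f.dst_host, f.ts, f.detail, e.layer, e.src_ip "
        "FROM events f LEFT JOIN events e "
        "  ON e.dst_host = f.dst_host AND e.layer != 'fim' "
        "  AND e.ts BETWEEN f.ts - ? AND f.ts "
        "WHERE f.layer = 'fim' ORDER BY f.ts, e.ts", (window,)).fetchall()
    chains = {}
    for host, ts, detail, layer, src_ip in rows:
        chain = chains.setdefault(
            (host, ts), {"host": host, "change": detail, "sources": defaultdict(set)})
        if layer is not None:          # NULL layer means no alert joined (LEFT JOIN)
            chain["sources"][src_ip].add(layer)
    result = []
    for chain in chains.values():
        # Pick the source address that the most layers independently reported.
        best = max(chain["sources"].items(), key=lambda kv: len(kv[1]),
                   default=(None, set()))
        result.append({"host": chain["host"], "change": chain["change"],
                       "src_ip": best[0], "layers": sorted(best[1])})
    result.sort(key=lambda c: -len(c["layers"]))
    return result
```

Alerts that never line up with a change on the target host (the mail01 port scan here) stay in the database for later lookup but are not escalated on their own.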