RE: SourceFire RNA

From: Lior Tal (liorus-path.com)
Date: Tue Dec 02 2003 - 11:49:30 CST


Rob,
I had no intention to say or insinuate that since Snort is reactive it
is of less value. I had only questioned the ability of a passive
solution to perform what is indicated on SourceFire's web site: discover
ALL DEVICES, ALL SERVICES AND ALL PORTS. That sounds a bit difficult, not
to say impossible. Therefore additional statements in this material, and
again I do not mean to offend any person or company, sound inaccurate
at best. "Passive VA" - if it is impossible to detect all devices'
properties, how can you tell their vulnerabilities? Providing partial
information in that context sounds like a "half pregnant woman".
"Eliminate false alarms" - again, if you cannot tell the detailed
information about a device, and in real time, it sounds impossible.
I truly think NIDS are a must in every network and that Snort is
apparently the most deployed one.
I look forward to hearing your thoughts.
Lior

-----Original Message-----
From: Rob Shein [mailto:shotenstarpower.net]
Sent: Tuesday, December 02, 2003 6:45 PM
To: 'Renaud Deraison'
Cc: 'Lior Tal'; focus-idssecurityfocus.com
Subject: RE: SourceFire RNA

I wouldn't say "reactive security practices don't work." There's
absolutely no way to cover all the bases in advance, and that's just how
life is; you have to have a reactive capability to be secure. Relying
entirely on reactive measures is a bad idea, but that's true of almost
any aspect of security. To rely solely on proactivity is also
insufficient, but that doesn't mean that being proactive is bad. The
point here is for a system to learn about a network without 1, making
itself apparent on the network, and 2, possibly disrupting the network
with traffic that it generates. In very large environments, it is
theoretically possible that one machine may remain quiet and be
overlooked until it gets a hostile probe...but does that mean that the
added protection given to the other thousand hosts is now worth nothing,
just because Snort is reactive?

> -----Original Message-----
> From: Renaud Deraison [mailto:deraisonnessus.org]
> Sent: Tuesday, December 02, 2003 11:36 AM
> To: Rob Shein
> Cc: 'Lior Tal'; focus-idssecurityfocus.com
> Subject: Re: SourceFire RNA
>
>
> On Tue, Dec 02, 2003 at 10:46:48AM -0500, Rob Shein wrote:
> > The answer to this is simple. All machines make some kind of noise on
> > the network, from an IDS-centric view. If the machine doesn't have
> > any interaction, ever, with anything, then it's not really important
> > from the IDS point of view, because it can't be breached WITHOUT
> > interaction. Even if the first traffic involving that machine is an
> > attack or scan, at that point the machine becomes at least as visible
> > to the IDS as it is to the attacker.
>
> Waiting for an attack is not necessarily a good strategy
> either - just think about all the worms that have been
> plaguing our last summer vacations these last few years.
>
> Reactive security practices simply don't work. If the host
> does not interact with the rest of the network, that does not
> make it more benign than any other one on the network - quite
> the contrary actually, as it suggests that it never
> downloaded any patch.
>
>
> -- Renaud
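The thread above argues over what a passive sensor such as RNA can and cannot learn from traffic alone. As an added example that is not part of the thread and not any vendor's code, the following Python builds a passive host/service inventory from flow summaries and reports which entries of an assumed authoritative asset list (DHCP leases, a CMDB) the sensor never confirmed; every host address, flow and the asset list are constructed for illustration.

```python
# Added example (not from the thread): a minimal passive inventory built from
# observed flow summaries, showing what a passive sensor can and cannot confirm.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class HostRecord:
    first_seen: float
    last_seen: float
    services: set = field(default_factory=set)  # (proto, port) the host answered on

def build_passive_inventory(flows):
    """flows: (ts, src, dst, proto, dport, answered) tuples as a flow collector
    might emit them. A host enters the inventory only when it emits traffic,
    either as initiator or by answering. Unanswered probes are kept apart:
    a silent target may be a live but quiet host or simply an unused address."""
    inventory = {}
    unanswered = defaultdict(list)

    def touch(host, ts):
        rec = inventory.get(host)
        if rec is None:
            inventory[host] = HostRecord(first_seen=ts, last_seen=ts)
        else:
            rec.last_seen = max(rec.last_seen, ts)

    for ts, src, dst, proto, dport, answered in flows:
        touch(src, ts)  # the initiator (even an outside scanner) proved it exists
        if answered:
            touch(dst, ts)
            inventory[dst].services.add((proto, dport))
        else:
            unanswered[dst].append((src, proto, dport))
    return inventory, dict(unanswered)

def coverage_gap(known_assets, inventory):
    """Assets on an authoritative list that the passive sensor never confirmed:
    exactly the hosts a purely passive approach cannot vouch for."""
    return set(known_assets) - set(inventory)

# Constructed sample flows for one short observation window (assumed addresses).
SAMPLE_FLOWS = [
    (1.0, "10.0.0.5", "10.0.0.10", "tcp", 80, True),     # workstation browses web server
    (2.0, "10.0.0.10", "10.0.0.53", "udp", 53, True),    # web server resolves a name
    (3.0, "192.0.2.99", "10.0.0.20", "tcp", 445, False), # external probe, no reply
]
KNOWN_ASSETS = {"10.0.0.5", "10.0.0.10", "10.0.0.20", "10.0.0.53", "10.0.0.77"}

if __name__ == "__main__":
    inv, probes = build_passive_inventory(SAMPLE_FLOWS)
    for host, rec in sorted(inv.items()):
        print(host, sorted(rec.services))
    print("unanswered probes:", probes)
    print("never confirmed passively:", sorted(coverage_gap(KNOWN_ASSETS, inv)))
```

Hosts 10.0.0.20 (probed but silent) and 10.0.0.77 (never on the wire) stay unconfirmed, which is the coverage limit both Lior and Renaud point at; a scheduled active scan or an authoritative asset source is what closes that gap.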
