Dear all,
I understand that IDS is a pretty new technology aiming to detect,
monitor and respond to different types of attacks at the network level.
The idea is excellent when combined with a firewall to form an integrated
security solution.
However, I wonder about the effectiveness that the IDS is claimed to have.
I have seen many cases where an internal network, mostly a web server, is
still hacked even though there is an IDS looking after it. The problems
usually are as follows:
1. Too many false alerts generated by the IDS. Hundreds of alert
notices come out, so the administrator is too confused to identify which
one is a real attack. If he/she chooses to respond to each alert by
blocking or killing the session, I am sure the network will not
function properly.
2. Without a good tuning mechanism for the IDS, there is a chance the
network is still hacked before you get the right notice from the IDS. Thus,
the IDS serves as a logging system for you to trace back the attack
rather than to protect you initially.
3. The IDS may not be able to capture all packets to analyze if the
network reaches a certain level of congestion. Thus, a false negative
result is obtained.
4. Attack signatures may not be up-to-date for the IDS.
Can anyone share with me a right mechanism to manage the IDS
effectively?
Cheers !
Keith
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
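As an added illustration of points 1 and 2 above (not part of Keith's post or of any IDS product), the script below shows the kind of tuning that turns an alert flood into a short ranked list: suppression of a known-benign (signature, source) pair, thresholding that collapses repeats of the same alert within a time window, and sorting by priority. The alert lines and their pipe-separated layout are constructed for this example only.

```python
"""Constructed IDS alert triage: suppress tuned-out noise, collapse
repeats within a window, and rank what is left by priority.
Line layout (invented, not any real IDS format): ts|sid|priority|src|dst|msg
"""

# Constructed sample alerts, already in time order (ts = epoch seconds).
ALERT_LINES = """\
1000|2001|3|10.0.0.9|10.0.1.2|ICMP ping sweep
1005|2001|3|10.0.0.9|10.0.1.2|ICMP ping sweep
1010|2001|3|10.0.0.9|10.0.1.3|ICMP ping sweep
1020|3100|1|198.51.100.7|10.0.1.2|WEB-CGI command injection attempt
1021|3100|1|198.51.100.7|10.0.1.2|WEB-CGI command injection attempt
1022|3100|1|198.51.100.7|10.0.1.2|WEB-CGI command injection attempt
1030|2002|2|203.0.113.4|10.0.1.2|SCAN port sweep
1200|3100|1|198.51.100.7|10.0.1.2|WEB-CGI command injection attempt
""".splitlines()

# Tuning rule: (sid, src) pairs known to be benign, e.g. the internal
# monitoring host that legitimately pings every server (assumed here).
SUPPRESS = {("2001", "10.0.0.9")}
WINDOW = 60  # seconds; repeats of one (sid, src, dst) inside this collapse to one row


def parse_alert(line):
    ts, sid, prio, src, dst, msg = line.split("|", 5)
    return {"ts": int(ts), "sid": sid, "prio": int(prio),
            "src": src, "dst": dst, "msg": msg}


def triage(lines, suppress=SUPPRESS, window=WINDOW):
    """Return aggregated rows: highest priority first, then most frequent."""
    rows = []
    for alert in map(parse_alert, lines):
        if (alert["sid"], alert["src"]) in suppress:
            continue  # tuned out: known-benign source for this signature
        key = (alert["sid"], alert["src"], alert["dst"])
        for row in rows:  # thresholding: extend a recent row for the same key
            if row["key"] == key and alert["ts"] - row["last_ts"] <= window:
                row["count"] += 1
                row["last_ts"] = alert["ts"]
                break
        else:
            rows.append({"key": key, "prio": alert["prio"], "msg": alert["msg"],
                         "count": 1, "first_ts": alert["ts"], "last_ts": alert["ts"]})
    rows.sort(key=lambda r: (r["prio"], -r["count"], r["first_ts"]))
    return rows


if __name__ == "__main__":
    for r in triage(ALERT_LINES):  # 8 raw lines become 3 rows for the admin
        print(f"P{r['prio']} x{r['count']:<3} {r['key'][1]} -> {r['key'][2]}  {r['msg']}")
```

Running it prints three rows instead of eight alerts; removing the suppression entry brings the ping-sweep rows back, which is the point of keeping tuning rules explicit and reviewable.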