The biggest problem with IDS in general is the signal-to-noise ratio. (NIDS has problems of being desequenced rather easily too...) Your little Linux box with a compression horn attached would be going off constantly without good, properly configured software to determine what is "intrusion" or a prelude to malicious activity. After a while, people would tune it out....probably walk over and unplug the thing.

I think the point is, as far as IDS is concerned, it's a comprehensive suite of tools that work at different levels, all with the goal of achieving increased security and reliability of the systems protected. By using proper auditing of hosts, host-based IDS (tuned so that it does not false positive too often), and combining that with network IDS (also tuned appropriately), you should be able to reduce the signal-to-noise ratio while still maintaining adequate security. I think the CYA factor of having best-of-breed security solutions in place, versus a Linux box with police lights and an OOGAH klaxon, is pretty obvious.

BTW, the host-based IDS on Windows systems is not just an "after the fact" type of solution, as was previously mentioned here. The latest HIDS systems will monitor filesystem changes in real time and log to a secondary logging device, which makes it hard for a cracker to cover the tracks made while installing his favorite root kit.

Certainly, knowing your enemy by following the BlackHat conferences like DefCon is a good idea....but consider that often your worst enemy is from within, and often someone that makes a "change" to a system without proper testing or "change control" practices. Host-based IDS goes a long way towards implementing change controls for "authorized" technicians. No firewall or network-based IDS is going to help you there....Somehow I doubt the Linux-based OOGAH box is going to help me with rogue NT administrators either. There is no "one tool fits all" solution available AFAIK.
----- Original Message -----
From: "mht" <[EMAIL PROTECTED]>
To: "Carl E. Mankinen" <[EMAIL PROTECTED]>; "Ron DuFresne" <[EMAIL PROTECTED]>
Cc: "Jose Nazario" <[EMAIL PROTECTED]>; "Ken Seefried" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Crumrine, Gary L" <[EMAIL PROTECTED]>
Sent: Wednesday, March 07, 2001 4:56 PM
Subject: Re: IDS

> It isn't about what tool is better, but what software/hardware security
> packages best fit the particulars of the networked
> environment/architecture. IDS, integrity checkers, why spend money, when
> little Radio Shack speakers can be hooked up to a Linux box, and configure
> syslog to blurt out "RED ALERT" every time someone tickles the finger port..
> :)
>
> stubs, remapping of ports, kernel tuning, takes the gooey stuff/attractive
> stuff away from any would-be intruder who really wants to get at the
> company's jewels.
> Why spend money on something like TripWire HQ Connector when one can simply
> contract out to go around club people where it counts. Simpler than
> reading the manual and a lot less expensive than hiring some security
> infosec jockey who thinks that reading William Gibson and having license
> plates that read "HACKR" impresses anyone except those Media people and
> DefCon groupies.. :)
>
> FWUMP, sorry, boy this IDS cynic soapbox is slippery this morning.. :)
> -

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
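As an added illustration of the host-based change monitoring and off-box logging argued for in the reply above (example code written for this page, not from any product or from the thread's authors): a minimal file-integrity monitor that fingerprints a tree, skips paths on a tuning ignore list so it does not fire on routine log churn, diffs against a baseline, and forwards each event to a secondary syslog host. The collector address, port 514 and the `hids-host` name are assumptions; the sample file contents are constructed.

```python
"""Minimal host-based change monitor: fingerprint a file tree, diff it
against a baseline, and ship each event to a secondary log host."""
import hashlib
import socket
from fnmatch import fnmatch

# Paths a tuned HIDS skips so it does not "go off constantly" on routine churn.
DEFAULT_IGNORE = ("var/log/*", "tmp/*", "*.swp")

def fingerprint(files, ignore=DEFAULT_IGNORE):
    """files: {relative_path: bytes} (e.g. gathered with os.walk on a real host)
    -> {path: sha256 hex}, with ignored paths dropped before hashing."""
    return {
        path: hashlib.sha256(data).hexdigest()
        for path, data in files.items()
        if not any(fnmatch(path, pat) for pat in ignore)
    }

def diff(baseline, current):
    """Compare two fingerprints; returns sorted (event, path) tuples."""
    events = [("removed", p) for p in baseline.keys() - current.keys()]
    events += [("added", p) for p in current.keys() - baseline.keys()]
    events += [("modified", p) for p in baseline.keys() & current.keys()
               if baseline[p] != current[p]]
    return sorted(events)

def syslog_line(event, path, host="hids-host"):
    """Syslog-style record; PRI 36 = facility auth (4) * 8 + severity warning (4)."""
    return f"<36>{host} hids: {event} {path}".encode()

def ship(events, collector, port=514):
    """Forward events to the secondary log host over UDP; returns count sent.
    Because the copy leaves the box immediately, wiping local logs later
    does not remove the record."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for event, path in events:
            sock.sendto(syslog_line(event, path), (collector, port))
    return len(events)

if __name__ == "__main__":
    # Constructed sample: a replaced system binary and a new hidden file,
    # plus log-file growth that the ignore list filters out as noise.
    before = {"bin/ls": b"original ls", "etc/passwd": b"root:x:0:0",
              "var/log/messages": b"a"}
    after = {"bin/ls": b"replaced ls", "etc/passwd": b"root:x:0:0",
             "var/log/messages": b"ab", "usr/lib/.hidden": b"x"}
    for ev in diff(fingerprint(before), fingerprint(after)):
        print(syslog_line(*ev).decode())
```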
