I completely agree. If you are doing anomaly/heuristics
based detection then you would need to have a baseline.
Just in my own experience (*points at the bags under the
eyes*), I don't really bother with IDS/IPS. Others I work
with still do and that is fine, but it is a full time job
to chase ghosts. To each their own. :)
I sleep better knowing I audit my stuff and lock things
down. It actually kills several birds with one stone
(ASPCA won't like that analogy). I find things that I did
not know people installed. I fix sysadmin boo-boos and
can further document what is running where. It also helps
me find ahead of time applications that were not coded
well and cannot withstand a lightweight audit. I can
then work with developers to improve their applications
and dig deeper into application security. This in my not
so humble opinion is a more efficient approach, as it
catches weaknesses that network devices cannot predict or
safely negate without impacting business flow.
But hey, selling network devices means more money changing
hands and more jobs so I won't complain. Funny money is
still money. :)
--Aaron
On Sun, 16 Apr 2006 17:31:37 +0200
Stefano Zanero <[EMAIL PROTECTED]> wrote:
Aaron wrote:
To add to (or take away) from this thread, I would further
mention that IDS/IPS regardless of make or implementation,
will only see the past, not the future.
You may wish to notice that this is true, but a problem
only for misuse based devices. Anomaly based devices, on
the contrary, use the past as a way to detect anomalies
into the future, and therefore are less sensitive to the
zero-day/unforeseen attack problem.
Stefano
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------