On Tue 23/09/2003 at 10:01, Philippe Bogaerts wrote:
> I totally agree. An IDS for auditing firewall or other policies can be
> useful, if properly configured.

Agree. In conjunction with a conventional audit or open pentest, a well
configured IDS framework can point where security policy is broken.

> I simply hate the fact that most vendors position their IDS product as an
> attack blocking device. The only thing they can do is actually RST tcp
> connections (sometimes). My opinion is that it is quite a simple and basic
> method for doing attack blocking.

It is a simple and basic one, but sometimes ineffective. Just think of
Slammer, which uses a single UDP packet to replicate. Even if your IDS can
detect this, it is already too late.

The thing I really hate is IDS vendors that come to you with a "my IDS can
do all the blocking stuff for you". I went to an IDS demo with an old badly
configured FW1 firewall, an IIS 4 webserver and a root'o'matic WuFTPd. First
part, the cracker can go through and root everything. Second part, I plug my
IDS sensors in, enable the FW1 plugin, and see, all attacks are blocked! You're
now secure.

I hate this. I really do (and people from this IDS vendor seem to hate me as
well now ;)).

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
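As an added illustration of the RST point made in the thread (this is example code, not from the original post or any vendor's product), the following Python model compares a passive sensor on a tap, which sees each packet only after it has already been forwarded and can react only by resetting a TCP flow, with an inline device that drops before delivery. The packets, the `EXPLOIT` signature string and the host model are all constructed for the example.

```python
"""Model of passive RST-based 'blocking' versus inline dropping.

A passive IDS on a SPAN port or tap receives a *copy* of each packet after the
real packet has been forwarded to the victim. Its only active response is to
inject a TCP RST, which can stop later segments of a flow but not the one it
has just seen, and does nothing at all for UDP. An inline IPS inspects before
forwarding and can drop the first malicious packet. Everything here is a
constructed abstraction.
"""
from dataclasses import dataclass

# Constructed stand-in for a content signature the sensor matches on.
SIGNATURE = b"EXPLOIT"


@dataclass
class Packet:
    proto: str     # "tcp" or "udp"
    flow: str      # constructed flow identifier (5-tuple stand-in)
    payload: bytes


def is_malicious(pkt: Packet) -> bool:
    """Signature match on the payload (toy detection logic)."""
    return SIGNATURE in pkt.payload


def run_passive_rst(packets):
    """Passive tap: deliver first, inspect the copy afterwards, RST on match.

    Returns the list of packets that actually reached the victim.
    """
    delivered = []
    reset_flows = set()
    for pkt in packets:
        # Later segments of a flow the sensor already reset never arrive.
        if pkt.flow in reset_flows:
            continue
        delivered.append(pkt)            # the real packet is forwarded first
        if is_malicious(pkt) and pkt.proto == "tcp":
            reset_flows.add(pkt.flow)    # sensor injects RST for this flow
        # For UDP there is no connection to reset: nothing the sensor can do.
    return delivered


def run_inline(packets):
    """Inline IPS: inspect before forwarding, drop on match."""
    return [pkt for pkt in packets if not is_malicious(pkt)]


def compare(packets):
    """Count how many packets reach the victim under each deployment."""
    return {
        "passive_rst": len(run_passive_rst(packets)),
        "inline": len(run_inline(packets)),
    }


# Constructed traffic. The TCP attack needs several segments, so a RST after
# the first can still cut off the rest. The UDP worm is a single datagram, in
# the spirit of the Slammer example from the thread (payloads are invented).
TCP_ATTACK = [
    Packet("tcp", "tcp-flow-1", b"EXPLOIT stage 1"),
    Packet("tcp", "tcp-flow-1", b"EXPLOIT stage 2"),
    Packet("tcp", "tcp-flow-1", b"EXPLOIT stage 3"),
]
UDP_WORM = [
    Packet("udp", "udp-flow-1", b"EXPLOIT whole worm in one datagram"),
]

if __name__ == "__main__":
    for name, traffic in (("TCP multi-segment attack", TCP_ATTACK),
                          ("UDP single-datagram worm", UDP_WORM)):
        print(name, compare(traffic))
```

Even for TCP the passive sensor lets the first matching segment through, so RST injection only helps when the attack needs further packets after the one that triggered detection; for a single-datagram UDP payload it helps not at all, which is why detection alone is not a blocking control.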
