Slashdot Mirror


Future Of IDS

A reader wrote to us about a summary article regarding IDS. This is an interesting article insofar as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?

2 of 125 comments

  1. a great management console for Snort... by jabbo · Score: 1, Redundant

    See my earlier comment about ACID. Multisensor correlation and alert grouping, emailing of packet traces to offenders or CIOs, pretty much all you could ask for.

    Try it: ACID homepage (http://acidlab.sourceforge.net/). You may be pleasantly surprised at how easy Snort is to scale up. I have numerous sensors, all in production, all logging on all interfaces, all the time, and haven't had any major incidents on my subnet. I credit this partly to having early warning of when some idiot tries to attack my boxen, as well as to using Thoth (http://firedrake.org/thothproject/) for host monitoring, which makes it trivial to check that all my daemons are up-to-date, and all kernel patches are installed.

    Someone pisses me off consistently, they get blackholed. This is something I'd recommend doing by hand, of course, but for people whose business I don't need or want, it's a great way to end the problem right then and there. :-)

    --
    Remember that what's inside of you doesn't matter because nobody can see it.
  2. Future of IDS by lamj · Score: 0, Redundant

    In the article from Vnunet, what is the "Top performer" in terms of its ability to detect packets before dropping them (amount of traffic)?

    I recently qualified as a SANS GCIA, and in my opinion there is a lot of room for improvement in IDS. Other than the points mentioned in the articles, I would like to bring up a point about invasion and evasion attacks on the NIDS: they are hard to deal with, and HIDS is the real solution to this problem. However, everyone knows the difficulty of implementing HIDS across the network... It would be great if they could do something about it (i.e. NIDS knowing the TCP/IP stack of the client machine).

    Also, there are some attacks that will not be detected by a NIDS because of their nature, so we are back to the old style of traffic analysis. On some occasions it can be solved by implementing "state" in the detection engine, but this will make things EXTREMELY slow.

    There were earlier comments about IPsec killing IDS. I think this only depends on how you implement your IDS: for network-to-network IPsec, you might have to put the IDS behind the gateway if you want to do analysis. IDS still has value in the network.

    I find most people think of IDS as a simple technology that should be easy to implement. That can be true if you only monitor a small network, but when you have a large network and lots of traffic, it can get very messy.
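The evasion problem lamj raises (a NIDS that does not know the victim's TCP/IP stack) can be shown with a few overlapping TCP segments. The Python below is an added example, not code from the thread, from Snort or from any product. It assumes two simplified reassembly policies ("first" and "last" byte at an offset wins; real stacks apply finer-grained rules per overlap type), a constructed HTTP request split into overlapping segments, a constructed content signature, and a hypothetical host-to-policy table. The same segments reassemble to a benign request under one policy and to the signature under the other, and reversing the arrival order flips which policy sees the attack, so a detector with one fixed policy is always evadable against some host; the target-based detector at the end picks the policy from per-host state, which is the "NIDS knowing the TCP/IP stack of the client machine" idea (and also why the "state" lamj mentions costs memory and time).

```python
"""Insertion/evasion against a NIDS via overlapping TCP segments.

Added example, not code from the thread or from any IDS product. Two
simplified reassembly policies are assumed ("first" and "last" byte wins);
real stacks apply finer-grained rules per overlap type.
"""
from typing import Dict, List, Tuple

# A segment is (relative sequence number, payload). Constructed sample data:
# segment 2 overlaps exactly the 11-byte path portion of segment 1.
Segment = Tuple[int, bytes]

ATTACK: List[Segment] = [
    (0, b"GET /index.html HTTP/1.0\r\n"),   # benign-looking request, 26 bytes
    (4, b"/cgi-bin/ab"),                    # 11 bytes overlapping "/index.html"
]

# The same two segments delivered in the opposite order.
ATTACK_REVERSED: List[Segment] = list(reversed(ATTACK))

SIGNATURE = b"/cgi-bin/"   # content the detector looks for (constructed)

# Hypothetical host table consulted by the target-based detector.
HOST_POLICY: Dict[str, str] = {"10.0.0.5": "last", "10.0.0.9": "first"}


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly-overlapping segments.

    policy "first": the earliest-received byte at an offset is kept.
    policy "last":  the most recently received byte at an offset wins.
    Segments are processed in arrival order. A hole (offset never received)
    is rendered as b"?" so the result stays printable; a real stack would
    wait for retransmission instead (assumption for this example).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy: {policy}")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            offset = seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(o, ord("?")) for o in range(max(stream) + 1))


def nids_alert(segments: List[Segment], assumed_policy: str,
               signature: bytes = SIGNATURE) -> bool:
    """Detector that reassembles with one fixed policy (the evadable case)."""
    return signature in reassemble(segments, assumed_policy)


def evasion_gap(segments: List[Segment], nids_policy: str,
                host_policy: str, signature: bytes = SIGNATURE) -> bool:
    """True when the host would see the signature but the detector would not."""
    host_view = reassemble(segments, host_policy)
    nids_view = reassemble(segments, nids_policy)
    return signature in host_view and signature not in nids_view


def target_based_alert(dst_ip: str, segments: List[Segment],
                       signature: bytes = SIGNATURE,
                       default_policy: str = "first") -> bool:
    """Detector that reassembles the way the destination host does.

    Per-host state (HOST_POLICY, hypothetical) replaces guessing; an unknown
    host falls back to default_policy and is therefore still evadable.
    """
    policy = HOST_POLICY.get(dst_ip, default_policy)
    return signature in reassemble(segments, policy)


if __name__ == "__main__":
    for label, segs in (("in order", ATTACK), ("reversed", ATTACK_REVERSED)):
        for policy in ("first", "last"):
            print(f"{label:9s} {policy:5s}: {reassemble(segs, policy)!r}")
    print("gap (NIDS=first, host=last):", evasion_gap(ATTACK, "first", "last"))
    print("target-based for 10.0.0.5:  ", target_based_alert("10.0.0.5", ATTACK))
```

The practical check is the `evasion_gap` call: for any fixed detector policy there is an arrival order and a host policy that produce a gap, which is the reason later Snort releases gave the frag3 and stream5 preprocessors a per-target policy option rather than a single global reassembly rule.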