I don't see it specifically as an issue of accessing content that would be blocked. Any user of Triangle Boy may simply wish to get content anonymously. They may not want the school to watch them go to even permitted sites. We cannot assume that these students are only using it to access forbidden things. There is a use for privacy beyond anonymously downloading "inappropriate content".
It isn't a matter of configuring your IDS that makes your life peaceful; it is understanding what is normal on your network. The fact that you see 3000 of something that your IDS says is attack xyzzy doesn't mean that one of those couldn't be real. You cannot simply ignore that attack if you have systems on your network that could be vulnerable to that attack.
You can tell the IDS to ignore everything for which you do not support the vulnerability. What you are left with is hopefully a more manageable set of possible attacks. On those remaining alarms you have to learn what is normal for your network in order to detect a real attack. You need a way to pull the signal, i.e., the real attack, from the noise of the backdrop of false positives.
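The two-step tuning the post describes, as an added example that is not part of the thread: first drop alerts whose vulnerability the targeted host cannot have, then compare what survives against a learned per-signature baseline. The alerts, the asset inventory, the baseline counts and the signature names are all constructed placeholders.

```python
from collections import Counter

# Constructed sample alerts (not from the thread): each alert is
# (signature, platform the signature's vulnerability affects, destination host).
ALERTS = [
    ("xyzzy-overflow", "iis", "web1"),
    ("xyzzy-overflow", "iis", "web1"),
    ("xyzzy-overflow", "iis", "web2"),
    ("xyzzy-overflow", "iis", "mail1"),
    ("cgi-phf", "apache", "web2"),
    ("cgi-phf", "apache", "web2"),
    ("cgi-phf", "apache", "web2"),
]

# Assumed asset inventory: the platform each host on the network actually runs.
INVENTORY = {"web1": "iis", "web2": "apache", "mail1": "sendmail"}

# Assumed baseline: the number of alerts per day each signature normally
# produces on this network (the "3000 of something" the post mentions).
BASELINE = {"xyzzy-overflow": 3000, "cgi-phf": 1}


def supported(alert, inventory):
    """Keep an alert only if the targeted host runs the platform the signature affects."""
    sig, platform, host = alert
    return inventory.get(host) == platform


def triage(alerts, inventory, baseline, factor=2.0):
    """Step 1: discard alerts for vulnerabilities the target cannot have.
    Step 2: count what remains per signature and flag any signature whose
    volume exceeds `factor` times its learned baseline as a spike worth a look.
    Returns (relevant_alerts, spikes)."""
    relevant = [a for a in alerts if supported(a, inventory)]
    counts = Counter(sig for sig, _, _ in relevant)
    spikes = {sig: n for sig, n in counts.items()
              if n > factor * baseline.get(sig, 0)}
    return relevant, spikes


if __name__ == "__main__":
    kept, flagged = triage(ALERTS, INVENTORY, BASELINE)
    print(f"{len(kept)} of {len(ALERTS)} alerts target a host that is actually exposed")
    print("signatures above baseline:", flagged)
```

Note that the surviving xyzzy alerts are not flagged as a spike (two is far below the usual 3000), yet they are still kept for review because web1 really runs the affected platform; the baseline step finds volume anomalies, the inventory step finds the real targets.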
Sure, I can point you to a historical example of where a small number of motivated people without training and with inferior weapons held off a superior force: Warsaw and Lithuanian ghetto uprisings. Check out the book, The Avengers, by Rich Cohen.
Or if you want an even better education, read the book Unintended Consequences by John Ross and Timothy Mullin.