This comparison is not fair and not even close. First of all an IDS is a tool. It is a tool to be used by experienced people. Would you hire someone to maintain your Cisco network that had never maintained a Cisco router? How about someone to manage your firewall who didn't know firewalls? :)

False alerts are usually not really false alerts. If an attack or a probe does not succeed I still want to know that the attack took place. It identifies *intent*.

In many cases the rest of the false alerts that are just calling out network activities can be tuned out. If you don't know how to do that then learn :)

The idea that an IDS makes the decision that something is interesting or not is a scary proposition and all it will do is lead to more insecurity.

Bite the bullet and hire someone for their *expertise* and *skill* and stop looking for pipe dreams of a security system that will tell your non-technical people you are in trouble...
Ok, little lesson in networking and NAT/PAT. If I use the DSL provider's router, throw a NAT/PAT device such as a Linux box running IPTables or a PIX firewall behind it (you do run a firewall, right?), there is no way for the ISP to know how many machines I have behind it. They may be able to guess there is more than one based on trend analysis or bandwidth usage, but that's just a guess and I doubt they would invoke their TOS against a paying (they are in business to make money :) user based on a guess.
NAT = Network Address Translation. Each IP behind the device is mapped to a public IP. Yes, even ICMP replies and e-mail headers.
PAT = Port Address Translation (more common). Each outgoing connection is assigned a port on the firewall device. This means that 100 machines would look like one. Again, yes, even mail headers and ICMP.
MAC address: The MAC address will never give you the machine that sent the packet unless you are on the same subnet. The source MAC is *always* the MAC of the last hop. This is how networking works.

So in other words, unless he gets really stupid he will never get caught.
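To make the PAT point concrete (100 machines looking like one), here is a small simulation of a port-translating device like the IPTables/PIX box the post describes. This is an added example, not code from the post or from any of those products; the IP addresses (10.0.0.x inside, 203.0.113.5 as the single public address, 198.51.100.10 as a remote server) and the port pool are constructed for illustration.

```python
"""Toy PAT (Port Address Translation) device: many inside hosts, one public IP.

Constructed example. Addresses below are documentation ranges, not real hosts.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (inside_ip, inside_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


@dataclass
class PortAddressTranslator:
    public_ip: str
    first_port: int = 1024
    last_port: int = 65535
    # inside flow -> public source port chosen for it
    outbound: Dict[Flow, int] = field(default_factory=dict)
    # public source port -> inside flow (used to deliver replies)
    inbound: Dict[int, Flow] = field(default_factory=dict)

    def _allocate_port(self) -> int:
        # Lowest free port in the pool; a real device also ages entries out.
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, src_ip: str, src_port: int,
                           dst_ip: str, dst_port: int) -> Tuple[str, int, str, int]:
        """Rewrite an outgoing packet: inside src -> public_ip:allocated_port."""
        key: Flow = (src_ip, src_port, dst_ip, dst_port)
        port = self.outbound.get(key)
        if port is None:                      # new connection: create state
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, port, dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int,
                          public_port: int) -> Optional[Tuple[str, int, str, int]]:
        """Rewrite a reply to public_ip:public_port back to the inside host.

        Returns None when no matching state exists, i.e. the packet is
        unsolicited and a stateful device would drop it.
        """
        key = self.inbound.get(public_port)
        if key is None or key[2] != src_ip or key[3] != src_port:
            return None
        inside_ip, inside_port, _, _ = key
        return (src_ip, src_port, inside_ip, inside_port)


def demo(num_hosts: int = 100) -> dict:
    """100 inside hosts all talk to one web server; count what the outside sees."""
    pat = PortAddressTranslator(public_ip="203.0.113.5")
    public_ips, public_ports = set(), set()
    for i in range(1, num_hosts + 1):
        pub_ip, pub_port, _, _ = pat.translate_outbound(
            f"10.0.0.{i}", 40000, "198.51.100.10", 80)
        public_ips.add(pub_ip)
        public_ports.add(pub_port)

    # A repeated packet on an existing flow reuses its port (no new state).
    again = pat.translate_outbound("10.0.0.7", 40000, "198.51.100.10", 80)
    # The server's reply to host 7's port lands on host 7 only.
    reply = pat.translate_inbound("198.51.100.10", 80, again[1])
    # An unsolicited inbound packet to a port with no state is dropped.
    unsolicited = pat.translate_inbound("198.51.100.10", 80, 9)

    return {
        "distinct_public_ips": len(public_ips),   # 1: the ISP sees one address
        "distinct_public_ports": len(public_ports),  # 100: one per connection
        "reused_port": again[1],
        "reply": reply,
        "unsolicited": unsolicited,
    }


if __name__ == "__main__":
    print(demo())
```

The outside observer only ever sees 203.0.113.5 with varying source ports, which is exactly why a count of machines cannot be read off the traffic; the reverse table is also why the device must hold state for every live connection.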