33 Comments
- inactive, on 10/12/2007, -0/+10 Heuristics don't work anymore despite what the vendors tell you, the reason is simple - the bad guys have copies of all the major AV software and test their malware against them...when they don't get caught by a signature or heuristics then they release it.....
- lithiumsystems, on 10/12/2007, -2/+12 "Anti-virus systems are only good at detecting viruses they already know about."
There are heuristic and behavioral analysis technologies to detect unknown threats. ;)
- sirloin, on 10/12/2007, -0/+6 True, but if you look at antivirus programs you will see not all heuristics are the same.. shoot, even there are a wide variety of detection rates for virus scanners. There are also kinds of holes and intrusions that won't set off a virus scanner but an IDS will still see. So having a system with heuristics isn't as secure as a system with an IDS as well.
- DogNo7, on 10/12/2007, -0/+3 Last time I did a security implementation, we did IDP, Intrusion Detection and Prevention. The problem with IDS is that it doesn't prevent intrusions, requires monitoring, and regular IS staff in most small to mid-sized companies can't dedicate eyeballs to this process.
An IDP will automatically respond to intrusions and acts as an additional layer to a firewall. The responses can be tiered and selectively applied to different types of attacks.
Worked well, and needed very little hand holding. Good reporting functions were also available.
- cru99, on 10/12/2007, -0/+3 Thanks for posting, people never think about that, but it's important....dugg
- sirloin, on 10/12/2007, -0/+3 Besides, having an IDS or IPS on a separate system can show you if your antivirus has been compromised.
- c0ckr0ach, on 10/12/2007, -0/+3 TippingPoint sucks. In bake-offs they were constantly evaded using some well known techniques (fragmentation, overlapping fragments, etc.). Rather than fix their engine to handle these techniques they just created a signature to flag the most common tool used in the bake-offs, Metasploit. This made it look like they could handle evasion techniques, but in the end any other tool or even Metasploit with a different exploit module easily got around them. At least they know how to market their junk.
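The overlapping-fragment evasion mentioned in this comment is exactly the kind of ambiguity an inspection engine has to resolve itself rather than paper over with a signature for one tool. As an added example (not from this thread or any vendor's product), the Python below reassembles a fragment list under the two common reassembly policies and flags any overlap whose bytes disagree; the Fragment type, the byte-granular offsets (real IP offsets are in 8-byte units) and the sample HTTP request are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Fragment:
    """One IP fragment (constructed, simplified: offset in bytes, not 8-byte units)."""
    offset: int
    payload: bytes
    more_fragments: bool

def reassemble(frags: List[Fragment], policy: str = "first") -> Tuple[bytes, List[int]]:
    """Reassemble fragments into one datagram.

    "first" keeps the byte that arrived first, "last" lets a later fragment
    overwrite it; real IP stacks differ here, which is what makes overlap
    ambiguous.  Returns the bytes plus the offsets where fragments disagreed.
    """
    if not any(not f.more_fragments for f in frags):
        raise ValueError("no final fragment (more_fragments never cleared)")
    data: Dict[int, int] = {}
    conflicts: List[int] = []
    for frag in frags:                      # arrival order decides who wins
        for i, byte in enumerate(frag.payload):
            pos = frag.offset + i
            if pos in data:
                if data[pos] != byte:
                    conflicts.append(pos)
                if policy == "first":
                    continue                # keep the earlier byte
            data[pos] = byte
    end = max(data) + 1 if data else 0
    if any(p not in data for p in range(end)):
        raise ValueError("hole in datagram: a fragment is missing")
    return bytes(data[p] for p in range(end)), sorted(set(conflicts))

def is_evasion_candidate(frags: List[Fragment]) -> bool:
    """Alert on conflicting overlap: what the endpoint sees depends on its
    reassembly policy, so a signature match (or miss) on one interpretation
    proves nothing.  An engine should flag this rather than silently pick one."""
    return bool(reassemble(frags, "first")[1])

# Constructed samples: a clean split of an HTTP request line, and the same
# request plus a fragment that rewrites bytes 5..12 on "last"-policy stacks.
CLEAN = [Fragment(0, b"GET /ind", True), Fragment(8, b"ex.html ", True),
         Fragment(16, b"HTTP/1.0", False)]
OVERLAP = CLEAN[:2] + [Fragment(5, b"evil.htm", True)] + CLEAN[2:]
```

Running `reassemble(OVERLAP, "first")` and `reassemble(OVERLAP, "last")` yields two different request lines from the same packets, which is why the engine, not a tool signature, must own this decision.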
- Mutiny32, on 10/12/2007, -0/+3 Oh really? What, may I ask, has replaced it?
- inactive, on 10/12/2007, -0/+3 Best practice is to use an IPS in IDS mode and then start to turn on the blocking for the obvious bad stuff (generally detected using signatures) and then start blocking whatever is of concern as a result of more exotic methods of detection (e.g. statistical anomaly/DoS etc).
There are many good products out there that can do this, but as a poster said earlier, pure IDS (i.e. not blocking anything) is just too much of a reactive approach to take these days.
One final thing, IPS is NOT the cure-all - you still need multiple layers of security.....
- inactive, on 10/12/2007, -0/+2 If you want to learn more then SNORT software is free and used by most for detection - http://www.snort.org/ (if you pay for the premium service you just get the signatures a little early). This system is purely based on signatures which won't necessarily be able to detect unknown attacks.
If you want to buy something then the NSS group is a good place to start - they have some free-to-download reports http://www.nss.co.uk/
- kd1s, on 10/12/2007, -0/+2 The problem with IDS systems is that they require a small hub so that the sniffer can watch the traffic. That's a single point of failure. What's worse is that the high-end IDS systems have the hub built in, so if it fails the whole device is pretty much useless.
We were talking about this at work the other day. I suppose a hub is cheap enough and all, but it's just having the point of failure that leaves a bad taste.
- inactive, on 10/12/2007, -0/+1 It's possible for some IPSs to recognise virtualisation by watching the traffic going via a particular VLAN rather than IP range; MPLS networks give most of them problems, however.
- sirloin, on 10/12/2007, -2/+3 I wish I could bury you as lame. IPS uses IDS.. so while they are better, they are more of an addition rather than a replacement. Sure, you can get a complete standalone IPS, but it has a built-in IDS.. otherwise it wouldn't work.
Not sure why you have to bury a perfectly good article just 'cause you think you are smarter than the writer, and please tell me which IDS they are selling.
- DatDamWuf, on 10/12/2007, -0/+1 Buried, no open source - ignores the best - SNORT
- dexman, on 10/12/2007, -0/+1 BURIED... MORE SPAM FROM ISECURITY.COM
IDS/IPS are hores and buggy technologies.
- CountBrass, on 10/12/2007, -5/+6 This "article" is just a blatant ad for a paper you have to pay for.
Dugg down.
- CARPEDATAM, on 10/12/2007, -0/+1 LET ME CORRECT MY LAST POST:
IDS IS FOR DUMMIES.
- reitveld, on 10/12/2007, -0/+1 Has anyone read any reviews of IDS software? I'd like to check them out; however, I like to read the reviews prior to installing any software.
- inactive, on 10/12/2007, -0/+1 @Colingrady
Nothing personal but...
I always laugh when I hear the phrase "fail open"....who in their right mind would have a firewall fail open?
No-one ... so why would you want an IPS to fail open? The reason I laugh is because it shows how little faith people have in IPS technology :)
- CARPEDATAM, on 10/12/2007, -0/+1 Virtualization will kill IPS by eroding the efficacy of signatures tied to physical location. So... in addition to processing ceilings driven by signature detection... IPS faces irrelevance driven by circumnavigation.
- EXreaction, on 10/12/2007, -2/+2 When software is "mainstream" it is used by far more people than everything else. Thus security flaws and bugs are found much faster than other software.
So by that I can say that a mainstream application is far more secure than a non-mainstream application, even if the mainstream application has some known vulnerabilities (as long as the methods are not widely known and can be done by someone with no more than average computer skills). But a threat that large would be fixed within a few days tops.
To sum it up: What you don't know can still destroy you.
- Psygnosis, on 10/12/2007, -1/+1 It might be an interesting article, but I stopped reading right there.
- ropers, on 10/12/2007, -0/+0 Read my lips: **Where's the beef?**
(Ok, I'm actually a vegetarian, but anyway.)
That article is absolutely devoid of useful/new/technical information.
Dugg down.
- colingrady, on 10/12/2007, -0/+0 I guess I should also mention that the inline IDP/IPS devices and network taps almost always allow for a fail-open scenario, where if the IDP/IPS or network tap fails, network traffic continues to get passed and there is no network outage associated with it.
- colingrady, on 10/12/2007, -0/+0 Except that a "small hub" is not required, and is rarely used in IDS implementations. I'm willing to bet the most common implementations of IDS utilize port mirroring (a SPAN, RSPAN, etc) on the switch instead. No need for additional hardware, as pretty much all enterprise switches support this configuration. An alternative is to install a network tap, which sits inline and essentially copies the network traffic to be passed to the IDS or sniffer. I've also never known a "high-end IDS system" to have a built-in hub -- though it's not uncommon for IDP/IPS systems to be placed inline, which I guess is kind of what you might mean.
- flake, on 10/12/2007, -7/+5 Thinly veiled sales pitch... Buried lame. Far better are IPS, Intrusion Prevention Systems. Much the same as IPS, but sits in line with your net connection, outside the firewall. Pretty much, it's an Application Layer packet filter. The only thing that gets around is SSL-encrypted streams. Tippingpoint is a good example.
- omghi2u2, on 10/12/2007, -4/+1 "A firewall has got holes..."
To read this article you first need to read 'Ebonics for Dummies'.
- diggsIt, on 10/12/2007, -7/+2 IDS isn't dead. The Bears will be dead after the Saints have their way with them today, though.
- ank0, on 10/12/2007, -7/+1 IDS is dead
- vash469, on 10/12/2007, -8/+1 Next time post a site that you don't have to sign up to read the articles. BURIED
- MikeTheC, on 10/12/2007, -12/+1 I'm glad I don't use the "mainstream" OS that most others use.
Nothing to see here. Move along.