[Snort-users] re: 1. Network World IDS report (Jason Haar)

Detmar Liesen counter.spy at ...348...
Thu Jun 27 13:05:04 EDT 2002


Some days ago I told people who wanted to do benchmarks with IDS to leave
such testing to the "hard-core" people of NSS and Network World (RealWorld Labs),
because those people have the time, skills and experience to do so properly
(I thought).

Well, now I think I have to change my opinion about the Network World folks
a little bit.
Setting up vanilla systems in a live environment really is a joke.

If I did something like that, I think I'd get clobbered by a good few persons
and lose my job (well, I have to look for my first real IDS job now anyway, but I
think it would be no good reference for an application ;)).

You cannot do something like this - it's too dangerous - for other sites.
As far as I know you are responsible for securing your systems from being
misused as a launch pad for attacks *by law*.

But I also have to admit that the report has some important messages in it:
- IDS systems have to be (and can only be) set up and tuned by skilled people,
  and it takes time to do so.
- IDS deployments need constant learning.
- Also, the alerts have to be analyzed by skilled and trained people.
- IDS administration and monitoring is a full-time job, if you want to do it
  properly.


This leads me to the question:
What did the Network World tests actually attempt to achieve?

I just guess that they wanted to tell non-IDS people (e.g. IT executives)
that you cannot just set up an IDS and think you're secure now.

You need trained personnel that has the time and skills to tune the
system and analyze events constantly. You also have to know your network really well.
(As a matter of fact, I learned the topology of our perimeter network mainly
by analyzing events from Snort/ACID.)

They are also right that there are still many improvements necessary in
IDSs.

But all this isn't really new to anyone on this list, I think.

Beginning next week I will publish my IDS criteria catalog (I didn't manage to
finish it this week, sorry).
This should help people find out what features and criteria are important for
enterprise-wide or network-wide IDS deployment.

Just my 2 cents.

Cheers,
Detmar
