Security Portal: Some thoughts on (network) intrusion detection systems
Jan 16, 2000, 16:24 UTC (Other stories by Kurt Seifried)
"Last week I did a general overview of IDS systems and anti-virus software, and why they may not be the answer. Well, in some respects they aren't, and in some they are. But I think the main issue is that the current model of intrusion detection (be it host- or network-based, looking for bad packets, or data in the case of anti-virus software) is flawed (and the alternatives have a ways to go). Now to back up that statement so I don't get flame-roasted."
"Let's take a system like Network Flight Recorder, for example (and don't get me wrong: as current NIDS systems go, NFR is one of the best on the market). NFR hoovers up all the traffic and can log it and compare it against a set of rules (modules, actually) to see if any match known attacks. NFR can also have multiple detection units that report to a central authority, so you can detect scans more reliably. So, like most people, you have a pretty diverse network: some Solaris, some Cisco, some NT, and so on and so forth. If you want to detect as many attacks as possible, you need to load all the modules available, resulting in slower performance, because NFR is literally doing more stuff. This will also result in the highest number of false positives, which will require you to spend a lot of time "filtering" manually..."
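The model the excerpt describes, as an added simulation that is not NFR's code or the author's: per-sensor rule "modules" matched against traffic, a central authority correlating alerts from several sensors to spot a scan no single sensor would see, and the extra false positives that come from loading platform-specific modules against hosts of a different platform. The sensor names, hosts, modules and packets are all constructed.

```python
# Constructed illustration of the signature-NIDS model: sensors run rule
# modules over traffic, a central collector correlates their alerts, and
# loading modules that do not fit the hosts behind a sensor raises the
# false-positive count. All names, hosts and packets are made up.
from collections import defaultdict

# Constructed packets: (sensor, src, dst, dst_port, dst_os, payload)
PACKETS = [
    ("sensor-A", "10.9.9.9", "10.0.0.5", 80, "Solaris", "GET /scripts/..%c0%af../winnt/ HTTP/1.0"),
    ("sensor-A", "10.9.9.9", "10.0.0.5", 22, "Solaris", ""),
    ("sensor-B", "10.9.9.9", "10.0.1.7", 23, "Cisco", ""),
    ("sensor-B", "10.9.9.9", "10.0.1.8", 139, "NT", "SMB session setup"),
    ("sensor-B", "10.1.1.1", "10.0.1.8", 80, "NT", "GET /scripts/..%c0%af../winnt/ HTTP/1.0"),
]

# Each hypothetical module: the platforms it is meaningful for, plus a matcher.
MODULES = {
    "iis-unicode-traversal": ({"NT"}, lambda p: "%c0%af" in p[5]),
    "smb-session": ({"NT"}, lambda p: p[3] == 139),
    "telnet-to-cisco": ({"Cisco"}, lambda p: p[3] == 23),
}

def sensor_alerts(packets, modules, fit_to_host=False):
    """Run the loaded modules over sensor traffic. With fit_to_host=True, a
    module is skipped when the destination host does not run its platform
    (the manual 'filtering' the excerpt mentions, done up front)."""
    alerts = []
    for p in packets:
        for name, (platforms, match) in modules.items():
            if fit_to_host and p[4] not in platforms:
                continue
            if match(p):
                alerts.append((p[0], name, p[1], p[2]))
    return alerts

def false_positives(alerts, packets):
    """Alerts whose module cannot apply to the destination's platform."""
    os_of = {p[2]: p[4] for p in packets}
    return [a for a in alerts if os_of[a[3]] not in MODULES[a[1]][0]]

def central_scan_detect(packets, min_ports=3):
    """Central authority view: a source touching >= min_ports distinct ports
    across ALL sensors is a scan, even if no single sensor saw enough."""
    ports = defaultdict(set)
    for p in packets:
        ports[p[1]].add(p[3])
    return sorted(src for src, ps in ports.items() if len(ps) >= min_ports)
```

With every module loaded, the IIS signature fires against the Solaris host (a false positive); fitting modules to hosts drops it, and only the central view sees that 10.9.9.9 touched four ports across two sensors that each saw only two.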