Linux Today: Linux News On Internet Time.

Security Portal: Some thoughts on (network) intrusion detection systems

Jan 16, 2000, 16:24 (0 Talkback[s])
(Other stories by Kurt Seifried)

"Last week I did a general overview of IDS systems and anti-virus software, and why they may not be the answer. Well, in some respects they aren't and in some they are. But I think the main issue is that the current model of intrusion detection (be it host or network based, looking for bad packets, or data in the case of anti-virus software) is flawed (and the alternatives have a ways to go). Now to back up that statement so I don't get flame roasted."

"Let's take a system like Network Flight Recorder, for example (and don't get me wrong, as current NIDS systems go, NFR is one of the best on the market). NFR hoovers up all the traffic and can log it and compare it against a set of rules (modules actually) to see if any match known attacks. NFR can also have multiple detection units that report to a central authority, so you can detect scans more reliably. So, like most people, you have a pretty diverse network: some Solaris, some Cisco, some NT, and so on and so forth. If you want to detect as many attacks as possible, you need to load all the modules available, resulting in slower performance, because NFR is literally doing more stuff. This will also result in the highest number of false positives, which will require you to spend a lot of time "filtering" manually...."
