Security Portal: Some thoughts on (network) intrusion detection systems | Linux Today

Written By Web Webster
Jan 16, 2000

“Last week I did a general overview of IDS systems and
anti-virus software, and why they may not be the answer. Well in
some respects they aren’t and in some they are. But I think the
main issue is the current model of intrusion detection (be it host
or network based, looking for bad packets or data in the case of
anti-virus software) is flawed (and the alternatives have a ways to
go).
Now to back up that statement so I don’t get flame
roasted.”

“Let’s take a system like Network Flight Recorder for example
(and don’t get me wrong, as current NIDS systems go, NFR is one of
the best on the market), NFR hoovers up all the traffic and can log
it and compare it against a set of rules (modules actually) to see
if any matches known attacks. NFR can also have multiple detection
units that report to a central authority, so you can detect scans
more reliably. So like most people you have a pretty diverse
network, some Solaris, some Cisco, some NT, and so on and so forth.
If you want to detect as many attacks as possible, you need to load
all the modules available, resulting in slower performance, because
NFR is literally doing more stuff. This will also result in the
highest number of false positives, which will require you to spend
a lot of time “filtering” manually….”

Complete Story
