Linux Position at my company
William Park
opengeometry-FFYn/CNdgSA at public.gmane.org
Wed May 25 15:39:23 UTC 2011
>________________________________
>From: Mike Kallies <mike.kallies at gmail.com>
>To: tlug-lxSQFCZeNF4 at public.gmane.org
>Sent: Wednesday, May 25, 2011 11:03:59 AM
>Subject: Re: [TLUG]: Linux Position at my company
>
>On 5/25/2011 10:33 AM, Lennart Sorensen wrote:
>> I keep wondering if I am the only person that doesn't believe in IDS as
>> a useful concept. :)
>>
>> As far as I see it, if you can detect something is bad, then you could
>> have blocked it from ever being allowed in by the firewall in the
>> first place.
>>
>
>I half-agree. IDSes should be deployed inside the perimeter, let the
>firewall lop off the noise from the Internet... but IDSes are essential
>for large networks. When you're inside the perimeter, you don't detect
>that something is bad. You detect that something requires further
>investigation.
>
>Other advantages:
>- Through portspans and taps, you're able to inspect what's going on
>inside the network and not just the perimeter.
>- You can see signature based information rather than inferring content
>based on port/protocol
>- Pumping the output into an event correlation engine can help raise
>priority on things like "if some guy was just portscanning the subnet,
>raise the severity of subsequent brute-force attempts"
Can you expand on "event correlation engine"? Any examples?
>
>Very little traffic is black and white these days.
>
>Note too that IDS doesn't make a lot of sense in-house because the size
>of the team to monitor the correlation engine 24x7x365 is very
>expensive. So industry standard practice is to deploy the IDSes/IPSes
>at the customer premises, and have a third party monitor the feeds.
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
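One small illustration of the correlation rule Mike describes in the quoted message (a portscan from a host raises the severity of that host's later brute-force attempts), added here as a worked example rather than code from anyone on the thread. The JSON-lines alert format, the 30-minute window and the severity bump are assumptions; the alerts are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample IDS alerts in a simple JSON-lines format (an assumption,
# not any particular IDS's output). 'ts' is an ISO-8601 timestamp.
SAMPLE_ALERTS = """\
{"ts": "2011-05-25T15:00:00", "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "PORTSCAN", "severity": 2}
{"ts": "2011-05-25T15:00:04", "src": "10.0.0.5", "dst": "10.0.1.21", "sig": "PORTSCAN", "severity": 2}
{"ts": "2011-05-25T15:02:30", "src": "10.0.0.5", "dst": "10.0.1.21", "sig": "SSH_BRUTE_FORCE", "severity": 3}
{"ts": "2011-05-25T15:03:00", "src": "10.0.0.9", "dst": "10.0.1.22", "sig": "SSH_BRUTE_FORCE", "severity": 3}
{"ts": "2011-05-25T16:30:00", "src": "10.0.0.5", "dst": "10.0.1.23", "sig": "SSH_BRUTE_FORCE", "severity": 3}
"""

WINDOW = timedelta(minutes=30)   # how long a portscan "taints" a source (assumption)
ESCALATE_BY = 2                  # severity bump for correlated follow-up alerts
MAX_SEVERITY = 5

def correlate(alert_lines, window=WINDOW):
    """Replay alerts in order; raise the severity of a brute-force alert when
    the same source address produced a portscan within `window` before it.
    Returns the alerts (escalated where the rule fired) with a 'reason' field."""
    last_scan = {}          # src -> timestamp of its most recent portscan
    out = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        a = json.loads(line)
        ts = datetime.fromisoformat(a["ts"])
        a["reason"] = None
        if a["sig"] == "PORTSCAN":
            last_scan[a["src"]] = ts
        elif a["sig"].endswith("BRUTE_FORCE"):
            scan_ts = last_scan.get(a["src"])
            if scan_ts is not None and ts - scan_ts <= window:
                a["severity"] = min(MAX_SEVERITY, a["severity"] + ESCALATE_BY)
                a["reason"] = "portscan from %s at %s" % (a["src"], scan_ts.isoformat())
        out.append(a)
    return out

def escalated(alerts):
    """Only the alerts the correlation rule touched, i.e. the analyst queue."""
    return [a for a in alerts if a["reason"]]

if __name__ == "__main__":
    for a in escalated(correlate(SAMPLE_ALERTS)):
        print(a["ts"], a["src"], a["sig"], "severity", a["severity"], "<-", a["reason"])
```

With the sample data only the 15:02:30 brute-force from 10.0.0.5 is escalated; the one from 10.0.0.9 had no preceding scan, and the 16:30 one falls outside the window.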