Linux Position at my company

John Miles jmiles242-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu May 26 19:15:38 UTC 2011


Actually, monitoring who is 'knocking on your door' from the external world
is a very useful part of what we do too.

On Wed, May 25, 2011 at 11:03 AM, Mike Kallies <mike.kallies-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> On 5/25/2011 10:33 AM, Lennart Sorensen wrote:
> > I keep wondering if I am the only person that doesn't believe in IDS as
> > a useful concept. :)
> >
> > As far as I see it, if you can detect something is bad, then you could
> > have blocked it from ever being allowed in by the firewall in the
> > first place.
> >
>
> I half-agree.  IDSes should be deployed inside the perimeter, let the
> firewall lop off the noise from the Internet... but IDSes are essential
> for large networks.  When you're inside the perimeter, you don't detect
> that something is bad.  You detect that something requires further
> investigation.
>
> Other advantages:
> - Through portspans and taps, you're able to inspect what's going on
> inside the network and not just the perimeter.
> - You can see signature based information rather than inferring content
> based on port/protocol
> - Pumping the output into an event correlation engine can help raise
> priority on things like "if some guy was just portscanning the subnet,
> raise the severity of subsequent brute-force attempts"
>
> Very little traffic is black and white these days.
>
> Note too that IDS doesn't make a lot of sense in-house because the size
> of the team to monitor the correlation engine 24x7x365 is very
> expensive.  So industry standard practice is to deploy the IDSes/IPSes
> at the customer premises, and have a third party monitor the feeds.
>
>
> -Mike
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
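As an added illustration of the correlation rule Mike describes ("if some guy was just portscanning the subnet, raise the severity of subsequent brute-force attempts"), here is a small Python sketch that is not from the thread or from any particular IDS product: it walks a list of constructed alerts in time order and bumps the severity of a brute-force alert when the same source portscanned the monitored subnet within a preceding window. The alert fields, the subnet, the window and the severity scale are all assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    kind: str       # "portscan" or "bruteforce" in this toy model (assumed)
    severity: int   # 1 (low) .. 5 (critical), an assumed scale

def correlate(alerts, window=timedelta(minutes=10), subnet="10.0.0.0/24", bump=2):
    """Return alerts in time order, with severity raised for brute-force
    attempts that follow a portscan of `subnet` from the same source."""
    net = ip_network(subnet)
    recent_scans = {}           # src -> time of the last portscan into the subnet
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.kind == "portscan" and ip_address(a.dst) in net:
            recent_scans[a.src] = a.ts
            out.append(a)
            continue
        last = recent_scans.get(a.src)
        if a.kind == "bruteforce" and last is not None and a.ts - last <= window:
            # Same source scanned us recently: escalate, capped at the top of the scale.
            out.append(replace(a, severity=min(5, a.severity + bump)))
        else:
            out.append(a)
    return out

# Constructed sample alerts (documentation-range addresses, not real traffic).
T0 = datetime(2011, 5, 25, 10, 0, 0)
SAMPLE = [
    Alert(T0, "203.0.113.7", "10.0.0.12", "portscan", 2),
    Alert(T0 + timedelta(minutes=3), "203.0.113.7", "10.0.0.15", "bruteforce", 3),   # follows the scan
    Alert(T0 + timedelta(minutes=4), "198.51.100.9", "10.0.0.15", "bruteforce", 3),  # different source
    Alert(T0 + timedelta(minutes=30), "203.0.113.7", "10.0.0.20", "bruteforce", 3),  # outside the window
]

def severities(alerts=SAMPLE):
    """Adjusted severities in time order; handy for checking the rule."""
    return [a.severity for a in correlate(alerts)]

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a.ts.time(), a.src, "->", a.dst, a.kind, "severity", a.severity)
```

Only the brute-force attempt from the scanning source inside the window is escalated; the unrelated source and the late attempt keep their original severity.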