[Gllug] compromised?

Tethys tet at accucard.com
Tue Feb 25 09:19:21 UTC 2003


James de Lurker writes:

>That increases by a big factor the window of opportunity for an IDS,
>or the application itself, to take appropriate action to curb the assault,
>or alert a human defender. It's just raising the bar.

Yes, so long as you're aware that it's not buying you any extra security,
just buying you a bit more time, then it's fine. BTW, be very wary about
allowing your IDS to take preventative action. By doing so, you're giving
crackers control over your firewall rules. Sure, it's limited access, but
it's usually still enough. If they run an attack with a spoofed source IP
of your upstream provider, you're in a whole world of hurt if your IDS has
decided to block that IP for you...

IMHO, NIDS have very little use. The only value they can really add is
if you discover you have a vulnerability, they can potentially tell you
if it was exploited before you fixed it.

Tet

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
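
Added example (not part of the original post): a minimal sketch of guarding IDS active response against the spoofed-source problem described above. The class name, the address ranges, and the rule that only a source seen completing a TCP handshake may be blocked are assumptions for illustration.

```python
import ipaddress
import time

# Constructed values: RFC 5737 documentation ranges stand in for real hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/28",      # hypothetical upstream provider routers / DNS
    "198.51.100.10/32",  # hypothetical management host
)]
BLOCK_TTL = 600  # seconds; blocks expire so a forged trigger cannot persist


class ActiveResponse:
    """Decides whether an IDS alert may become a firewall block."""

    def __init__(self, never_block=NEVER_BLOCK, ttl=BLOCK_TTL):
        self.never_block = never_block
        self.ttl = ttl
        self.blocks = {}  # source IP (str) -> expiry timestamp

    def handle_alert(self, src, handshake_completed, now=None):
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(src)
        # Addresses the site depends on are never blocked automatically.
        if any(ip in net for net in self.never_block):
            return "alert-only: protected address"
        # Assumption: without a completed TCP handshake the source address
        # is unverified and may be forged, so a human decides instead.
        if not handshake_completed:
            return "alert-only: unverified source"
        self.blocks[str(ip)] = now + self.ttl
        return "block"

    def is_blocked(self, src, now=None):
        now = time.time() if now is None else now
        key = str(ipaddress.ip_address(src))
        expiry = self.blocks.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del self.blocks[key]  # expired block is removed
            return False
        return True
```
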



