Because firewalls and other defensive security measures are not failsafe, you need additional tools to detect and respond to security breaches as they occur. A network analyser can detect known (and even some unknown) virus attacks and make the cleanup process much more efficient.
Using a Network Analyser as a Security Tool
Submitted by DTY 2005-05-27 Privacy, Security 3 Comments
This is a poorly written article on very good ideas. The terminology is wrong and the methods he discusses have already been addressed in the security world. If this was meant to be informative, this would do more harm than good by confusing terminology. IDS (Intrusion Detection Systems) do not prevent anything. I think he meant IPS (Intrusion Prevention System). And I won't comment on that, since the IDS vs IPS and prevention eventually failing topic has been a long and drawn out argument already in the security community. From what he's talking about, a “network analyser” is, in fact, an IDS engine (see SNORT). And the author doesn't even mention the cons of “network analysers”, false positives, requiring that an IDS be able to do full session captures, or at least packet headers, to assist in investigating. I recommend reading “The Tao of Network Security”. It goes into much better detail about NSM, a security practice of using alert data, full transcript data, session data, and statistical data to aid analysts in detecting intrusions and policy violations. In the meantime, someone should tell the author to not paste buzz-words in an article to pretend to know what they are talking about.
Of course, this assumes that the virus and its signature have been seen before and incorporated into the analyser’s list of packet filters.
This would have made his article considerably shorter. This is also true for anti-virus and spyware tools. Most users are first bait and victim before the patterns can be updated. All running behind the facts. How many are unknown?
A skilled cracker most likely disguises his traffic as being legitimate, http, dns, etc-traffic. How will you catch that at peak hour amongst all other legitimate traffic?
“A skilled cracker most likely disguises his traffic as being legitimate, http, dns, etc-traffic. How will you catch that at peak hour amongst all other legitimate traffic?”
That's the rub right there. That's where he stops short of giving a reason for full session captures for further investigation. The problem with IDS systems in general is false positives. If a signature based system kicks off alerts, that doesn't mean it is an intrusion, only that it warrants further investigation. This guy's article is about 10 years too late.