The Problem:
Current IDS implementations lack one critical ability: the ability to react
intelligently. They are very happy to warble, chirp and scream that there has
been an intruder, but they don't DO anything, other than just annoy the Jailer, er,
security person. Worse than this, with signature-based IDS there are many false
alarms; error rates of up to 60% have been seen by this analyst. Current "active"
methods of altering firewall rulesets, session sniping and the like are just too
primitive to be trusted. All an intruder has to do is send a barrage that looks like
it came from your DNS server, and the automated response blocks your own DNS,
leaving you in a far worse situation than if you were just "watching." In addition to
this, session sniping doesn't work very well with pesky ICMP, IGMP and UDP.
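The self-inflicted outage described above (an attacker spoofing alerts that appear to come from your own DNS server so that the IDS firewalls it off) is a policy failure in the response engine, not in the sensor. The following is an added example, not code from this paper or from any IDS product, of the minimum guard an automated response should carry: a list of protected infrastructure that is never auto-blocked regardless of alert volume, and a burst threshold before any block is issued. The addresses are RFC 5737 documentation ranges and the threshold is an assumed value chosen for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example: an auto-response policy that refuses to act on alerts
# whose apparent source is critical infrastructure, and requires a burst of
# alerts before any automated block. Hypothetical values throughout.
PROTECTED_NETS = [
    ip_network("192.0.2.53/32"),  # hypothetical primary DNS server
    ip_network("192.0.2.54/32"),  # hypothetical secondary DNS server
    ip_network("10.0.0.0/8"),     # hypothetical internal address space
]
BLOCK_THRESHOLD = 10  # alerts from one source before an automated block is considered


def is_protected(ip, protected=PROTECTED_NETS):
    """True if the address belongs to infrastructure that must never be auto-blocked."""
    addr = ip_address(ip)
    return any(addr in net for net in protected)


def decide_blocks(alerts, protected=PROTECTED_NETS, threshold=BLOCK_THRESHOLD):
    """Decide which alert sources may be blocked automatically.

    alerts: iterable of (source_ip, signature_name) tuples as emitted by the IDS.
    Returns (blocked, refused, below_threshold): three sorted lists of source IPs.
    'refused' sources matched the protected list and are handed to a human instead.
    """
    counts = Counter(src for src, _sig in alerts)
    blocked, refused, below = [], [], []
    for src, n in counts.items():
        if is_protected(src, protected):
            # A spoofed barrage "from" the DNS server lands here: no rule is pushed.
            refused.append(src)
        elif n >= threshold:
            blocked.append(src)
        else:
            below.append(src)
    return sorted(blocked), sorted(refused), sorted(below)


# Constructed alert stream: a spoofed barrage that appears to come from the
# DNS server, a genuinely noisy external source, and one low-volume source.
SAMPLE_ALERTS = (
    [("192.0.2.53", "PORTSCAN")] * 50
    + [("198.51.100.7", "SSH brute force")] * 12
    + [("203.0.113.9", "WEB-MISC")] * 3
)

if __name__ == "__main__":
    blocked, refused, below = decide_blocks(SAMPLE_ALERTS)
    print("auto-blocked:", blocked)
    print("refused (protected infrastructure, escalate to analyst):", refused)
    print("below threshold, no action:", below)
```

The protected list is the piece most deployments forget: without it, the volume of a spoofed burst works against you, since the more alerts the forged source generates, the more certain the engine becomes that it should block it. Refused sources still deserve a high-priority ticket, because a burst of alerts bearing a protected address is itself a strong indication of spoofing.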
Network-based IDS (NIDS) are the second problem: alone they cannot see what is
going on inside an encrypted tunnel. They are subject to dropping packets on
high-speed links. They are subject to being "blinded", faked out, and are just
annoying enough that they become ignored. Signature maintenance is a nightmare in
that "tuning" the IDS requires countless hours of finding out which signatures are
"stupid" and need to be terminated, and which ones are "good" and need to be
kept.