Security: beware of BlackIce Defender

Discussion in 'Trading Software' started by harrytrader, Jan 3, 2003.

  1. igsi

    The issue was using IDS on the desktop. You seem to want to talk about something different.

    OK, your point is "I am too busy to stay on top of the patches." If you were "homeadmin", how many systems would you be responsible for? See the difference? That's not it. I am not done with you as sysadmin yet.

    The timing may vary but I hope you do realize that in an automated environment the time frames we are looking at are hours, not weeks. This includes, BTW, both desktops and servers.

    You confuse hardening security with hardening system and IDS is part of neither of those.

    Here is an excerpt from the article you're referring to which lists what hardening involves:

    1. Configuring necessary software for better security
    2. Deactivating unnecessary software
    3. Configuring the base operating system for increased security

    Did it ever occur to you that Beale nowhere mentioned IDSs in the very article you were referring to?

    Yes, there is a risk for servers. And the servers should be hardened because of this. However, this is not applicable to desktops because, as a rule, you don't run remotely exploitable software on the desktop, with the exception of Internet software such as email clients and browsers. That kind of software must be patched immediately. And, BTW, IDS is not an appropriate technology to keep your browser and email client safe anyway.

    That's what Beale says. And below is how you continued:

    Oh boy, you are a confused one. Beale is talking about how not to get hacked and you are talking about how to find out that you are being or have already been hacked. Let me just say that network based IDSs have nothing to do with hardening the OS. It's not that the other types of IDSs do, but mentioning Cisco in this context is just hilarious.

    Correct.

    First, we were talking about desktops, not networks full of servers. Second, dottom was not talking about hardening, which, I confirm again, is very important, but about IDS. You think that IDS is part of hardening and that's where you're dead wrong. Hardening has nothing to do with IDSs.

    Neither you nor dottom could present an argument for what to use IDS for, whether on the desktop, on the server, or on the network. Not because there is no use for it but because you do not understand what it's for and misuse it.

    Besides providing some peace of mind, especially to the paranoid one, IDSs can be used as tools for collecting forensic evidence and catching insiders in the act (see http://www.sans.org/resources/idfaq/ipe.php for the reference). I want to point out once again that none of these has any practical application for home systems.
     
    #41     Jan 7, 2003
  2. SWJ12

    Harry, please indicate in which paragraph in the URL you gave that GRC even mentions BlackIce with regards to that DoS attack on grc.com? I can't find any reference to BlackIce in that URL.

    Also, there is no client solution to defend against a DoS attack. There are also very few network solutions to defend against a massive DoS attack. Remember the ones that brought down Yahoo, Hotmail, Microsoft, etc.? A DoS attack is just a pure bandwidth burning process and has nothing to do with IDS. In that URL you posted, Gibson even says that client-profile machines, like that of the typical end user, can not be protected. So it doesn't matter what firewall or IDS or anything else you run on your client machine.

    Harry, judging from your initial post I think you are quite new to the whole Gibson vs. BlackIce debate. Maybe you should catch up and read the years of archives first? I think the first discussions began in 1999!

    Gibson has purposefully left outdated information on grc.com regarding BlackIce. It has been documented that Gibson improperly used BlackIce during his first tests (when he was recommending it!). Yes, Gibson is a frequent poster on the security forums; I think dottom mentioned them a couple of times. They are well known forums among security professionals.

    Just to save you some searching, I will give you a brief summary of Gibson and BlackIce. Go back to 1999... Gibson was publishing that BlackIce was a firewall, when at the time it was not. It was only an IDS. In fact, Gibson was recommending BlackIce! People on comp.security.firewalls were trying to explain to Gibson (yes, he was an active poster) that BID was not a firewall. The NetworkIce product pages specifically distinguished between the need for an IDS in addition to a firewall and never advertised their product as a firewall. Yes, our security expert Gibson believed BlackIce in early 1999 was a firewall. None of this is opinion; these are facts you can verify on the Google archives yourself.

    Now, about mid-1999, Gibson suddenly 'discovered' that BlackIce was not a firewall at all! This despite the numerous posts by others telling him of this very fact. Gibson had made a dumb mistake, but instead of admitting his error or quietly dropping BlackIce for another firewall, Gibson jumped on the warwagon and slammed BlackIce on his website and in all his mailings. He reversed all his recommendations on using BlackIce. All this because he made a very simple mistake and thought BlackIce was a firewall in 1999 when at the time it was only an IDS. Steve couldn't have made a mistake, no way! It must've been NetworkIce that misled him. (Hello, Steve, did you read any of those posts on that forum you were so fond of posting on to bash BlackIce?) Since that time, Gibson has continually made bad reviews of BlackIce by subjecting it to firewall tests. Finally, when BlackIce came out with a firewall in addition to its core IDS, Gibson stopped updating his website! Except for a few blurbs on LeakTest, which has long been dismissed by the security industry as a flawed test.

    Steve Gibson is a good source for many new internet users. But if you have been following him at all you will know that he will never admit when he is wrong and will leave outdated and sometimes plainly wrong information on his website for years. It is for this very reason that many security professionals do not take his website and information seriously. He's very good at waving the red flag, but he will never admit when he was wrong. That is very bad for a security educator.

    If you have been following Gibson, you perhaps will remember his red flag waving when he was warning every IT professional in the world via his website that Windows XP raw sockets would bring the entire internet down to its knees? I am not adding hyperbole here. Gibson was very serious about this. Well, guess what? Raw sockets and Windows XP are still here and the internet is just fine.

    Remember what Gibson said about UPNP?

    Harry, since you are interested in concrete data and not abstraction, as you are a scientist, don't just take it from me, do the research for yourself! Go to groups.google.com and search on "+comp.security.firewalls +gibson +grc". There are over 1000 posts, actually more if you remove "grc" or "gibson", but you also get more unrelated posts. That should be a good start. Better yet, get an NNTP reader and start posting your own questions directly to that group. I'm sure there are a lot more network security buffs there than here!
     
    #42     Jan 7, 2003
  3. igsi

    Nobody brings a gun to the bank. Understand? There may be something dangerous inside the bank (exploitable software) which should be kept in the box (hardened OS) so that nobody could do damage using it. With a gun, you can damage something otherwise healthy. Hacking is attacking unhealthy systems. It's more like a strawberry for the allergic person than a gun, if you like analogies that much. If I am not allergic, I do not care if someone is throwing strawberries around me. And I do not need IDS unless I want to submit that person to the authorities.

    A guard dog is fine. It points out that there is no necessity to have one if you live in an apartment. It is fine as long as you enjoy playing with it, but hardly a security must-have.
     
    #43     Jan 7, 2003
  4. SWJ12

    igsi,

    Your big mistake here, and I know you mention "IT" as your occupation in your profile, is that the vast majority of home desktop users use Windows, which is not a hardened OS by any means. There are many Windows vulnerabilities not yet discovered.

    The use of an IDS helps. It has been proven many times that with an IDS you can discover attacks and disable all access from that IP in real time before any damage is done, not the reactive response you are referring to. The same is true with Cisco IDS, which you can go ahead and read the whitepaper on. It echoes all incoming network traffic to a protocol analyzer device which then automatically updates the PIX firewall rules to block malicious network traffic. I use that as an example that the best defense is multiple layers, network and system. You can 'harden' your environment such that you can exist with vulnerable systems (although obviously it's non-ideal to have vulnerable systems, relying on immediate patching is not reasonable).

    You mentioned automated patching. You obviously have never worked in a production environment then. The risk of installing a service or library or whatever the fix is, is too great to have it automated. That is why you always have a QA/stage/production environment. You obviously glossed over that part. You can't just deploy any patch immediately at any time.

    Your continued attempt to put others down, because you are such a big IT professional it seems, does not help prove your point.

    I hate the bitterness of these boards...
     
    #44     Jan 7, 2003
  5. igsi

    Of course it does. If one shits himself, then spending the rest of his life in diapers would work for him too. However, it would be more beneficial to get cured instead.

    Which, most importantly, would prove that your operations are flawed if you have to rely on that. I already said that in my previous post, this is a misuse of IDSs. So, if you do not agree with me you can go and argue with SANS that you know better what IDS is for.

    Relying on IDSs hoping not to get hacked is a reactive approach. Patching and hardening systems is a preventive approach.

    That's a very fine point. Multi-layer defense using Cisco IDS. Where is that home desktop we are protecting in that picture? :eek:

    If that's your idea of hardening, I feel sorry for you.

    I already explained about "Day Zero" and "immediate" patching in my previous posts.

    You are making very interesting conclusions. :D

    You see, automated does not mean "automatically applied right after downloading". OK?

    Not immediately and not at any time, but automated patch distribution is just an unavoidable reality. How many servers have you got? 20? Ever thought how you would deal with it if you had 200? 2000? Anyway, back to our desktop. Why is it again that I "can't just deploy any patch immediately at any time" to my home desktop?

    You are making this up. I never used my occupation or experience in an argument as proof of my point. While you did, BTW. And if I did not prove my point to you, I could not care less. I know that I did prove my point and that's enough for me.

    You don't have to be here, you know?
     
    #45     Jan 7, 2003