Sunday, August 8, 2004

Using Session Data to Scope Events Without Signatures

Ever notice that the same people who are detractors of IDS systems also
actively support "deep packet inspection" over "application proxies"?
What's the trade-off? A slight speed increase and the use of a "cool" new
technology vs. a slight loss of control and security (in the form of
record keeping). I'd like to see proof of that speed increase
sometime. Yes, layer 4 (OSI model) filtering is faster than layer 7
proxying, but once you start tacking layer 7 inspection onto a layer
4 packet filter, do the extra processing requirements even the
equation?

In any case, TaoSecurity states the IDS issue very nicely and describes a tool that covers one of the blind spots in IDS technologies: session data.