levinson_k
Tue Jul 11 10:09:02 CDT 2006
"Ricardo Batista" wrote:
> I think that the answer is "availability" because if we implant an intrusion
> detection system and if an authorized user is mistaken as an intruder a QoS is
> affected….
Is this an exam question?
That could be a concern if you're using intrusion prevention, or if you're
using IDS with "active response." For that reason, most experts are against
using active response with IDS, because an attacker can use it against you,
and malfunctions can occur.
With intrusion prevention / IPS, most IPS vendors are very aware of this
concern, so they generally only enable blocking by default on a few
signatures that are very certain not to experience false alarms. If you
start enabling blocking on additional signatures, you need to know what
you're doing.
Some application proxying firewalls [like Symantec Raptor and Checkpoint]
and other devices can experience reliability and performance problems with
certain features that do proxying of, for example, TCP SYN handshakes. For
example, if someone does a fast scan through such a firewall, the firewall
can be overwhelmed. TCP SYN proxying is a feature that is usually intended
to prevent denials of service, but it can sometimes increase your chances of
having a denial of service. Similar issues can happen if you have your
firewall doing antivirus scanning with a third party add-on server, for
example. Many security features incur a potential loss of performance or
functionality. More security isn't always better security.
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info