focus-ids October 2008 archive
Main Archive Page > Month Archives  > focus-ids archives
focus-ids: RE: IDS vs Application Proxy Firewal

RE: IDS vs Application Proxy Firewal

From: Kamra, Ashish <akamra_at_nospam>
Date: Wed Oct 29 2008 - 16:54:53 GMT
To: "Stefano Zanero" <>

> Ashish Kamra wrote:
> > My two cents on this issue as a Phd student working on an AD system
> for
> > a DBMS (who just wants get his Phd at the moment and not get into a
> > debate :-)).
> If you want to get your PhD, then debating is quite important :D

Yes sir, I agree debating is important but again not debating this issue :-).

> > I was at the Recent Advances in Intrusion Detection Conference (RAID
> > 2008) recently where one of the topics for a panel discussion was
> "Life
> > after antivirus". The main take-away from the discussion was that
> even
> > top anti-virus companies are looking at whitelisting approaches to
> > augment the existing blacklists in order to win the battle against
> ever
> > increasing malware variants.
> Whitelisting is a good approach to execution authorization and for
> fighting malware, this is quite well recognized I'd say. Intrusion
> detection is a completely different beast though (and it seems quite
> peculiar that at RAID this wasn't noted).

At RAID, it was not discussed how the hybrid approach will be useful for intrusion detection. The proposed solution was mainly for tackling ever increasing malware variants. And the strange thing was that it was announced by one of the McAfee guys that technologies for whitelisting have been known to the anti-virus companies for over a decade now, but when asked for the specifics there were no answers as it was supposed to proprietary stuff. Do you have any idea on what he might have been talking about?


Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to to learn more.