NFR Wizards Archive: Re: Important Comments re: INtrusion Detection

Re: Important Comments re: INtrusion Detection


Aleph One (aleph1@dfw.dfw.net)
Mon, 16 Feb 1998 22:03:10 -0600 (CST)


On Mon, 16 Feb 1998, Paul M. Cardon wrote:

> At first glance I like the idea. On practical matters I can quickly think
> of the following issues to be addressed:
>
> * Performance impact (even with distributed coordination). Switches tend to
> be lean and mean to achieve performance goals. How much useful ID
> functionality could be built into the switch itself without turning it into a
> dog? Hanging the IDS off a promiscuous port on the switch still has most of
> the same problems as a passive IDS on a broadcast network.

[ Same issues brought up by Darren's message. I'll reply to both here. ]

I will point to Moore's Law and to the "If you build it, they will come"
philosophy. It may be true that such a system may overload much of today's
hardware, but this will probably not be the case two, three or five years
into the future. By the time you do all your research and development and
are ready to start rolling out a product you will probably have the
hardware required. The other argument is that there is hardware right now
that can handle the load; it just happens to be very expensive. No one
said this would be a cheap product. It may be that only organizations with
a need for the highest security will be able to afford such a device.

> * Coordination algorithms, especially for a large number of devices. This
> would be a clear place to look for implementation flaws that could be
> exploited. My favorite would be to find a way to convince all of the devices
> in the path that somebody else was doing the work. Just like all the
> solutions being discussed here this would be a complex system with lots of
> potential for bugs.

The problem is no more difficult than designing a routing protocol.
Obviously any complex system will have a higher risk of introducing
vulnerabilities. This is true of everything, be it today's firewalls
or tomorrow's IDS's.

> * Yet another point of incompatibility between network vendors' products ;)

IETF.

> If we keep throwing out ideas like these maybe Marcus will finally find one
> he can get rich on. :*0

Only if he sends me those stickers that he promised. ;)

> ---
> Paul M. Cardon
> First Chicago NBD Corporation

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
