Re: how to do intrusion detection right
Martin W Freiss (freiss.padsni.de)
Thu, 16 Apr 98 12:02:35 MDT
- Next message: Anonymous: "High ranking lusers"
- Previous message: Ke Huang: "SunScreen EFS"
- Next in thread: George J. Dolicker: "Re: how to do intrusion detection right"
- Reply: George J. Dolicker: "Re: how to do intrusion detection right"
> In other words, the administrator will apply site policy to the IDS
> by building a filtering layer on top of its alert mechanism. That will
> be based on the administrator's knowledge of site policy and local
> risk/threat posture.
>
> We're 100% agreed. But what I am saying is that the IDS should
> be able to permit that tuning directly, by getting that information
> from the administrator so the IDS can tailor its behavior to what
> it has been told is acceptable/unacceptable/interesting about the
> network it's watching.
Maybe more of a philosophical point, but I miss something in this
whole discussion. We are all agreed (I think) that an IDS should issue
a warning when something "interesting" happens or the firewall has been
broached - but I do get the feeling that we do not really know what
"interesting" means.
When the administrator can tailor the IDS to unacceptable/interesting
stuff on the net, what he does is transfer his own mindset about security
to the IDS. I then have a machine that "thinks" like me, which thus alerts
me about facts that I am already aware of - a useful thing that may save
some work, but will not help me notice next week's bug being exploited.
I may be stupid, but what is "interesting" is something I do not know
before an intrusion attempt.
Tomorrow's attack may use some technique that is "obviously" safe today,
thus bypassing my (human or computer) filtering layer. If a sufficiently
"new" technique is used, my firewall will probably not notice that it has been
broached. What _can_ help me is having a complete log of everything that
has been going through the network, which I can then analyze to understand
what has happened. An intrusion analysis system, if you will - which
so far includes a large human component.
-Martin
--
Martin Freiss, MF194 | freiss.padsni.de | http://www.rmi.de/~marvin
Siemens Nixdorf, CC IT Networks, Solution Team Internet/Intranet
Half male, half e-mail.
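The distinction Martin draws, between an IDS that only alerts on what the administrator already knows and a retained full log that can be re-analyzed once next week's technique is understood, can be shown with a small script. This is an added example, not code from the original post or from any product discussed in the thread; the log format, the addresses, the "inbound telnet" site rule and the "DNS burst followed by a large reply" indicator are all constructed for illustration.

```python
"""Added example (not part of the original mailing-list post).

A toy IDS whose alert layer is tuned to today's site policy is run over a
retained connection log. The same log is then replayed against an indicator
written after the fact, for a technique nobody had a rule for when the
traffic happened. Every log line and rule below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Constructed log, one flow per line: "timestamp src dst dport bytes".
RETAINED_LOG = """\
1998-04-16T10:00:01 10.1.1.5 192.0.2.10 80 512
1998-04-16T10:00:03 203.0.113.7 10.1.1.20 23 140
1998-04-16T10:00:09 10.1.1.5 192.0.2.10 80 488
1998-04-16T10:01:12 203.0.113.7 10.1.1.20 23 96
1998-04-16T10:02:40 198.51.100.4 10.1.1.20 53 1450
1998-04-16T10:02:41 198.51.100.4 10.1.1.20 53 1450
1998-04-16T10:02:42 198.51.100.4 10.1.1.20 53 1450
1998-04-16T10:03:15 10.1.1.20 198.51.100.4 1025 2100
"""

INTERNAL_PREFIX = "10."  # assumed internal address range for this example


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the retained log into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return events


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


# Today's site policy, as the administrator would tune it into the IDS:
# inbound telnet from outside is unacceptable; everything else passes.
def inbound_telnet(e: Event) -> bool:
    return e.dport == 23 and is_internal(e.dst) and not is_internal(e.src)


Rule = Callable[[Event], bool]
TODAYS_RULES: dict[str, Rule] = {"inbound-telnet": inbound_telnet}


def run_ids(events: list[Event], rules: dict[str, Rule]) -> list[tuple[str, Event]]:
    """The alert mechanism with the administrator's policy layered on top."""
    return [(name, e) for e in events for name, rule in rules.items() if rule(e)]


def find_dns_burst_then_large_reply(events: list[Event], burst: int = 3,
                                    window: timedelta = timedelta(seconds=5),
                                    reply_min: int = 2000) -> list[tuple[str, str, datetime]]:
    """Indicator written 'next week': an external host sends `burst` equal-sized
    datagrams to an internal port 53 within `window`, and the server then sends
    that host a reply of at least `reply_min` bytes. Returns (src, victim, first_ts)."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.dport == 53 and is_internal(e.dst) and not is_internal(e.src):
            by_src[e.src].append(e)
    hits = []
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f.ts)
        for i in range(len(flows) - burst + 1):
            chunk = flows[i:i + burst]
            same_size = len({f.nbytes for f in chunk}) == 1
            in_window = chunk[-1].ts - chunk[0].ts <= window
            if not (same_size and in_window):
                continue
            victim = chunk[0].dst
            replied = any(e.src == victim and e.dst == src and e.ts > chunk[-1].ts
                          and e.nbytes >= reply_min for e in events)
            if replied:
                hits.append((src, victim, chunk[0].ts))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(RETAINED_LOG)
    for name, e in run_ids(evs, TODAYS_RULES):
        print(f"IDS alert [{name}] {e.ts} {e.src} -> {e.dst}:{e.dport}")
    for src, victim, ts in find_dns_burst_then_large_reply(evs):
        print(f"retrospective hit: {src} against {victim} starting {ts}")
```

The tuned rule set fires only on the two telnet flows and says nothing about 198.51.100.4; only because every flow was retained can the indicator written later be replayed over the same data and locate the earlier compromise. The replay is deliberately a separate function from `run_ids`, since the point is that it is written with knowledge the IDS did not have at the time.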
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT