Intrusion Detection and Security Policy
Bill_Royds
pch.gc.ca
Thu, 16 Apr 1998 11:22:15 -0400
- Next message: Mike Nickle - Sun Professional Services Denver CO: "Re: SunScreen EFS"
- Previous message: Paul D. Robertson: "Re: High ranking lusers"
- Next in thread: Russ: "RE: Intrusion Detection and Secuirty Policy"
- Maybe reply: Russ: "RE: Intrusion Detection and Secuirty Policy"
- Reply: Damir Rajnovic: "Re: Intrusion Detection and Secuirty Policy"
- Maybe reply: David Collier-Brown: "Re: Intrusion Detection and Secuirty Policy"
Marcus J. Ranum wrote:
I built a lot of firewalls, and I've seen a lot of firewalls
installed every which way but backwards. The reason I am going out
on a limb here is to try to get folks to build the right things
into their IDS' early on! Before it's too late! If I could go back
in time, I'd'a built firewalls that had "policy writing wizards"
that you could walk through and which would not only configure
the firewall but give you a hardcopy risk assessment of the policy
you built. Templates, too. We need the same kind of stuff for IDS.
Or they will also be complicated, obscure products that get
installed and ignored and finally unplugged. I'd hope that the
fact that I am saying this in a public forum, effectively giving
advice to potential competitors, will serve as proof of my
earnest or foolishness or both.
One problem that needs to be addressed is a "Security Policy Language"
which would be a formal notation for writing security policies that would
be both explainable to managers and executives and verifiable in a formal sense.
There has been work done on this in programming language verification
(Euclid and stuff from the late 70's) but it ended up being too "mathematical"
for real world use. The tradeoff between ease of use and completeness has
always been one of the design problems in all computer software. It is a
hard problem as any firewall maker can tell you. If you make a nice
friendly GUI to sell the product, it becomes an obstacle to actually using
the product in daily business.
Perhaps the next security product is not at the detection level but at
the policy generation level. An expert system that allows one to view
security policies so that the expected behaviour of both the people and the
system is compared with past experience and with required data to monitor
this behaviour. This kind of high thought level software has always been
harder to create than circuit level stuff, but it is the most important for
actually getting results.
Bill Royds
Internet Security Manager
Department of Canadian Heritage
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT