NFR Wizards Archive: Re: Intrusion Detection

Re: Intrusion Detection

Mark Horn [ Net Ops ] (mhornfunb.com)
Mon, 20 Apr 1998 13:31:50 -0400

I know that I'm kicking a dead horse, but just one question...

Marcus J. Ranum says:
> What's interesting in this example (the firewall) is the
> assumption that your IDS can understand what "correct" behavior
> of the firewall is. What that means is that you'd be able to
> invert the firewall's policy, or somehow have an IDS that was
> coupled to your understanding of what should and should not
> work through the firewall. That's what I've been calling this
> "policy-based IDS" stuff: when you know a priori what should and
> shouldn't happen and look for cases where what shouldn't happen
> is happening.

Can't this be done with two firewalls in series? Both firewalls would
have the same rule set, with one exception. The outer firewall has a
default deny rule that simply drops stuff. The inner firewall has a
default deny rule that drops stuff, and sets off an alarm to the
administrators. If the administrators ever get an alarm from the inner
firewall, they know that the outer firewall is permitting things it
shouldn't, or that the rulesets are out of sync. This could even be done,
crudely, with a router as the outer firewall.

This is not, by any means, perfect. But isn't this a rudimentary policy-based
IDS?

Mark Horn <mhornfunb.com>

PGP Public Key available at: http://www.es.net/hypertext/pgp.html PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
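As an added illustration (not part of Mark Horn's post), the two-firewalls-in-series arrangement he describes, simulated in Python: both firewalls evaluate the same first-match rule set with default deny, the outer one drops silently, and any flow that reaches the inner firewall's default deny raises an alarm, which is exactly the "outer firewall is permitting things it shouldn't, or the rulesets are out of sync" signal. The addresses, ports and the extra permit in the drifted outer copy are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    port: int     # destination port
    action: str   # "permit" or "deny"


def evaluate(rules, flow):
    """First-match evaluation; no match falls through to default deny."""
    src, dst, port = flow
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and port == r.port):
            return r.action
    return "deny"


def run_series(outer_rules, inner_rules, flows):
    """Return (flows delivered past both firewalls, flows that alarmed).

    The outer firewall drops silently.  Anything the inner firewall has to
    drop was, by construction, permitted by the outer one: that is the alarm.
    """
    delivered, alarms = [], []
    for flow in flows:
        if evaluate(outer_rules, flow) != "permit":
            continue                      # outer default deny: silent drop
        if evaluate(inner_rules, flow) == "permit":
            delivered.append(flow)
        else:
            alarms.append(flow)           # inner default deny: alarm
    return delivered, alarms


def rulesets_in_sync(outer_rules, inner_rules):
    """Cheap pre-check for the 'rulesets out of sync' case: same rules, same order."""
    return list(outer_rules) == list(inner_rules)


# Constructed sample policy: mail and web to one host, everything else denied.
POLICY = [Rule("0.0.0.0/0", "192.0.2.10/32", 25, "permit"),
          Rule("0.0.0.0/0", "192.0.2.10/32", 80, "permit")]
# Constructed drift: someone added a telnet permit on the outer firewall only.
OUTER_DRIFTED = POLICY + [Rule("0.0.0.0/0", "192.0.2.0/24", 23, "permit")]
FLOWS = [("198.51.100.7", "192.0.2.10", 25),    # legitimate, delivered
         ("198.51.100.7", "192.0.2.10", 23),    # leaks past outer, alarms at inner
         ("198.51.100.7", "192.0.2.11", 23),    # same
         ("198.51.100.7", "192.0.2.10", 443)]   # dropped silently by outer


def demo():
    return run_series(OUTER_DRIFTED, POLICY, FLOWS)
```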

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT