Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Peter Kristolaitis (jesternt.net)
Date: Thu May 09 2002 - 00:05:23 CDT
>At my current contract we are trying to
>come up with a set of rules that is "all inclusive"
>(as much as possible). Granted a Security Policy is
>part of it, so are firewall rules, so might be the
>rules for the IDS.
One important thing to add to this list is an incident response plan. All
the policies and rules in the world won't do you any good if you don't have
a set course of action for dealing with security breaches (or other
disasters). For example, do you quarantine the affected system(s) for
investigation, or do you just rebuild from the last clean backup?
>When I asked for further
>clarification on this topic, I was told, "you know
>something like "fuzzy-logic" that states IF "A" then
>"Z" (for example a hacker is hacking away at the
>firewall), BUT if the hacker breaks through the
>firewall, then We need to jump to IDS rules, so now
>it's IF B then Y, and if the hacker get's into the
>corporate piggy bank and steals money, then it's IF C
Hmm... My first impression here is that the person who said this has no
idea what "fuzzy logic" actually is. The example you've given is
'cascading' boolean logic, not fuzzy logic. Might want to clarify whether
they want fuzzy logic detection algorithms, or simple boolean decisions here.
My second thought is why separate all the functions? Basically, why wait
until an attacker has penetrated the firewall before activating IDS? I
would personally run them concurrently, for an added chance of attack
detection (different detection methods, as well as the added redundancy
which means that an attacker has to totally disable both systems at the
same time to completely avoid detection). One thing about complex
systems: Redundancy is A Good Thing(tm).
The other thing here... how would you know that an attacker has succesfully
penetrated the firewall without IDS running first? If the attack is done
properly, the firewall wouldn't know that it's been penetrated, and would
thus be unable to start the next step (IDS rules).
Just my thoughts...