OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Kristolaitis (jesternt.net)
Date: Thu May 09 2002 - 00:05:23 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    >At my current contract we are trying to
    >come up with a set of rules that is "all inclusive"
    >(as much as possible). Granted a Security Policy is
    >part of it, so are firewall rules, so might be the
    >rules for the IDS.

    One important thing to add to this list is an incident response plan. All
    the policies and rules in the world won't do you any good if you don't have
    a set course of action for dealing with security breaches (or other
    disasters). For example, do you quarantine the affected system(s) for
    investigation, or do you just rebuild from the last clean backup?

    >When I asked for further
    >clarification on this topic, I was told, "you know
    >something like "fuzzy-logic" that states IF "A" then
    >"Z" (for example a hacker is hacking away at the
    >firewall), BUT if the hacker breaks through the
    >firewall, then We need to jump to IDS rules, so now
    >it's IF B then Y, and if the hacker get's into the
    >corporate piggy bank and steals money, then it's IF C
    >then X...

    Hmm... My first impression here is that the person who said this has no
    idea what "fuzzy logic" actually is. The example you've given is
    'cascading' boolean logic, not fuzzy logic. Might want to clarify whether
    they want fuzzy logic detection algorithms, or simple boolean decisions here.
    My second thought is why separate all the functions? Basically, why wait
    until an attacker has penetrated the firewall before activating IDS? I
    would personally run them concurrently, for an added chance of attack
    detection (different detection methods, as well as the added redundancy
    which means that an attacker has to totally disable both systems at the
    same time to completely avoid detection). One thing about complex
    systems: Redundancy is A Good Thing(tm).
    The other thing here... how would you know that an attacker has succesfully
    penetrated the firewall without IDS running first? If the attack is done
    properly, the firewall wouldn't know that it's been penetrated, and would
    thus be unable to start the next step (IDS rules).

    Just my thoughts...
             Peter Kristolaitis