Firewall Wizards mailing list archives
Intrusion Detection and Security Policy
From: Bill_Royds () pch gc ca
Date: Thu, 16 Apr 1998 11:22:15 -0400
Marcus J. Ranum wrote:

> I built a lot of firewalls, and I've seen a lot of firewalls installed every which way but backwards. The reason I am going out on a limb here is to try to get folks to build the right things into their IDS' early on! Before it's too late! If I could go back in time, I'd'a built firewalls that had "policy writing wizards" that you could walk through and which would not only configure the firewall but give you a hardcopy risk assessment of the policy you built. Templates, too. We need the same kind of stuff for IDS. Or they will also be complicated, obscure products that get installed and ignored and finally unplugged. I'd hope that the fact that I am saying this in a public forum, effectively giving advice to potential competitors, will serve as proof of my earnest or foolishness or both.

One problem that needs to be addressed is a "Security Policy Language" which would be a formal notation for writing security policies that would be both explainable to managers and executives and verifiable in a formal sense. There has been work done on this in programming language verification (Euclid and stuff from late 70's) but it ended up being too "mathematical" for real world use.

The tradeoff between ease of use and completeness has always been one of the design problems in all computer software. It is a hard problem, as any firewall maker can tell you. If you make a nice friendly GUI to sell the product, it becomes an obstacle to actually using the product in daily business.

Perhaps the next security product is not at the detection level but at the policy generation level. An expert system that allows one to view security policies so that the expected behaviour of both the people and the system is compared with past experience and with required data to monitor this behaviour. This kind of high thought level software has always been harder to create than circuit level stuff, but it is the most important for actually getting results.

Bill Royds
Internet Security Manager
Department of Canadian Heritage