RE: Intrusion Detection

[Russ <Russ.Cooper () rc on ca>]

> In many ways it would be nice to have some universal sort of way to
> explain policy to devices, but in doing so machine misinterpretation
> of that policy might distribute errors to multiple devices.

Well, there are pros and cons here. I might prefer to have the same
error throughout my environment rather than having the potential to
create errors in numerous independent implementations.

If I misconfigure and open a hole, I do so everywhere using a common
policy deployment. If I don't, I multiply the times of opportunity to
introduce a hole (each configuration introduces another opportunity),
and reduce the possibility of discovering it myself (because I have to
audit numerous implementations).

> I'm far from saying that I have even a really strong clue how to deal
> with this in a clean way, but too tight a coupling could lead to a
> serious problem, as I see it.

Well, I won't argue your "serious problem", but maybe we need to define
serious better. I would end up with a more "wide-scale problem" using
mass policy deployment. That could possibly lead to an increased
opportunity for exploit.

On the other hand, if I only have to monitor a single policy
configuration method, I might be able to do a better job of it. For
example, instead of having to have a Firewall Administrator at every
site, I might be able to take half as many bodies and place them in a
central Firewall Operations Center (FOC), and then use an approval
policy that has configuration changes signed off by multiple
individuals.

If the process is automated, then the same theories apply to the process
that modifies how the AI deals with things.

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Moderator of the NTBugtraq mailing list
http://www.ntbugtraq.com