Firewall Wizards mailing list archives

RE: Intrusion Detection


From: "Wright, Steven" <SWright () v-one com>
Date: Wed, 15 Apr 1998 17:22:17 -0400

Howdy all,

        What kind of data is necessary to collect for an Intrusion?

        The answer to that should be -- Anything that the defender deems
        as an unwarranted action!!!   The true problem with IDS is the
        inability to set site policy (i.e. some sort of network policy
        auditor).  Current IDS allows you to scan for known attacks, and
        has very limited capability to set site policy, and audit that
        site policy.

        After all, aren't we REALLY trying to establish a way to scan the
        systems and networks for violation of site policy?  Wouldn't it
        be nice to analyze the collected data, and amend site policy based
        on your findings?  Don't the needs from one site differ from that
        of another?  Policy shouldn't be a rigid set of rules and should
        be able to be amended at the site's request.

        That brings me back to my original question:  what kind of data
        is necessary to collect for an intrusion?  If the tools I use do
        not allow the amendment of the policy, then there exists a chance
        for attacks to go by unnoticed.  Wouldn't it be possible to
        circumvent the IDS by tunneling a known attack over a known
        protocol?  What if that protocol is encrypted?  Wouldn't this lead
        us into the realm of behavioral analysis, and, if so, wouldn't
        this mean that we now have to start doing some sort of
        "forensics" to help expose this threat?  What about making that
        threat known to our site policy?  What if this attack only works
        on my site and not someone else's?  The answer should be -- since
        it is unwarranted we should be able to amend site policy, and
        start capturing data!  IDS tools are extremely useful and have
        their place, but chaos needs order and sites need their
        network/systems to be audit-able!!!

        Now another question comes into play (mainly for devil's
        advocation): "If all the known attacks have been plugged on our
        networks/systems, then do I need to keep wasting bandwidth
        scanning for them?"

Well that's my two cents,

Steve Wright
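The contrast the post draws, between scanning for known attacks and auditing traffic against a site policy, as an added example that is not part of the original message or of any IDS product. It runs three checks over constructed flow records: a signature scan (blind once the session is encrypted), a site-policy audit that flags any flow the site has not explicitly warranted, and a crude behavioural check on upload volume for the encrypted case. The signatures, the policy table, the zones, the byte baseline and the function names (`signature_scan`, `policy_audit`, `behaviour_check`, `amend_policy`) are all assumptions made for the example.

```python
"""Added example: known-attack signatures next to a site-policy audit.

Flows, signatures, policy and baseline below are constructed for
illustration; none of them come from the original post or any product.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    payload: bytes    # b"" when the session is encrypted and no cleartext is visible
    bytes_out: int    # bytes sent src -> dst over the whole session


# Constructed signatures: cleartext patterns a "known attack" scanner would match.
SIGNATURES = {
    "cgi-traversal": re.compile(rb"GET /cgi-bin/[a-z]+\?[^ ]*\.\./"),
    "shell-metachar": re.compile(rb"[;|`]\s*(cat|sh|id)\b"),
}

# Constructed site policy: zone -> (dst, dport, proto) a host in that zone may
# initiate.  Anything not listed is, in the post's words, unwarranted here.
ZONES = [
    (ipaddress.ip_network("10.1.0.0/16"), "lan"),
    (ipaddress.ip_network("192.168.9.0/24"), "dmz"),
]
POLICY: dict[str, set[tuple[str, int, str]]] = {
    "lan": {("192.168.9.10", 80, "tcp"), ("192.168.9.10", 443, "tcp"),
            ("192.168.9.53", 53, "udp")},
    "dmz": {("192.168.9.53", 53, "udp")},
}
# Constructed baseline: an HTTPS client session sending more than this is
# unusual at this site and worth a closer look.
UPLOAD_BASELINE = 50_000


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "unknown"


def signature_scan(flow: Flow) -> list[str]:
    """Known-attack matching; returns nothing when the payload is encrypted."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow.payload)]


def policy_audit(flow: Flow, policy: dict[str, set[tuple[str, int, str]]]) -> str | None:
    """Flag any flow the site policy does not warrant, regardless of payload."""
    zone = zone_of(flow.src)
    if (flow.dst, flow.dport, flow.proto) not in policy.get(zone, set()):
        return f"{zone} host {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} not in site policy"
    return None


def behaviour_check(flow: Flow, baseline: int = UPLOAD_BASELINE) -> str | None:
    """Volume, not content: the only handle left when the session is encrypted."""
    if flow.payload == b"" and flow.bytes_out > baseline:
        return f"encrypted session {flow.src} -> {flow.dst}:{flow.dport} sent {flow.bytes_out} bytes (baseline {baseline})"
    return None


def audit(flows: list[Flow], policy: dict[str, set[tuple[str, int, str]]]) -> list[list[str]]:
    """Run all three checks; one finding list per flow, empty means clean."""
    out = []
    for f in flows:
        findings = signature_scan(f)
        findings += [r for r in (policy_audit(f, policy), behaviour_check(f)) if r]
        out.append(findings)
    return out


def amend_policy(policy, zone: str, dst: str, dport: int, proto: str):
    """After review the site decides a flow is warranted: record it so the auditor stops flagging it."""
    policy.setdefault(zone, set()).add((dst, dport, proto))
    return policy


# Constructed flows.
FLOWS = [
    # 1: cleartext CGI traversal to the web server: the signature scan catches it.
    Flow("10.1.4.20", "192.168.9.10", 80, "tcp", b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n", 120),
    # 2: same attack tunneled over HTTPS to the same server: no signature, policy-conformant, nobody sees it.
    Flow("10.1.4.20", "192.168.9.10", 443, "tcp", b"", 900),
    # 3: encrypted session to a host the policy never mentions: signatures blind, policy audit catches it.
    Flow("10.1.4.20", "203.0.113.7", 443, "tcp", b"", 4_200),
    # 4: policy-conformant HTTPS but a bulk upload: only the behavioural check notices.
    Flow("10.1.4.20", "192.168.9.10", 443, "tcp", b"", 2_400_000),
    # 5: DMZ host opening SSH into the LAN: nothing to match, clear policy violation.
    Flow("192.168.9.10", "10.1.4.20", 22, "tcp", b"", 300),
]

if __name__ == "__main__":
    for i, findings in enumerate(audit(FLOWS, POLICY), 1):
        print(i, findings or "clean")
```

Flow 2 is the case the post worries about: the known attack rides an allowed, encrypted channel to an allowed host, so neither the signature scan nor the policy audit has anything to say, and only a behavioural or forensic angle (flow 4 shows the crudest one) is left. The policy is plain data, so `amend_policy` is how a site records a finding it has reviewed and decided to warrant.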


