Firewall Wizards mailing list archives
RE: Intrusion Detection
From: "Wright, Steven" <SWright () v-one com>
Date: Wed, 15 Apr 1998 17:22:17 -0400
Howdy all,

What kind of data is necessary to collect for an Intrusion? The answer to that should be -- Anything that the defender deems as an unwarranted action!!!

The true problem with IDS is the inability to set site policy (i.e. some sort of network policy auditor). Current IDS allows you to scan for known attacks, and has very limited capability to set site policy, and audit that site policy. After all, aren't we REALLY trying to establish a way to scan the systems and networks for violation of site policy? Wouldn't it be nice to analyze the collected data, and amend site policy based on your findings? Don't the needs from one site differ from that of another? Policy shouldn't be a rigid set of rules and should be able to be amended at the site's request.

That brings me back to my original question: what kind of data is necessary to collect for an intrusion? If the tools I use do not allow the amendment of the policy, then there exists a chance for attacks to go by unnoticed. Wouldn't it be possible to circumvent the IDS by tunneling a known attack over a known protocol? What if that protocol is encrypted? Wouldn't this lead us into the realm of behavioral analysis, and, if so, wouldn't this mean that we now have to start doing some sort of "forensics" to help expose this threat? What about making that threat known to our site policy? What if this attack only works on my site and not someone else's? The answer should be -- since it is unwarranted we should be able to amend site policy, and start capturing data!

IDS tools are extremely useful and have their place, but chaos needs order and sites need their network/systems to be audit-able!!!

Now another question comes into play (mainly for devil's-advocation): "If all the known attacks have been plugged on our networks/systems, then do I need to keep wasting bandwidth scanning for them?"

Well that's my two cents,
Steve Wright
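The post argues for auditing traffic against an amendable site policy rather than only scanning for known attack signatures. The following is an added illustration, not code from the list or its authors: a small policy auditor over constructed flow records (hosts, RFC 5737 addresses and example.com names are made up), with a feedback step that amends the policy after review of the findings. A flow that carries a tunnelled payload over a permitted protocol is flagged not by its content but because it violates the site's volume or destination rules.

```python
"""Policy-driven audit of connection records (illustrative, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # external destination
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    nbytes: int   # bytes sent by the internal host


@dataclass
class Policy:
    """Site policy: what the defender warrants. Every field can be amended later."""
    allowed_services: set = field(default_factory=set)   # {(proto, port), ...}
    allowed_dst: dict = field(default_factory=dict)      # port -> set(dst); no entry = any dst
    max_bytes: dict = field(default_factory=dict)        # (proto, port) -> byte ceiling per flow


def site_policy():
    # Constructed starting policy: mail, DNS and HTTPS out; HTTPS only via the proxy;
    # a DNS flow larger than 4 KiB is outside what the site expects of a lookup.
    return Policy(allowed_services={("tcp", 25), ("udp", 53), ("tcp", 443)},
                  allowed_dst={443: {"proxy.example.com"}},
                  max_bytes={("udp", 53): 4096})


def audit(flows, policy):
    """Return (flow, reason) for every flow the site policy does not warrant."""
    findings = []
    for f in flows:
        svc = (f.proto, f.dport)
        if svc not in policy.allowed_services:
            findings.append((f, "service not permitted by policy"))
        elif f.dport in policy.allowed_dst and f.dst not in policy.allowed_dst[f.dport]:
            findings.append((f, "destination not permitted for this service"))
        elif svc in policy.max_bytes and f.nbytes > policy.max_bytes[svc]:
            findings.append((f, "flow volume exceeds policy ceiling"))
    return findings


def permit_destination(policy, port, dst):
    """Amend policy after review: add one warranted destination for a restricted port."""
    policy.allowed_dst.setdefault(port, set()).add(dst)


# Constructed sample flows; the second looks like DNS on the wire but moves far too much data.
FLOWS = [
    Flow("ws1", "mail.example.com", 25, "tcp", 4000),
    Flow("ws2", "203.0.113.7", 53, "udp", 900000),
    Flow("ws3", "198.51.100.9", 443, "tcp", 12000),
    Flow("ws4", "192.0.2.5", 6667, "tcp", 200),
    Flow("ws1", "proxy.example.com", 443, "tcp", 5000),
]
```

Running `audit(FLOWS, site_policy())` yields three findings; after `permit_destination(policy, 443, "198.51.100.9")` the same flows yield two, which is the audit-then-amend loop the post describes.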