Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: Aleph One <aleph1 () dfw dfw net>
Date: Mon, 16 Feb 1998 20:40:31 -0600 (CST)

On Mon, 16 Feb 1998, Paul M. Cardon wrote:

> While a proxy CAN obtain much of that information, we are left providing
> protection only at the network perimeter so any internal attacks can once
> again be carried out undetected.
>
> Uggh.  This is looking to be a familiar scenario: networks with a hard,
> crunchy shell at the network perimeter and a soft, chewy middle where the
> INTERNAL threat protection provided to internal hosts is inadequate.
>
> Does this mean that ID needs to be done at the host level or in other words
> at every connection end-point?  What other possibilities do we have?  I think
> we've seen similar questions before.  The problems with that approach are
> one of the reasons why we have firewalls in the first place.

This situation creates a whole new line of products for the IDS industry.
In particular an IDS built on top of a LAN switch that normalizes traffic.
Very similar in concept to an IDS built on top of a firewall that
normalizes traffic. The issue is that we have to move away from broadcast
networks.

Such systems could be designed to distribute the load of intrusion
detection. If a session flows through two or more devices that can perform
IDS processing (firewall, switch, etc.) then they can coordinate such that
only one needs to do the work.

I can see Cisco buying some small IDS company and incorporating such a
feature on their high-end Catalyst switches.

Who said there are no new business opportunities in the security market?
;)

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
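One way the coordination sketched above could work, shown here as an added example that is not part of the original post and not code from any product mentioned in it: each inspection-capable device on a session's path (firewall, switch) computes the same answer locally, with no control channel, by hashing the canonical flow key together with each candidate device id and letting the highest score win (rendezvous hashing). The device names, the sample flows and the choice of rendezvous hashing are all assumptions made for this illustration.

```python
"""
Deterministic IDS work assignment among inspection points on a flow's path.

Every device that sees the same session computes the same owner without
talking to the others: score = H(device_id || flow_key), highest score wins.
Device names and sample flows below are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def key(self) -> bytes:
        # Order the endpoints so both directions of a session map to one key;
        # otherwise the reply packets could be handed to a different device.
        a = (self.src_ip, self.src_port)
        b = (self.dst_ip, self.dst_port)
        lo, hi = sorted([a, b])
        return f"{self.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def score(device_id: str, flow: Flow) -> int:
    """Per-(device, flow) score; SHA-256 keeps it uniform and unpredictable."""
    digest = hashlib.sha256(device_id.encode() + b"\x00" + flow.key()).digest()
    return int.from_bytes(digest[:8], "big")


def inspector_for(flow: Flow, path: Sequence[str]) -> str:
    """Return the one device on `path` that should run detection for `flow`.

    Ties on score are broken by device name so the answer is still unique.
    """
    if not path:
        raise ValueError("flow has no inspection-capable device on its path")
    return max(path, key=lambda dev: (score(dev, flow), dev))


def should_inspect(me: str, flow: Flow, path: Sequence[str]) -> bool:
    """Local decision taken by device `me`; every device on the path agrees."""
    return inspector_for(flow, path) == me


def assign(flows: Iterable[Flow], path: Sequence[str]) -> dict:
    """Bucket flows by the device that will inspect them (for load reporting)."""
    out = {dev: [] for dev in path}
    for f in flows:
        out[inspector_for(f, path)].append(f)
    return out


# Constructed sample data: three devices on the path and 300 HTTP sessions.
SAMPLE_PATH = ["fw-edge", "sw-core-1", "sw-access-7"]
SAMPLE_FLOWS = [
    Flow("10.0.1.%d" % (i % 200 + 1), "10.0.9.10", 6, 40000 + i, 80)
    for i in range(300)
]

if __name__ == "__main__":
    for dev, flows in assign(SAMPLE_FLOWS, SAMPLE_PATH).items():
        print(f"{dev}: {len(flows)} flows")
```

The scheme only holds if every device on the path knows the same path membership and sees both directions of the session; with asymmetric routing, or with stale path lists, two devices may both inspect or neither may, so a safe local fallback is to inspect whenever the path information is in doubt. Rendezvous hashing also has the property that removing a device only reassigns the flows that device owned, which matters when a switch or firewall drops out of the path.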
