Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Paul M. Cardon" <pmarc () cmg fcnbd com>
Date: Mon, 16 Feb 98 21:12:07 -0600
Aleph One thus spake unto me:
Does this mean that ID needs to be done at the host level or in other words at every connection end-point? What other possibilities do we have? I think we've seen similar questions before. The problems with that approach are one of the reasons why we have firewalls in the first place.

This situation creates a whole new line of products for the IDS industry. In particular an IDS built on top of a LAN switch that normalizes traffic. Very similar in concept to an IDS built on top of a firewall that normalizes traffic. The issue is that we have to move away from broadcast networks.
I knew I was missing something.
Such systems could be designed to distribute the load of intrusion detection. If a session flows through two or more devices that can perform IDS processing (firewall, switch, etc) then they can coordinate such that only one needs to do the work.
At first glance I like the idea. On practical matters I can quickly think of the following issues to be addressed:

* Performance impact (even with distributed coordination). Switches tend to be lean and mean to achieve performance goals. How much useful ID functionality could be built into the switch itself without turning it into a dog? Hanging the IDS off a promiscuous port on the switch still has most of the same problems as a passive IDS on a broadcast network.

* Coordination algorithms, especially for a large number of devices. This would be a clear place to look for implementation flaws that could be exploited. My favorite would be to find a way to convince all of the devices in the path that somebody else was doing the work. Just like all the solutions being discussed here this would be a complex system with lots of potential for bugs.

* Yet another point of incompatibility between network vendors' products ;)
I can see Cisco buying some small IDS company and incorporating such a feature on their high end Catalyst switches. Who said there are no new business opportunities in the security market?
If we keep throwing out ideas like these maybe Marcus will finally find one he can get rich on. :*0

---
Paul M. Cardon
First Chicago NBD Corporation

On the whole, we are hostile to puns. - Wolcott Gibbs
Sisyphus and loving it.
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
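The coordination flaw raised in this message (every device in the path convinced that somebody else is doing the work) is easy to model. The following Python is an added example, not code from the thread or from any switch or IDS vendor; device names, session ids and the shared key are constructed placeholders. It contrasts a naive rule, where a device skips inspection whenever an unverified claim says another device will handle it, with a rule where every device computes the same election locally, the elected device inspects and attaches an HMAC mark, and devices downstream fail closed (inspect themselves) unless a mark verifies.

```python
"""Toy model of IDS work-sharing along a path of inspection-capable devices.

Two coordination rules are compared:
  naive_inspectors       - skip if any claim says someone else will inspect
                           (claims are not verified)
  coordinated_inspectors - deterministic local election; the elected device
                           inspects and attaches an HMAC mark; devices after it
                           fail closed unless they see a mark that verifies
Constructed example: names, session ids and the key are placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key"  # hypothetical key shared by the path's devices


@dataclass(frozen=True)
class Device:
    name: str
    capable: bool = True  # can this device run IDS processing at all?


def elect(path, session_id):
    """Pick the device that should inspect this session.

    Every device evaluates this with the same inputs (ordered path, session id),
    so no election messages are exchanged. The byte-sum is a toy stand-in for a
    real hash; what matters is that the choice is deterministic and spreads load.
    """
    capable = [d for d in path if d.capable]
    if not capable:
        return None
    return capable[sum(session_id.encode()) % len(capable)]


def make_mark(key, session_id, device_name):
    """Authenticated 'I inspected this session' mark carried with the session."""
    msg = f"{session_id}|{device_name}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mark_is_valid(key, session_id, path, marks):
    """True if at least one carried mark verifies for a capable device in the path.
    Marks for names that are not in the path are ignored outright."""
    for d in path:
        if not d.capable:
            continue
        got = marks.get(d.name)
        if got is not None and hmac.compare_digest(got, make_mark(key, session_id, d.name)):
            return True
    return False


def naive_inspectors(path, claims, down=frozenset()):
    """Naive rule: if anyone else claims the work, skip. Nothing checks the claim,
    so one injected claim under a name nobody owns silences every device."""
    inspected = []
    for d in path:
        if not d.capable or d.name in down:
            continue
        if claims - {d.name}:
            continue  # "somebody else is doing it"
        inspected.append(d.name)
    return inspected


def coordinated_inspectors(path, session_id, key=SHARED_KEY, injected_marks=None, down=frozenset()):
    """Deterministic election plus authenticated hand-off, walking the path in order.

    injected_marks: marks inserted into the session by a third party (constructed).
    down: names of devices that silently fail (neither inspect nor mark).
    Returns the names of the devices that actually inspected.
    """
    elected = elect(path, session_id)
    marks = dict(injected_marks or {})
    inspected = []
    past_elected = False
    for d in path:
        if not d.capable or d.name in down:
            past_elected = past_elected or (elected is not None and d.name == elected.name)
            continue
        if elected is not None and d.name == elected.name:
            past_elected = True
            inspected.append(d.name)  # elected: inspect regardless of any claim
            marks[d.name] = make_mark(key, session_id, d.name)
        elif past_elected and not mark_is_valid(key, session_id, path, marks):
            inspected.append(d.name)  # fail closed: nobody provably did the work
            marks[d.name] = make_mark(key, session_id, d.name)
        # otherwise the elected device is still downstream, or a valid mark is present
    return inspected


if __name__ == "__main__":
    path = [Device("fw"), Device("sw1"), Device("sw2", capable=False), Device("sw3")]
    sid = "sess-2"  # constructed stand-in for a session 5-tuple
    print("naive, no claims:         ", naive_inspectors(path, set()))
    print("naive, forged claim:      ", naive_inspectors(path, {"phantom"}))
    print("coordinated:              ", coordinated_inspectors(path, sid))
    print("coordinated, forged mark: ", coordinated_inspectors(path, sid, injected_marks={"sw1": "deadbeef"}))
    print("coordinated, elected down:", coordinated_inspectors(path, sid, down={"sw1"}))
```

The design choice worth noting is that the hand-off is never based on what a peer says but on what every device can compute or verify for itself: the election needs no messages, and the only message that is trusted (the mark) is authenticated with a key the devices share. The remaining gap is the last hop: if the elected device is the final capable device on the path and it fails silently, nothing downstream is left to fail closed, which is an argument for the device at the end of the path (typically the firewall) always being inspection-capable and monitored.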