Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: "Paul M. Cardon" <pmarc () cmg fcnbd com>
Date: Mon, 16 Feb 98 09:31:25 -0600
tqbf () secnet com thus spake unto me:
> If you know the number of hops to every destination on the network, the MTU of each of those hops, the OS running on each of the machines on your network, and the exact network configuration of each, AND if you can reliably see every packet on the wire, you can (I currently believe) accurately reconstruct network traffic and detect intrusions in it. You do not need to be a proxy to have this information. Being a proxy allows you to do network intrusion detection WITHOUT this information. The problem you need to solve at this point is "how the hell do we get this kind of information to the IDS in real time, in order to make my non-proxy sniffer IDS work."
One of the major reasons why passive-listening ID systems have been getting so much hype is that they are being advertised as a way to detect attacks that may originate inside the network perimeter protected by the conventional firewall. In other words, the claim is that they provide threat detection originating from any device on the network targeting any other device on the network. However, until these systems can obtain all of the secondary information Thomas mentions above, they are severely limited in their advertised capabilities. While a proxy CAN obtain much of that information, we are left providing protection only at the network perimeter, so any internal attacks can once again be carried out undetected. Uggh.

This is looking to be a familiar scenario: networks with a hard, crunchy shell at the network perimeter and a soft, chewy middle where the INTERNAL threat protection provided to internal hosts is inadequate. Does this mean that ID needs to be done at the host level, or in other words at every connection end-point? What other possibilities do we have? I think we've seen similar questions before. The problems with that approach are one of the reasons why we have firewalls in the first place.

I think it may be useful to summarize all the different network placements/approaches for network intrusion detection, list the advantages and problems with each, and perhaps we'll see some useful combination of approaches that can provide a more complete range of protection. At the very least we will see some other problems that we have missed if we look at the entire network and not just the firewall boundary. I know Thomas is considering the entire network in his research, but after all this is firewall-wizards and the discussion naturally tends solely in that direction.

---
Paul M. Cardon
First Chicago NBD Corporation

On the whole, we are hostile to puns. - Wolcott Gibbs
Sisyphus and loving it.
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
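As an added illustration of the point quoted above (not code from the thread or from any of its participants): a passive sensor that lacks per-host hop counts and path MTUs reassembles a different byte stream from the one the endpoint actually receives, whereas a sensor that has that topology knowledge both matches the endpoint and can raise an alert on packets the endpoint could never have seen. The topology table, packet layout and capture below are constructed sample data; the reassembly is a deliberately simple first-seen-wins toy.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str        # destination host
    ttl: int        # IP TTL as observed at the sensor
    size: int       # IP total length in bytes
    df: bool        # Don't Fragment flag
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

# Constructed topology knowledge (assumed values): for each host, the number of
# router hops between the sensor and that host, and the smallest MTU on the path.
TOPOLOGY = {"10.0.0.5": {"hops": 4, "mtu": 1500}}

def host_can_receive(pkt, topo):
    """True if the destination host will actually see this packet."""
    if pkt.ttl <= topo["hops"]:            # TTL reaches zero before arrival
        return False
    if pkt.df and pkt.size > topo["mtu"]:  # cannot be fragmented, cannot fit
        return False
    return True

def _assemble(packets):
    """First-seen-wins byte map -> stream (toy reassembly, no real TCP state)."""
    data = {}
    for p in packets:
        for i, b in enumerate(p.payload):
            data.setdefault(p.seq + i, b)
    return bytes(data[k] for k in sorted(data))

def naive_reassemble(packets):
    """Sensor with no topology knowledge: every packet on the wire counts."""
    return _assemble(packets)

def endpoint_aware_reassemble(packets, topology):
    """Reassemble only what the endpoint sees; report everything else as anomalies."""
    accepted, anomalies = [], []
    for p in packets:
        topo = topology.get(p.dst)
        if topo is None or not host_can_receive(p, topo):
            anomalies.append(p)  # unknown host or unreachable packet: worth an alert
        else:
            accepted.append(p)
    return _assemble(accepted), anomalies

# Constructed capture: the middle packet's TTL of 3 cannot survive 4 router hops,
# so the host never sees it, while a naive sensor splices it into the stream.
CAPTURE = [
    Packet("10.0.0.5", 64, 47, True, 0, b"GET /in"),
    Packet("10.0.0.5", 3, 48, True, 7, b"dex.html"),
    Packet("10.0.0.5", 64, 51, True, 7, b"nocent.html"),
]
```

Running `naive_reassemble(CAPTURE)` and `endpoint_aware_reassemble(CAPTURE, TOPOLOGY)` on the same capture gives two different streams, and only the topology-aware path reports the packet that could not have reached the host.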