IDS mailing list archives

Re: IDS thoughts


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 03 Jun 2003 14:03:51 -0700


I wrote:

Anytime you have an interface between zones of different
risk, liability, threat, or whatever, there should be:
-A policy which enunciates and addresses this difference
-A mechanism for enforcing this policy
-A mechanism for auditing the enforcement of this policy

Stefano Zanero writes:

Yes. But, as long as you can clearly DEFINE this policy, the enforcement
mechanism and the detection mechanism can be the same. If you check twice
against the same rule, you are not doing "anomaly detection" - at least, not
in my concept :-)

This is true.  It is also irrelevant.  You don't want a discrete
monitoring mechanism because you want to do anomaly detection (or at least,
that is not the exclusive reason).  You want your monitoring mechanism to
be decoupled from your policy enforcement mechanism to be able to audit
the failure mode of your enforcement mechanism.  Whether or not this
entails anomaly detection (for some suitably gerrymandered definition
of the term) is beside the point.

The fact that there is a common Latin phrase which reflects this dilemma---`Quis
custodiet ipsos custodes?'[0]---suggests that this is a class of problem whose
importance has been recognised for quite some time[1].

-spb

-----
0       `Who keeps the keepers?' or (currently more popularly) `Who watches
        the watchmen?'
1       Although it appears to be traditional for (online) information security
        to defer adoption of applicable innovations until forced to by brutal
        necessity.  Most network anomaly detection systems, for example, are
        significantly less sophisticated than the traffic analysis tools used
        by British intelligence in the Second World War.
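An added example (not from the post or the list) of the three-part arrangement argued for above: a policy, an enforcement mechanism, and a separate auditing mechanism that re-checks what actually crossed the zone boundary. Zone names, the flow records and the failed-open defect are constructed for illustration.

```python
"""Independent audit of a policy-enforcement mechanism.

Added example, not from the mailing-list post. Models the post's three
items: a policy, an enforcement mechanism, and a separate auditing
mechanism that observes what actually crossed the zone boundary.
Zone names, flow records and the enforcement defect are constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone dst_port proto")

# Policy: the only traffic permitted from the 'untrusted' zone into 'dmz'.
POLICY = {("untrusted", "dmz"): {(80, "tcp"), (443, "tcp")}}


def policy_allows(flow):
    """Return True if the policy permits this flow across the boundary."""
    allowed = POLICY.get((flow.src_zone, flow.dst_zone))
    return allowed is not None and (flow.dst_port, flow.proto) in allowed


def enforce(flow, ruleset_loaded=True):
    """Enforcement mechanism (a filter).  ruleset_loaded=False simulates a
    constructed failure mode: the device fails open and forwards everything."""
    if not ruleset_loaded:
        return True  # fails open: forwards regardless of policy
    return policy_allows(flow)


def audit(observed_flows):
    """Auditing mechanism: evaluates flows seen *after* enforcement against
    the same policy.  A disallowed flow that got through is an enforcement
    failure, whatever the reason the enforcer let it pass."""
    return [f for f in observed_flows if not policy_allows(f)]


# Constructed traffic offered at the boundary: two permitted, one forbidden.
OFFERED = [
    Flow("untrusted", "dmz", 443, "tcp"),
    Flow("untrusted", "dmz", 80, "tcp"),
    Flow("untrusted", "dmz", 22, "tcp"),
]


def run(ruleset_loaded):
    """Pass OFFERED through the enforcer, then audit what came out.
    Returns the flows the auditor flags as enforcement failures."""
    passed = [f for f in OFFERED if enforce(f, ruleset_loaded)]
    return audit(passed)


if __name__ == "__main__":
    print("healthy enforcer, audit findings:", run(True))      # []
    print("failed-open enforcer, audit findings:", run(False))  # port 22 flow
```

Checking the same rule twice is exactly what makes the enforcer's failure visible: the auditor has no dependency on the enforcer's state, so a fail-open condition shows up as policy violations in observed traffic.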

