Firewall Wizards mailing list archives

Re: Intrusion Detection


From: John McDermott <jjm () jkintl com>
Date: Thu, 16 Apr 98 16:36:07

Marcus,

--- On Wed, 15 Apr 1998 17:19:48 -0400  "Marcus J. Ranum" <mjr () nfr net> 
wrote:

Eric Maiwald writes:
I think you are missing one important capability of attack
recognition tools: if I place the tool inside my firewall,
I can configure it to tell me if my firewall is not behaving correctly.

      Yeah! This is what I'm talking about!

      What's interesting in this example (the firewall) is the
assumption that your IDS can understand what "correct" behavior
of the firewall is. What that means is that you'd be able to
invert the firewall's policy, or somehow have an IDS that was
coupled to your understanding of what should and should not
work through the firewall.

I think a word of caution is in order here.  There seems to me to be a 
great danger if the coupling between "understanding of what should and 
should not work through the firewall" and IDS configuration is too 
automatic.  That is, if the firewall were to generate the IDS configuration 
information, errors in the policy as configured into the firewall would 
likely be transferred to the IDS.

In many ways it would be nice to have some universal sort of way to explain 
policy to devices, but in doing so machine misinterpretation of that policy 
might distribute errors to multiple devices.

I'm far from saying that I have even a really strong clue how to deal with 
this in a clean way, but too tight a coupling could lead to a serious 
problem, as I see it.

--john

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
VP, J-K International, Ltd.
Writer and Computer Consultant
-------------------------------------
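The coupling risk John raises, as an added illustration that is not code from the thread: a firewall whose loaded ruleset contains a policy error, and an inside IDS whose notion of "correct" is either generated from that same ruleset or written from an independent statement of the intended policy. All rule tables and traffic are constructed sample data.

```python
# Added illustration (not from the thread): tightly coupled vs. independently
# configured IDS when the firewall ruleset itself carries a policy error.

# Constructed sample data: the intended policy, written by hand.
INTENDED_POLICY = {("tcp", 80): "allow", ("tcp", 25): "allow", ("tcp", 23): "deny"}

# Constructed sample data: the ruleset actually loaded on the firewall; the
# telnet entry was mistyped as "allow" instead of "deny".
FIREWALL_RULESET = {("tcp", 80): "allow", ("tcp", 25): "allow", ("tcp", 23): "allow"}

# Constructed sample data: flows arriving at the outside interface.
OUTSIDE_TRAFFIC = [("tcp", 80), ("tcp", 25), ("tcp", 23), ("tcp", 445)]


def firewall_pass(ruleset, flows):
    """Return the flows the firewall forwards (unlisted flows default to deny)."""
    return [f for f in flows if ruleset.get(f, "deny") == "allow"]


def ids_expectation(source):
    """Build the IDS's model of what should be seen inside the firewall.

    Passing FIREWALL_RULESET models the tightly coupled design (the firewall
    generates the IDS configuration); passing INTENDED_POLICY models an IDS
    configured from an independent statement of the policy.
    """
    return dict(source)


def audit(expectation, inside_flows):
    """Alert on every flow seen inside that the expectation says must be denied."""
    return [f for f in inside_flows if expectation.get(f, "deny") == "deny"]


def coupled_alerts():
    """IDS config derived from the firewall: the policy error travels with it."""
    inside = firewall_pass(FIREWALL_RULESET, OUTSIDE_TRAFFIC)
    return audit(ids_expectation(FIREWALL_RULESET), inside)


def independent_alerts():
    """IDS config from an independent policy statement: the error is caught."""
    inside = firewall_pass(FIREWALL_RULESET, OUTSIDE_TRAFFIC)
    return audit(ids_expectation(INTENDED_POLICY), inside)


if __name__ == "__main__":
    print("coupled IDS alerts:    ", coupled_alerts())      # []
    print("independent IDS alerts:", independent_alerts())  # [('tcp', 23)]
```

The independent IDS only catches errors where the two statements of policy disagree; a mistake shared by both (the "machine misinterpretation" distributed to every device) still passes silently.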


