Firewall Wizards mailing list archives
Re: Intrusion Detection
From: John McDermott <jjm () jkintl com>
Date: Thu, 16 Apr 98 16:36:07
Marcus,

--- On Wed, 15 Apr 1998 17:19:48 -0400 "Marcus J. Ranum" <mjr () nfr net> wrote:

> Eric Maiwald writes:
>> I think you are missing one important capability of attack recognition tools, if I place the tool inside my firewall, I can configure it to tell me if my firewall is not behaving correctly.
>
> Yeah! This is what I'm talking about! What's interesting in this example (the firewall) is the assumption that your IDS can understand what "correct" behavior of the firewall is. What that means is that you'd be able to invert the firewall's policy, or somehow have an IDS that was coupled to your understanding of what should and should not work through the firewall.

I think a word of caution is in order here. There seems to me to be a great danger if the coupling between "understanding of what should and should not work through the firewall" and IDS configuration is too automatic. That is, if the firewall were to generate the IDS configuration information, errors in the policy as configured into the firewall would likely be transferred to the IDS. In many ways it would be nice to have some universal sort of way to explain policy to devices, but in doing so machine misinterpretation of that policy might distribute errors to multiple devices. I'm far from saying that I have even a really strong clue how to deal with this in a clean way, but too tight a coupling could lead to a serious problem, as I see it.

--john

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293
FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
VP, J-K International, Ltd.
Writer and Computer Consultant
-------------------------------------
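
An added example, not part of the original post: a small model of the coupling problem discussed above, comparing an IDS allow-list generated from the firewall's own configuration with one written independently from the intended policy. The rule format, the function names, the telnet mistake and the sample flows are all constructed assumptions.

```python
# Added illustration; rule format, names and flows are constructed, not from the thread.
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str
    dport: int

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# What the site intends to allow inbound (written by a human from the policy).
INTENDED = {Rule("tcp", 25), Rule("tcp", 80)}

# What was actually configured on the firewall: telnet slipped in by mistake.
FIREWALL_CONFIG = {Rule("tcp", 25), Rule("tcp", 80), Rule("tcp", 23)}

def ids_alerts(allowed, flows):
    """IDS inside the firewall: alert on any flow the allow-list does not cover."""
    return [f for f in flows if Rule(f.proto, f.dport) not in allowed]

def policy_drift(intended, configured):
    """Differences between the two policy sources; needs both to exist separately."""
    return {"extra_in_firewall": configured - intended,
            "missing_in_firewall": intended - configured}

# Constructed traffic seen on the inside segment (documentation address ranges).
OBSERVED = [
    Flow("192.0.2.10", "10.0.0.5", "tcp", 25),
    Flow("192.0.2.44", "10.0.0.7", "tcp", 23),   # passed by the misconfigured firewall
    Flow("198.51.100.3", "10.0.0.8", "tcp", 80),
]

# IDS allow-list generated from the firewall: it inherits the telnet error.
coupled = ids_alerts(FIREWALL_CONFIG, OBSERVED)
# IDS allow-list written separately from the intended policy.
independent = ids_alerts(INTENDED, OBSERVED)

if __name__ == "__main__":
    print("coupled IDS alerts:    ", coupled)
    print("independent IDS alerts:", independent)
    print("drift:", policy_drift(INTENDED, FIREWALL_CONFIG))
```

The coupled IDS stays silent on the telnet flow because it shares the firewall's mistake, while the independently specified one flags it and the drift check names the extra rule.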