Firewall Wizards mailing list archives

Re: Intrusion Detection


From: Adam Shostack <adam () homeport org>
Date: Wed, 15 Apr 1998 09:21:15 -0400 (EDT)

Paul D. Robertson wrote:
| On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
| 
| >     There are really only 2 good reasons I can think of for ID systems:
| > 1) To develop a threat level model as to how often you are attacked
| > 2) To detect clueless people inside your organization who are attacking
| >     outside sites
| 
| 3) To detect clueless people inside your organization, or with access to 
|    your facilities who are attacking your own systems.
| 
| 4) To trend traffic to detect possible tunnels through allowed protocols 
|    like HTTP or SSL.

        5) To detect the fact that you've been hooked up to YA
extranet without any protection.

        Also, allow me to clarify my point from yesterday (the one
Marcus disagreed with 180 degrees).  In talking about attack
detection, I meant useful in the sense "the value you can extract from
what you buy," not useful in the sense that you get more time to not
be at work.

        The value you get from a Bro or one of its commercial
relatives is that you know you're under attack.  (Insert Aleph's
comments here.)  It detects attacks, not intrusions.  Intrusions are a
much broader category and decent ID software was reasonably well
described by Marcus last night.

Adam



-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.



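One way to turn point 4 above (trending traffic to spot tunnels through allowed protocols such as HTTP or SSL) into an actual check, as an added example that is not part of the thread or of any product mentioned in it. It works from per-connection flow summaries of the kind a firewall or flow collector exports, builds a per-client profile over the web ports, and flags clients whose upload-to-download ratio is far above the population baseline and who hold long-lived sessions. The flow records, the addresses, the port set and the thresholds are constructed for illustration and would need tuning against real traffic.

```python
"""Traffic-trending heuristic for tunnels hidden inside allowed protocols.

Added example, not code from the Firewall Wizards thread. The flow records
below are constructed; a real deployment would read them from a flow
collector or firewall connection log.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str          # client address inside the perimeter
    dst: str          # server address outside
    dport: int        # destination port
    duration_s: float  # connection lifetime in seconds
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


# Constructed sample. Ordinary browsing is short-lived and download-heavy;
# 10.0.0.7 holds hour-long sessions to one host and uploads far more than
# it receives, which is what an outbound tunnel over 443 tends to look like.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 12.0, 2_400, 91_000),
    Flow("10.0.0.5", "203.0.113.11", 80, 3.5, 900, 40_000),
    Flow("10.0.0.5", "203.0.113.12", 443, 25.0, 5_000, 230_000),
    Flow("10.0.0.6", "203.0.113.10", 443, 8.0, 1_800, 75_000),
    Flow("10.0.0.6", "203.0.113.13", 80, 2.0, 600, 18_000),
    Flow("10.0.0.7", "198.51.100.9", 443, 3600.0, 48_000_000, 3_900_000),
    Flow("10.0.0.7", "198.51.100.9", 443, 3590.0, 51_000_000, 4_100_000),
    Flow("10.0.0.7", "203.0.113.10", 443, 10.0, 2_000, 80_000),
]

# Ports the firewall policy allows outbound (assumed for this example).
WEB_PORTS = {80, 443}


@dataclass
class Profile:
    bytes_out: int = 0
    bytes_in: int = 0
    longest_s: float = 0.0
    sessions: int = 0

    @property
    def upload_ratio(self) -> float:
        # Bytes sent per byte received. Browsing sits well below 1.0.
        return self.bytes_out / self.bytes_in if self.bytes_in else float("inf")


def host_profiles(flows, ports=WEB_PORTS):
    """Aggregate per-client volume and session persistence over the web ports."""
    profiles = defaultdict(Profile)
    for f in flows:
        if f.dport not in ports:
            continue
        p = profiles[f.src]
        p.bytes_out += f.bytes_out
        p.bytes_in += f.bytes_in
        p.longest_s = max(p.longest_s, f.duration_s)
        p.sessions += 1
    return dict(profiles)


def flag_tunnel_candidates(flows, min_duration_s=600.0, ratio_multiplier=10.0):
    """Return clients whose upload ratio is an outlier AND who keep long sessions.

    The baseline is the median ratio across all clients, so the check adapts
    to the site's normal traffic mix; the floor of 1.0 stops a site where
    everyone downloads heavily from flagging a slightly chattier client.
    """
    profiles = host_profiles(flows)
    finite = [p.upload_ratio for p in profiles.values()
              if p.upload_ratio != float("inf")]
    baseline = median(finite) if finite else 0.0
    threshold = max(1.0, ratio_multiplier * baseline)
    return [host for host, p in sorted(profiles.items())
            if p.upload_ratio > threshold and p.longest_s >= min_duration_s]


if __name__ == "__main__":
    for host, p in sorted(host_profiles(SAMPLE_FLOWS).items()):
        print(f"{host}: ratio={p.upload_ratio:.3f} longest={p.longest_s:.0f}s "
              f"sessions={p.sessions}")
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_FLOWS))
```

Both indicators are needed together: a client that uploads a large file once will trip the ratio but not the persistence test, and a client that keeps one idle keep-alive open all day will trip persistence but not the ratio. An interactive tunnel tends to show both, and the per-site median keeps the ratio test from firing on a network whose normal mix already skews upward.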