Firewall Wizards mailing list archives

Re: Intrusion Detection


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 15 Apr 1998 17:31:02 -0400

Adam Shostack writes:
      5) To detect the fact that you've been hooked up to YA
extranet without any protection.

        Or notification! :) I forgot that one. :) For lack of a
better term, at NFR we've been calling this kind of thing
"change notification."

        "Hello! A new ethernet address just appeared on subnet 16 that
is emitting IP with hopcount greater than one!"

        Is that a security alert or a network management alert?
I guess it depends on whether you expected the thing to appear
when it did, or not! :)

      Also, allow me to clarify my point from yesterday (the one
Marcus disagreed with 180 degrees).  In talking about attack
detection, I meant useful in the sense "the value you can extract from
what you buy," not useful in the sense that you get more time to not
be at work.

        Aha -- that's the root of our confusion (I was surprised
to find myself disagreeing with Adam) :)  My take, as a pointy
hair suit, is that time my network manager spends doing security
is a loss against time they could have spent growing the network
or directly building shareholder value. So I only want them to
be messing with intrusion alarms and backtracks in the event
that it's an attack that will cost me money if it's not addressed
immediately. Attacks that I know my security system will likely
block are nothing I care about because I don't want my staff
spending time tracking down every scriptkid that tries my
network.

      The value you get from a Bro or one of its commercial
relatives is that you know you're under attack.  (Insert Aleph's
comments here.)  It detects attacks, not intrusions.

If you could somehow extend that to say "it detects attacks
that appear to be potentially successful" then you'd get my
money. :) The skilled attacker, unfortunately, isn't going to
run SATAN against my network as a courtesy to tickle my IDS
before he zaps through my firewall with Cthulhu-5.0 and ghosts
into my WAN. :(  I don't see a way we can build a programmatic
model for threat level escalation, when there's really not much
correlatable cross-event information. This is not like a military
environment, where the satellite recon can detect tanks moving
weeks before the jump off. :(  :(  :(

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
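The "change notification" alert described above (a new ethernet address on a subnet emitting IP whose TTL shows it was already routed) as a small detector in Python. This is an added example, not NFR code or anything from the thread; the MAC and IP addresses, the subnet number and the set of common initial TTLs are assumptions constructed for the replay.

```python
from dataclasses import dataclass

# Initial TTLs common IP stacks put on packets they originate. Any other TTL on
# the local wire means a router already decremented it, so the sender is at least
# one hop away. Heuristic: a host with an odd initial TTL will look like a forwarder.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

@dataclass(frozen=True)
class Frame:
    subnet: int    # subnet the frame was captured on
    src_mac: str   # ethernet source address
    src_ip: str
    ttl: int       # IP TTL as seen on the wire

def hop_count(ttl: int) -> int:
    """Hops travelled, measured from the nearest common initial TTL >= ttl."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= ttl) - ttl

class ChangeNotifier:
    """One alert when an address first appears on a subnet, one more the first
    time that address is seen emitting IP that has already been routed."""

    def __init__(self, known_hosts, known_routers=()):
        self.seen = set(known_hosts) | set(known_routers)   # (subnet, mac) pairs
        self.forwarders = set(known_routers)                # routers expected to forward

    def observe(self, f: Frame) -> list[str]:
        key = (f.subnet, f.src_mac)
        alerts = []
        if key not in self.seen:
            self.seen.add(key)
            alerts.append(f"new ethernet address {f.src_mac} appeared on subnet {f.subnet} (src {f.src_ip})")
        hops = hop_count(f.ttl)
        if hops > 0 and key not in self.forwarders:
            self.forwarders.add(key)
            alerts.append(f"{f.src_mac} on subnet {f.subnet} is emitting IP with hopcount {hops} (src {f.src_ip}, ttl {f.ttl}): unexpected router or extranet link?")
        return alerts

def run_sample() -> list[str]:
    """Replay a constructed capture from subnet 16 (all addresses hypothetical)."""
    n = ChangeNotifier(known_hosts=[(16, "00:50:56:aa:bb:01")], known_routers=[(16, "00:00:0c:07:ac:10")])
    capture = [
        Frame(16, "00:50:56:aa:bb:01", "10.16.0.5", 64),     # known host, locally originated
        Frame(16, "00:00:0c:07:ac:10", "192.0.2.9", 250),    # known router forwarding, expected
        Frame(16, "00:a0:c9:12:34:56", "10.16.0.77", 128),   # new box, locally originated
        Frame(16, "00:a0:c9:12:34:56", "198.51.100.3", 61),  # same box, routed traffic: 3 hops
        Frame(16, "00:a0:c9:12:34:56", "198.51.100.4", 60),  # already reported, silent
    ]
    return [a for f in capture for a in n.observe(f)]
```

Whether the second alert is a security event or a network-management event is, as the message says, a question of whether the operator expected the new router; the detector only reports the change.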
