Firewall Wizards mailing list archives
Re: Intrusion Detection
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 15 Apr 1998 17:31:02 -0400
Adam Shostack writes:
> 5) To detect the fact that you've been hooked up to YA extranet without any protection.
Or notification! :) I forgot that one. :) For lack of a better term, at NFR we've been calling this kind of thing "change notification." "Hello! A new ethernet address just appeared on subnet 16 that is emitting IP with hopcount greater than one!" Is that a security alert or a network management alert? I guess it depends on whether you expected the thing to appear when it did, or not! :)
> Also, allow me to clarify my point from yesterday (the one Marcus disagreed with 180 degrees). In talking about attack detection, I meant useful in the sense "the value you can extract from what you buy," not useful in the sense that you get more time to not be at work.
Aha -- that's the root of our confusion (I was surprised to find myself disagreeing with Adam) :) My take, as a pointy hair suit, is that time my network manager spends doing security is a loss against time they could have spent growing the network or directly building shareholder value. So I only want them to be messing with intrusion alarms and backtracks in the event that it's an attack that will cost me money if it's not addressed immediately. Attacks that I know my security system will likely block are nothing I care about because I don't want my staff spending time tracking down every scriptkid that tries my network.
> The value you get from a Bro or one of its commercial relatives is that you know you're under attack. (Insert Aleph's comments here.) It detects attacks, not intrusions.
If you could somehow extend that to say "it detects attacks that appear to be potentially successful" then you'd get my money. :) The skilled attacker, unfortunately, isn't going to run SATAN against my network as a courtesy to tickle my IDS before he zaps through my firewall with Cthulhu-5.0 and ghosts into my WAN. :( I don't see a way we can build a programmatic model for threat level escalation, when there's really not much correlatable cross-event information. This is not like a military environment, where the satellite recon can detect tanks moving weeks before the jump off. :( :( :(
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
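The "change notification" heuristic Marcus sketches above (a new Ethernet address on a subnet, emitting IP with a hop count greater than one) can be written down as a small detector. The Python below is an added example for this archive page; it is not NFR code and was not posted in the thread. It keeps an inventory of expected MACs per subnet, reports a never-before-seen MAC once as a new host, and raises a separate alert when such a MAC emits IP packets whose TTL shows they have already crossed more than one router, which is what an unannounced gateway to "YA extranet" looks like on the wire. The hop estimate assumes the sender started from one of the usual default TTLs (32, 64, 128 or 255). The subnet label, MAC and IP values and the packet records are constructed for the demo, and `ChangeNotifier`, `Packet`, `Alert` and `estimated_hops` are names chosen here.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hypothetical "change notification" detector (assumption: not NFR's code).
# A MAC never seen on a subnet is worth one note; a MAC that emits IP packets
# which have already crossed several routers is forwarding traffic, i.e. it is
# acting as a router, and an unannounced router is how an unprotected
# extranet link shows up on the segment.

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # defaults used by most IP stacks


def estimated_hops(ttl: int) -> int:
    """Estimate how many routers a packet has crossed from its remaining TTL.

    Assumes the sender started from one of the common initial TTLs; the
    smallest common default >= ttl is taken as the starting value.
    """
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return 0  # unreachable after the range check


@dataclass(frozen=True)
class Packet:
    subnet: str   # monitored segment the frame was captured on
    src_mac: str  # Ethernet source address
    src_ip: str   # IP source address
    ttl: int      # IP TTL as seen on the wire


@dataclass(frozen=True)
class Alert:
    kind: str     # "new-host" or "unexpected-router"
    subnet: str
    src_mac: str
    detail: str


@dataclass
class ChangeNotifier:
    """Tracks MACs per subnet; escalates when an uninventoried MAC forwards IP."""
    hop_threshold: int = 1  # "hopcount greater than one", as in the thread
    expected: Dict[str, Set[str]] = field(default_factory=dict)  # inventory
    learned: Dict[str, Set[str]] = field(default_factory=dict)   # seen by us
    flagged: Set[Tuple[str, str]] = field(default_factory=set)   # routers found
    alerts: List[Alert] = field(default_factory=list)

    def baseline(self, subnet: str, macs: Iterable[str]) -> None:
        """Seed the MACs that belong on a subnet; these never alert."""
        self.expected.setdefault(subnet, set()).update(macs)

    def observe(self, pkt: Packet) -> Optional[Alert]:
        if pkt.src_mac in self.expected.get(pkt.subnet, set()):
            return None  # inventoried device, nothing to say
        seen = self.learned.setdefault(pkt.subnet, set())
        alert = None
        if pkt.src_mac not in seen:
            seen.add(pkt.src_mac)  # learn it, so a new host is reported once
            alert = Alert("new-host", pkt.subnet, pkt.src_mac,
                          f"first seen emitting IP as {pkt.src_ip}")
        hops = estimated_hops(pkt.ttl)
        key = (pkt.subnet, pkt.src_mac)
        if hops > self.hop_threshold and key not in self.flagged:
            self.flagged.add(key)  # router finding supersedes the host note
            alert = Alert("unexpected-router", pkt.subnet, pkt.src_mac,
                          f"forwarding IP from {pkt.src_ip}, about {hops} hops away")
        if alert is not None:
            self.alerts.append(alert)
        return alert


# Constructed demo traffic on "subnet 16": one inventoried gateway, a new
# workstation, and a new box that starts forwarding packets from elsewhere.
SAMPLE_PACKETS = [
    Packet("16", "00:00:0c:aa:bb:01", "10.16.0.1", 255),       # inventoried
    Packet("16", "00:50:56:de:ad:01", "10.16.0.77", 128),      # new host, local
    Packet("16", "00:50:56:de:ad:01", "10.16.0.77", 128),      # same host, quiet
    Packet("16", "00:e0:1e:ff:ee:02", "10.16.0.9", 63),        # new host, 1 hop
    Packet("16", "00:e0:1e:ff:ee:02", "192.168.200.4", 61),    # 3 hops: router
    Packet("16", "00:e0:1e:ff:ee:02", "192.168.200.8", 60),    # already flagged
]


def run_demo() -> List[Alert]:
    """Feed the constructed packets through a notifier and return its alerts."""
    notifier = ChangeNotifier()
    notifier.baseline("16", {"00:00:0c:aa:bb:01"})
    for pkt in SAMPLE_PACKETS:
        notifier.observe(pkt)
    return notifier.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.kind}] subnet {a.subnet} mac {a.src_mac}: {a.detail}")
```

The threshold of one hop follows the quote literally; an operator who wants to hear about any uninventoried MAC that forwards at all can set `hop_threshold=0`. Whether the resulting alert is a security event or a network-management event is, as the message says, a question of whether that device was expected, which is why the inventory baseline does the real work here.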
Current thread:
- Intrusion Detection shantanu bhattacharya (Apr 14)
- Re: Intrusion Detection Marcus J. Ranum (Apr 14)
- Re: Intrusion Detection tqbf (Apr 14)
- Re: Intrusion Detection Adam Shostack (Apr 14)
- Re: Intrusion Detection Marcus J. Ranum (Apr 14)
- Re: Intrusion Detection Paul D. Robertson (Apr 14)
- Re: Intrusion Detection Adam Shostack (Apr 15)
- Re: Intrusion Detection Marcus J. Ranum (Apr 15)
- Re: Intrusion Detection Marcus J. Ranum (Apr 14)
- Re: Intrusion Detection Aleph One (Apr 14)
- Re: Intrusion Detection Marcus J. Ranum (Apr 14)
- Re: Intrusion Detection Aleph One (Apr 14)
- Re: Intrusion Detection Marcus J. Ranum (Apr 14)
- Re: Intrusion Detection Adam Shostack (Apr 15)
- Re: Intrusion Detection M. Dodge Mumford (Apr 14)
- Re: Intrusion Detection emaiwald (Apr 15)
- Re: Intrusion Detection Marcus J. Ranum (Apr 15)
- Re: Intrusion Detection Marcus J. Ranum (Apr 15)
- Re: Intrusion Detection Aleph One (Apr 15)
- Re: Intrusion Detection emaiwald (Apr 17)