Re: Intrusion Detection

["Marcus J. Ranum" <mjr () nfr net>]

I wrote:
> with your security policy. Out here where I live, maybe it'd
> not generate a lot of false positives if the alarm went off
> whenever someone touches a window or rattles a doorknob, let
> alone succeeds in opening a door.

I dunno how many of the folks on this list remember Fred Cohen's
"intrusion detection" system that he used to run on all.net. If
you tried to Telnet to his system, it would look up the registered
contact for your domain and E-mail them a nastygram that someone
had just tried to break in to his system from your workstation.

I'm starting to convince myself that I want to implement IDS
as policy-based traps (a la Raiders of the Lost Ark -- if someone
runs teardrop on me I want a big rock to fall on them) backed
with passive sensors (microwave/PIR packet suckers) to catch
anything that sneaks past. There are so many physical security
analogies for how to do this right -- it's all beginning to come
clear for me now.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr