Firewall Wizards mailing list archives

Re: Intrusion Detection


From: emaiwald () bigdog fred net
Date: Thu, 16 Apr 98 14:41:19 EDT

Marcus wrote:
<snip>
      I believe that the best way to do that is to be able to
clearly define what should and should not happen, as a
precondition to installing the IDS. An IDS that isn't "tuned"
right is going to be a nuisance or a doorstop. My previous mail
was not intended to be a slap at misuse detection "network grep"
IDS'! After all, I build a product that can do that kind of thing
very well. I just want to see people get the best results possible
out of them. And the best way to do that is to be very cognizant
of the environment into which they are installed, and its operating
principles ("policy").

I think I finally figured out why this discussion did not make
sense to me.  The above paragraph I take as a given.  If anyone
thinks that they can take an IDS, firewall, or any other piece of
security software/hardware/whatever and slap it into their
environment and expect to get useful information from it, they
are deluding themselves.

I know that there are companies out there that buy firewalls, install
them and then call the vendor to complain about the attacks coming
through, but I thought that the security industry (us) had come to
realize that there is more to it.  There is a process that must
be followed when we do security:

        assess<---
        policy   |
        implement|
        train    |
        audit ----

We need to assess the RISK to the business, develop a policy that
makes sense (i.e. it lets us get the job done), implement the
policy through configurations, new SW/HW, processes, etc., train
the users and the technical staff, then audit to make sure we
are doing what we said we must do.

Someone else mentioned that policy cannot be absolutely rigid; this
is absolutely true.  Whenever I help clients create a policy, I
advise them to include a waiver process in the policy.  I do
this for two reasons:  1 - when business needs conflict with security,
security always loses, and 2 - this forces the company to examine
the risks involved in noncompliance.

My point in all of this is that there is no silver bullet in
security.  We cannot buy anything that guarantees protection.  We
have to do this from a risk reduction standpoint.  IDS, in whatever
form, is part of it.

Sorry for being long winded.

Eric
  

-- 
---------------------------------------------------------------------
Eric Maiwald, CISSP                                 emaiwald () fred net
Director Security Services                               301-977-6966
Fortrex Technologies, Inc.                          North Potomac, MD
---------------------------------------------------------------------