Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: "Paul D. Robertson" <proberts () clark net>
Date: Mon, 16 Feb 1998 19:56:05 -0500 (EST)

On Mon, 16 Feb 1998, Paul M. Cardon wrote:

> > You do not need to be a proxy to have this information. Being a proxy
> > allows you to do network intrusion detection WITHOUT this information. The
> > problem you need to solve at this point is "how the hell do we get this
> > kind of information to the IDS in real time, in order to make my non-proxy
> > sniffer IDS work."

> One of the major reasons why passive-listening ID systems have been getting
> so much hype is that they are being advertised as a way to detect attacks
> that may originate inside the network perimeter protected by the conventional
> firewall.  In other words the claim is that they provide threat detection
> originating from any device on the network targeting any other device on the
> network.  However, until these systems can obtain all of the secondary
> information Thomas mentions above then they are severely limited in their
> advertised capabilities.

Hmmm, I've not thought all of this completely through yet, but how much
of the original "doesn't work for IDS" stuff is valid if the IDS is on a
chokepoint switch with a promiscuous port, and every other device on the
switch (just routers I'd guess) is on a port where only packets from their MAC
address can come out?  What are we left with as an IDS vulnerability in
that scenario if we assume the routers can, and if we assume the routers
can't be compromised?

Digging for solutions...

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
