Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Aleph One <aleph1 () dfw dfw net>
Date: Mon, 16 Feb 1998 22:03:10 -0600 (CST)
On Mon, 16 Feb 1998, Paul M. Cardon wrote:
> At first glance I like the idea. On practical matters I can quickly think of the following issues to be addressed:
>
> * Performance impact (even with distributed coordination). Switches tend to be lean and mean to achieve performance goals. How much useful ID functionality could be built into the switch itself without turning it into a dog? Hanging the IDS off a promiscuous port on the switch still has most of the same problems as a passive IDS on a broadcast network.

[ Same issues brought up by Darren's message. I'll reply to both here. ] I will point to Moore's Law and to the "If you build it, they will come" philosophy. It may be true that such a system may overload much of today's hardware, but this will probably not be the case two, three or five years into the future. By the time you do all your research and development and are ready to start rolling out a product, you will probably have the hardware required. The other argument is that there is hardware right now that can handle the load; it just happens to be very expensive. No one said this would be a cheap product. It may be that only organizations with a need for the highest security will be able to afford such a device.

> * Coordination algorithms, especially for a large number of devices. This would be a clear place to look for implementation flaws that could be exploited. My favorite would be to find a way to convince all of the devices in the path that somebody else was doing the work. Just like all the solutions being discussed here, this would be a complex system with lots of potential for bugs.

The problem is no more difficult than designing a routing protocol. Obviously any complex system will have a higher risk of introducing vulnerabilities. This is true of everything, be it today's firewalls or tomorrow's IDSs.

> * Yet another point of incompatibility between network vendors' products ;)

IETF.

> If we keep throwing out ideas like these maybe Marcus will finally find one he can get rich on. :*0

Only if he sends me those stickers that he promised. ;)

> ---
> Paul M. Cardon
> First Chicago NBD Corporation
Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01