Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Aaron Bawcom <aaron () bawcom net>
Date: Sun, 15 Feb 1998 01:26:29 -0800

Marcus J. Ranum wrote:

> One other big win that Darren Reed identified at Usenix
> was that a proxy IDS can't drop packets. You can't
> overload it and sneak packets past that way. If the IDS
> can't read the packet, it doesn't get proxied.
>
> Now *THAT* sounds like the mythical Next Breakthrough in
> firewalls.
  When considering possible solutions to questions derived
from the Secure Networks report, the ability to 'not miss'
information that would otherwise be available such as
packets traversing the network seems to be a pre-requisite.
Indeed, it seems that the NGF will as well operate at the
choke point of a network but will differ from current
firewalls in that it will simply 'look at more'. The
industry will exist in the space of 'how much' and 'in
what way'.
  However, the granularity afforded to such a solution
is still not within the bounds necessary to offer
the accuracy suggested by the Secure Networks report.
  It seems that a security solution that has such facilities
will break a mantra used by the security community for quite
some time. The idea that security is an added feature, an
extra bullet on the box, an extra process in memory, another
machine on the network. Even the most lax form of security
in the analog world is so innate to the way we live and work
that we underestimate its practicality. The fact is, we take for
granted our built-in tools of sight and sound to let us know
that the door to Johnny's room is cracked when it usually
isn't. Only when the concept of 'policy' or 'trust' can be
divided to the level of a basic building block of the
functioning system will we be able to maximize information
sharing.
  This idea was aptly portrayed by Chevy Chase in the movie
classic "Caddy Shack" when he said,
"Don't hit the ball. Be......be.....the ball"

aaron () bawcom net
No affiliation with Bawcom Communications
