Firewall Wizards mailing list archives
Re: future of IDS
From: andrew.stewart () db com
Date: Tue, 20 Oct 1998 09:47:53 +0000
Steve, I believe something that approximates what you're looking for is the CIDF project: http://olympus.cs.ucdavis.edu/cidf/

- Andrew J. Stewart, Security Engineer, Deutsche Bank, London.

steve @ aztech.net, 10/17/98 05:43 AM
Please respond to steve () aztech net
To: vern @ ee.lbl.gov
cc: firewall-wizards @ nfr.net
Subject: Re: future of IDS

My personal horse-to-beat has been a variant of Vern's option #3. While passive monitoring is useful in and of itself, I think that security-aware applications need to be able to communicate directly with an IDS and convey information that is best available to the application itself.

For example, wouldn't it be neat if there was a standardized, IDS-aware, and reliable way for applications to indicate that "Required authentication failed for resource X, reason Y"? "Reason Y" is information that won't necessarily be available to a passive IDS, but can be used by an IDS in determining what action to take in response: extra logging, shunning, whatever. IMHO, neither syslog nor SNMP "cut it" for this purpose.

The IDS would not have to be taught how to decipher each new protocol; it would instead understand the standard "Hey, IDS, here's an auth-failed message, take note!" This also serves to distribute the CPU processing required in order to handle a given connection. Properly designed, a "participatory" IDS alleviates a lot of the work that a passive IDS has to do, and simplifies things tremendously.

It's Friday, it's late, I haven't fleshed these ideas out too well. Hopefully someone else can/will pick it up and run with it. (Or a different someone will choose to pick holes in my relatively random rant.)

Regards,
-- Steve

Vern Paxson wrote:
> > With the likelihood that more and more hubs are going to disappear and be replaced by switches, where does that leave the humble IDS that can no longer see all the traffic it needs to, to do its job?
>
> The IDS folks have been aware of this pending problem for a while. The basic approaches are (1) use an explicit tap on the switch, (2) build the IDS into the switch (or get the switch to cooperate with the IDS), (3) get the end hosts to chip in and function as IDS sensors.
>
> Vern
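As an added example (not code from anyone in this thread), here is a sketch of the consuming side of Steve's "participatory IDS" idea: the application hands the IDS a structured "authentication failed for resource X, reason Y" event, and the IDS picks between extra logging and shunning from the reason plus a per-source failure count. The JSON encoding, reason strings, threshold, window and addresses are all constructed assumptions.

```python
import json
from collections import defaultdict, deque

# Per-reason baseline action. The reason is the piece of information a passive
# sniffer never sees, so it drives the response (reason strings are constructed).
BASELINE = {
    "bad-password": "log",
    "unknown-user": "log-extra",
    "account-locked": "log-extra",
}
SHUN_THRESHOLD = 3   # failures from one source within WINDOW before shunning
WINDOW = 60          # seconds


class ParticipatoryIds:
    """Consumer for application-supplied auth-failed events (hypothetical)."""

    def __init__(self, threshold=SHUN_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # source -> timestamps of recent failures

    def handle(self, raw):
        """Return the action chosen for one JSON-encoded event."""
        ev = json.loads(raw)
        if ev.get("type") != "auth-failed":
            return "ignore"            # only the standardized message is acted on
        src, ts = ev["source"], ev["ts"]
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return "shun"              # repeated failures: ask the firewall to block
        return BASELINE.get(ev["reason"], "log")


def run(events):
    ids = ParticipatoryIds()
    return [ids.handle(e) for e in events]


# Constructed sample feed: three failures from one source inside a minute,
# one unrelated failure from another source, and a non-auth message.
SAMPLE_EVENTS = [
    '{"type":"auth-failed","source":"198.51.100.7","resource":"/admin","reason":"bad-password","ts":100}',
    '{"type":"auth-failed","source":"203.0.113.9","resource":"/wiki","reason":"unknown-user","ts":110}',
    '{"type":"auth-failed","source":"198.51.100.7","resource":"/admin","reason":"bad-password","ts":130}',
    '{"type":"auth-failed","source":"198.51.100.7","resource":"/admin","reason":"account-locked","ts":150}',
    '{"type":"session-start","source":"198.51.100.7","ts":200}',
]

if __name__ == "__main__":
    for ev, action in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(action, ev)
```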