Firewall Wizards mailing list archives

Re: future of IDS


From: andrew.stewart () db com
Date: Tue, 20 Oct 1998 09:47:53 +0000





Steve,

I believe something that approximates what you're looking for is the CIDF
project:

http://olympus.cs.ucdavis.edu/cidf/

- Andrew J. Stewart, Security Engineer, Deutsche Bank, London.



                                                                  
 (Embedded                                                        
 image moved   steve @ aztech.net                                 
 to file:      10/17/98 05:43 AM                                  
 pic06134.pcx)                                                    
                                                                  



Please respond to steve () aztech net

To:   vern @ ee.lbl.gov
cc:   firewall-wizards @ nfr.net
Subject:  Re: future of IDS




My personal horse-to-beat has been a variant of Vern's option #3.
While passive monitoring is useful in and of itself, I think
that security-aware applications need to be able to communicate
directly with an IDS and convey information that is best available
to the application itself.

For example, wouldn't it be neat if there was a standardized,
IDS-aware, and reliable way for applications to indicate that
"Required authentication failed for resource X, reason Y".
"Reason Y" is information that won't necessarily be available
to a passive IDS, but can be used by an IDS in determining
what action to take in response: extra logging, shunning,
whatever.

IMHO, neither syslog nor SNMP "cut it" for this purpose.

The IDS would not have to be taught how to decipher each
new protocol, it would instead understand the standard "Hey,
IDS, here's an auth-failed message, take note!"

This also serves to distribute the CPU processing required
in order to handle a given connection.  Properly designed, a
"participatory" IDS alleviates a lot of the work that a passive
IDS has to do, and simplifies things tremendously.

It's Friday, It's late, I haven't fleshed these ideas out too well.
Hopefully someone else can/will pick it up and run with it.
(or a different someone will choose to pick holes in my
relatively random rant.)

Regards,

--
Steve

Vern Paxson wrote:

With the likelihood that more and more hubs are going to
disappear and be replaced by switches, where does that leave the humble
IDS that can no longer see all the traffic it needs to, to do its job?

The IDS folks have been aware of this pending problem for a while.
The basic approaches are (1) use an explicit tap on the switch, (2) build
the IDS into the switch (or get the switch to cooperate with the IDS),
(3) get the end hosts to chip in and function as IDS sensors.

                Vern
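A small sketch of the "participatory" IDS Steve describes, added here as an illustration and not code from anyone in the thread or from the CIDF project (CIDF has its own specification language, which is not used here). The JSON line format, the field names, the reason strings and the sample addresses are all my own assumptions; the point is that the IDS dispatches on a standard "auth-failed" message and on the application-supplied reason, instead of parsing each protocol itself.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdsEvent:
    """One structured report from a security-aware application (hypothetical format)."""
    kind: str      # message type, e.g. "auth-failed"
    source: str    # client address as the application saw it
    resource: str  # "resource X" in Steve's message
    reason: str    # "reason Y": only the application knows this


REQUIRED = ("kind", "source", "resource", "reason")


def parse_event(raw: str) -> Optional[IdsEvent]:
    """Parse one JSON line; return None if it is not a well-formed event."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or any(k not in data for k in REQUIRED):
        return None
    return IdsEvent(*(str(data[k]) for k in REQUIRED))


class ParticipatoryIDS:
    """Decides a response from the standard message plus the application's reason."""

    def __init__(self, shun_threshold: int = 3):
        self.shun_threshold = shun_threshold
        self.bad_password = defaultdict(int)  # per-source password-guess counter
        self.unknown_user = defaultdict(int)  # per-source user-enumeration counter
        self.shunned = set()

    def decide(self, ev: IdsEvent) -> str:
        if ev.kind != "auth-failed":
            return "ignored"  # a standard message this sketch does not act on
        if ev.source in self.shunned:
            return "already-shunned"
        if ev.reason == "bad-password":
            self.bad_password[ev.source] += 1
            if self.bad_password[ev.source] >= self.shun_threshold:
                self.shunned.add(ev.source)
                return "shun"
            return "log"
        if ev.reason == "unknown-user":
            self.unknown_user[ev.source] += 1
            return "log-extra" if self.unknown_user[ev.source] >= 2 else "log"
        if ev.reason == "expired-password":
            return "log"  # a real user with a stale credential: no response needed
        return "log-extra"  # unrecognised reason: keep everything, decide later


# Constructed sample input: what applications might send over a reliable channel.
SAMPLE_EVENTS = [
    '{"kind": "auth-failed", "source": "203.0.113.7", "resource": "/admin", "reason": "bad-password"}',
    '{"kind": "auth-failed", "source": "203.0.113.7", "resource": "/admin", "reason": "bad-password"}',
    '{"kind": "auth-failed", "source": "198.51.100.9", "resource": "/mail", "reason": "expired-password"}',
    '{"kind": "auth-failed", "source": "203.0.113.7", "resource": "/admin", "reason": "bad-password"}',
    '{"kind": "auth-failed", "source": "203.0.113.7", "resource": "/admin", "reason": "bad-password"}',
    '{"kind": "auth-failed", "source": "198.51.100.22", "resource": "/mail", "reason": "unknown-user"}',
    '{"kind": "auth-failed", "source": "198.51.100.22", "resource": "/mail", "reason": "unknown-user"}',
    '{"kind": "auth-failed", "source": "198.51.100.22"}',
    '{"kind": "session-opened", "source": "198.51.100.9", "resource": "/mail", "reason": "ok"}',
]


def run_sample(events=SAMPLE_EVENTS, threshold: int = 3) -> Tuple[List[str], List[str]]:
    """Feed the sample lines through the IDS; return the action per line and the shun list."""
    ids = ParticipatoryIDS(threshold)
    actions = []
    for raw in events:
        ev = parse_event(raw)
        actions.append("dropped" if ev is None else ids.decide(ev))
    return actions, sorted(ids.shunned)


if __name__ == "__main__":
    for raw, action in zip(SAMPLE_EVENTS, run_sample()[0]):
        print(f"{action:16} {raw}")
```

Because the reason travels with the message, the same "auth-failed" event leads to different outcomes: repeated bad passwords from one address cross a threshold and get shunned, an expired password is just logged, and repeated unknown users get extra logging. A passive sensor would see only the protocol exchange and would have to infer all of this per protocol.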



