Firewall Wizards mailing list archives

RE: IDS data collection _outside_ of a firewall


From: "Burden, James" <JBurden () caiso com>
Date: Tue, 26 Jan 1999 20:21:36 -0800



1) The word "Quality" seems to be gathering dust.  Metrics may help prove
that your security architecture/policy/products are worth the investment.

Number of attacks
  -------------     = Security justification
Number of breaches

2) Other information may be derived from an IDS on the outside, such as: is
the site/company being tested by "script kiddies" or a higher life form...

3) The world is growing smaller and smaller by the day.  Many organizations
operate alone in cyberspace.  They may communicate with another entity, but
do not share security resources as a single unit.  What seems to be the
advantage of the military and government over the commercial world is a
command tiered infrastructure.  This allows the sharing of resources, the
necessary communication protocols, and the trust that is required between
entities (within limits of course).

However, if a group of corporations banded together to form a "Neighborhood
Watch (NW)" program for the outside of the firewalls then this could be
mutually beneficial to all parties involved (Utopia, burn me at the stake
;-).  Then groups of NW sharing info with other NW, or Law Enforcement,
CERT, CIAC...

It may be true that the IDS of today is not ready to share this type of
information, but who knows of the future.

4) A complete repository of all the attacks tried against the outside of the
firewall may provide insights into how the attacker found the hole.  An IDS
on the inside of a firewall will only show the successful attack.  

5) If the firewall is compromised, then you may not have enough forensics to
solve this mystery.  Of course there are caveats such as IDS on the
firewall, or the firewall creating a second log (to CD-ROM), or psychics...

Just some thoughts,
Jim  

James L. Burden, Security Engineer and Architect
California Independent System Operator
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
____________________________________________
  To Teach is to Learn   - Aaron Nimzovich  
____________________________________________               
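Items 1 and 4 above in working form, as an added example that is not part of this thread or of any IDS product: it pairs alerts from a sensor outside the firewall (every attempt) with alerts from a sensor inside it (only what got through), so each breach carries the trail of outside attempts that preceded it, and the attacks/breaches ratio falls out of the same data. All alert records, IP addresses, signature names and the 15-minute window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, source IP, signature). Not real data.
OUTSIDE_ALERTS = [
    ("1999-01-26T20:01:00", "10.0.0.5", "portscan"),
    ("1999-01-26T20:02:30", "10.0.0.5", "ftp-probe"),
    ("1999-01-26T20:03:10", "10.0.0.5", "http-cgi-probe"),
    ("1999-01-26T20:10:00", "10.0.0.9", "portscan"),
    ("1999-01-26T21:00:00", "10.0.0.7", "smtp-probe"),
]
INSIDE_ALERTS = [
    ("1999-01-26T20:03:12", "10.0.0.5", "http-cgi-probe"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(outside, inside, window=timedelta(minutes=15)):
    """Per source: attempts seen outside, breaches seen inside, and for each
    breach the outside alerts from that source in the preceding window
    (oldest first). That trail is the 'how did they find the hole' record
    the inside sensor alone can never show."""
    result = defaultdict(lambda: {"attempts": 0, "breaches": 0, "trail": []})
    for _, src, _ in outside:
        result[src]["attempts"] += 1
    for ts, src, _ in inside:
        t = _ts(ts)
        result[src]["breaches"] += 1
        trail = [(o_ts, o_sig) for o_ts, o_src, o_sig in outside
                 if o_src == src and t - window <= _ts(o_ts) <= t]
        result[src]["trail"].extend(sorted(trail))  # ISO strings sort by time
    return dict(result)


def justification_ratio(summary):
    """Attacks (outside) divided by breaches (inside), the metric from item 1.
    With zero breaches the ratio is undefined, so return None rather than a
    misleading number."""
    attacks = sum(v["attempts"] for v in summary.values())
    breaches = sum(v["breaches"] for v in summary.values())
    return attacks / breaches if breaches else None


if __name__ == "__main__":
    summary = correlate(OUTSIDE_ALERTS, INSIDE_ALERTS)
    for src, v in summary.items():
        print(src, v["attempts"], "attempts,", v["breaches"], "breach(es)")
        for ts, sig in v["trail"]:
            print("   preceded by", ts, sig)
    print("attacks/breaches =", justification_ratio(summary))
```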



-----Original Message-----
From: roger nebel [mailto:roger () homecom com]
Sent: Thursday, January 21, 1999 8:06 PM
To: Dominique Brezinski
Cc: John Kozubik; firewall-wizards () nfr net
Subject: Re: IDS data collection _outside_ of a firewall


from my experience with dod and other us agencies, and the largest
commercial entities (think fortune 10), it's clear to me that dominique
is dead on correct.

who cares how many people stopped at the red light?  they stopped, end
of story, see ya.  it's the jerks who ran it that you are interested in
... as one very large retail customer once told me "what could I
possibly care about that which does not help or hinder us selling
socks?"

--roger

Dominique Brezinski wrote:

At 10:33 PM 1/19/99 -0800, John Kozubik wrote:
Also, the comment on having ID sensors outside the firewall is also
equally flawed.

I must respectfully disagree.

Please refer to:

http://www.nswc.navy.mil/ISSEC/CID/

Notice the source of this information - DoD.  As I mentioned in my post,
the only organizations that have the resources necessary to implement a
cyber threat detection (notice I did not use the term "intrusion
detection," ... are DoD ...

[snip]