Firewall Wizards mailing list archives

RE: IDS data collection _outside_ of a firewall


From: Marc Delince <marc.delince () computer org>
Date: Thu, 28 Jan 1999 07:52:09 -0500

What is missing?

You want something simple, comparable to a video camera? Use a network sniffer connected to a disk farm + tapes. Now 
nobody will probably ever read the recorded data, if only because of the huge quantity of irrelevant data logged.

But if you have a legal investigation, you probably (I am not a lawyer) could use the traces as evidence (like the 
cameras).

Now if you also want to have someone look at the current "images" (events), like they do in security guards' rooms 
with the cameras, you could use an IDS to extract the "interesting" events out of the millions of packets flowing on 
your network connection.

Does this mean you need a sniffer and an IDS? Maybe... ask your lawyer/legal department/... For my part, I believe that 
a good IDS that will display the major events (there should only be very few) to the SOC (Security Operating Center) or 
whoever is responsible for security AND start logging the traffic when any interesting traffic is detected (could be a 
lot more events) corresponds to my idea of securing my site.

Who could implement this? Anyone. Provided you have the right tool. The tool that will give you a maximum of help to 
understand what is going on, what impact it may have on you. Also the tool that gives you flexibility in detecting 
events and logging traffic.

Just my $0.02.

Have a terrific day.

Marc Delince
marc.delince () computer org

-----Original Message-----
From:   Dominique Brezinski [SMTP:dom_brezinski () securecomputing com]
Sent:   Wednesday, January 27, 1999 11:04 PM
To:     Marc Delince; 'roger nebel'
Cc:     firewall-wizards () nfr net
Subject:        RE: IDS data collection _outside_ of a firewall

Because the data storage issues have not been refined for IDS like video
surveillance.  At some point we will get an IDS system that is as simple to
operate as the multi-camera video systems available today, but until then
the problem is a bit different.  Your analogy is good in theory--today's
technology is not quite there.

At 07:41 AM 1/27/99 -0500, Marc Delince wrote:
How do you justify installing cameras outside embassies, public buildings, 
... manufacturing plants, ... office buildings? Even if there is nobody to 
watch the cameras in real-time, the tapes can be used when necessary.

Isn't that the non-internet related analogy everyone should use?

Have a great day.

Marc Delince, CISSP
marc.delince () computer org


Dominique Brezinski CISSP                   (206) 898-8254
Secure Computing        http://www.securecomputing.com
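Marc's proposal above (a few major events go to the SOC; full traffic is logged only once something interesting is seen) as a worked example. This is an added illustration, not code from the thread or from any product mentioned in it: the packet records are constructed tuples, the single detection rule (many distinct destination ports from one source within a short window) and all thresholds are assumptions chosen for the demonstration. A small ring buffer of pre-event packets is flushed into the evidence store when logging is armed, so the record shows what led up to the event, in the spirit of the tape that is only pulled when the camera saw something.

```python
"""Event-triggered traffic logger: few alerts for the SOC, full logging only on demand.

Added example (not from the mailing-list thread). All packets, rules and
thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed packet summaries: (timestamp_s, src_ip, dst_ip, dst_port, proto)
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 80, "tcp"),
    (0.5, "10.0.0.6", "192.0.2.10", 443, "tcp"),
    (1.0, "10.0.0.5", "192.0.2.10", 80, "tcp"),
    (2.0, "198.51.100.7", "192.0.2.10", 21, "tcp"),
    (2.1, "198.51.100.7", "192.0.2.10", 22, "tcp"),
    (2.2, "198.51.100.7", "192.0.2.10", 23, "tcp"),
    (2.3, "198.51.100.7", "192.0.2.10", 25, "tcp"),
    (2.4, "198.51.100.7", "192.0.2.10", 110, "tcp"),
    (2.5, "198.51.100.7", "192.0.2.10", 143, "tcp"),  # 6th distinct port: event fires here
    (3.0, "10.0.0.6", "192.0.2.10", 443, "tcp"),       # inside the post-event window: logged
    (40.0, "10.0.0.5", "192.0.2.10", 80, "tcp"),       # window expired: back to ring buffer only
]

# Assumed tuning values (hypothetical, not from the thread).
SCAN_PORT_THRESHOLD = 6    # distinct dst ports from one source within SCAN_WINDOW
SCAN_WINDOW = 10.0         # seconds
PRE_EVENT_PACKETS = 8      # ring-buffer depth flushed when logging is armed
POST_EVENT_SECONDS = 30.0  # keep logging this long after the most recent event


class Sensor:
    """Combines a detector (few alerts) with an on-demand full-traffic recorder."""

    def __init__(self):
        self.ring = deque(maxlen=PRE_EVENT_PACKETS)  # recent context while idle
        self.alerts = []          # high-signal events destined for the SOC
        self.evidence = []        # full packets, written only while armed
        self.log_until = None     # timestamp until which logging stays armed
        self.port_hist = defaultdict(list)   # src_ip -> [(ts, dst_port), ...]
        self.alerted_sources = set()         # alert once per source, not per packet

    def _detect(self, pkt):
        """Return a reason string if this packet completes an interesting pattern."""
        ts, src, dst, port, _proto = pkt
        hist = self.port_hist[src]
        hist.append((ts, port))
        # Keep only hits inside the sliding window.
        self.port_hist[src] = [(t, p) for t, p in hist if ts - t <= SCAN_WINDOW]
        distinct = {p for _, p in self.port_hist[src]}
        if len(distinct) >= SCAN_PORT_THRESHOLD and src not in self.alerted_sources:
            self.alerted_sources.add(src)
            return f"many-port probe from {src} against {dst}: ports {sorted(distinct)}"
        return None

    def process(self, pkt):
        ts = pkt[0]
        armed = self.log_until is not None and ts <= self.log_until
        reason = self._detect(pkt)
        if reason:
            self.alerts.append((ts, reason))
            if not armed:
                # First event after idle: preserve the lead-up, then start recording.
                self.evidence.extend(self.ring)
                self.ring.clear()
                armed = True
            self.log_until = ts + POST_EVENT_SECONDS   # each event extends the window
        if armed:
            self.evidence.append(pkt)
        else:
            self.ring.append(pkt)


def run(packets):
    """Feed packets through a fresh Sensor and return it for inspection."""
    sensor = Sensor()
    for pkt in packets:
        sensor.process(pkt)
    return sensor


def summary(sensor):
    """Counts a SOC dashboard would show: alerts raised vs. packets preserved."""
    return {"alerts": len(sensor.alerts), "evidence_packets": len(sensor.evidence)}


if __name__ == "__main__":
    s = run(SAMPLE_PACKETS)
    for ts, reason in s.alerts:
        print(f"[SOC] t={ts}: {reason}")
    print(summary(s))
```

On the sample input one alert reaches the SOC while ten packets (eight of pre-event context, the triggering packet, and one more inside the window) land in the evidence store; the packet at t=40 arrives after the window has closed and goes back into the ring buffer. Tuning the window and thresholds is what trades storage against how much context an investigation later has.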
