Firewall Wizards mailing list archives
Re: Intrusion Detection Systems, Best of breed?
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 26 Dec 2001 09:29:55 -0500
Lance Spitzner wrote:

> Since we are talking about defence in depth, how about the use of honeypot technologies to add to detection? Honeypots have the advantage of reducing false positives while capturing false negatives.
The bit about reducing false positives is critical. The way I like to think of it, what you're doing is "being the window" :) In conventional burglar alarms you usually detect intrusions behind the perimeter - in terms of my previous posting, they're "intrusion detection" technologies - you try to detect the Bad Guys after they have done Bad Things. This reduces (often dramatically) the chance you'll get a false positive because by the time you even start trying to do the detect, it's pretty clear according to your policy that something has gone wrong. In the "attack detection" analog, you'd have to try to watch the possible Bad Guy and assess whether or not his actions were hostile until you had clear evidence of hostility. This increases the chances of both false negatives and false positives.

So imagine you're building an IDS for a real-world window. In the attack detection paradigm, you put your cameras and sensors on the outside of the building, watching the window from the outside. Any time someone walks up to the window the system goes on alert and starts doing whatever it can to categorize what it sees - is he getting too close? Does he have a crowbar? Is he dressed like a window-washer? Etc. It's a lot of work and the system can be fooled by changes in patterns. On the other hand, it's the only technique that has a chance of detecting an attack _before_ it's completed.

In the intrusion detection paradigm you're sitting on the other side of the window with a shotgun, and when someone comes through you know right away that they have no business being there and can get the drop on them. Good news is that it's pretty easy. Bad news is that you've got a Bad Guy in your house to deal with.

With a honey pot, you put up a fake window. The fake window has lots of sensors on it, some on the latch, some on the glass, etc. When someone breaks the glass it beeps "someone just broke my glass! obvious hostile intent!" When someone touches the latch it beeps "someone touched my latch. may be a probe." When someone tries to turn the latch it beeps "someone tried to turn the latch. obvious hostile intent!" - You've got a great chance to not only detect but diagnose because you don't have to provide a working production-quality service.

mjr.

---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
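The "fake window" idea above, as an added example for this archive page (it is not code from the post, from Marcus Ranum or from NFR): a tiny honeypot session handler in which a bare connection is "touching the latch", a credential submission is "turning the latch" and a command after that is "breaking the glass". The event names, scores and sample sessions are assumptions constructed for the illustration; since nothing legitimate should ever talk to the fake service, every contact is logged and the session is reported at the worst level it reached.

```python
"""Minimal 'fake window' honeypot sensor: classify interaction depth, not intent."""
import json
import time

# Severity per interaction kind (assumed labels, not a standard). Because the
# service has no production users, even 'connect' is a finding, just a low one.
SEVERITY = {
    "connect":       ("probe",   1),   # someone touched the latch
    "login_attempt": ("hostile", 4),   # someone tried to turn the latch
    "command":       ("hostile", 5),   # someone is through the window
}


def classify_line(line: str) -> str:
    """Map one line the client sent to the fake service onto an interaction kind."""
    text = line.strip().lower()
    if text.startswith(("user ", "pass ", "login ")):
        return "login_attempt"
    return "command"


def handle_session(src_ip: str, received_lines: list[str], now=None) -> list[dict]:
    """Return one alert record per event in a session, starting with the connect.

    Each record keeps the raw line so an analyst can diagnose what was tried,
    which is the 'not only detect but diagnose' advantage of the fake window.
    """
    now = now or time.time()
    events = [("connect", "")] + [(classify_line(l), l.strip()) for l in received_lines]
    alerts = []
    for kind, detail in events:
        label, score = SEVERITY[kind]
        alerts.append({"ts": now, "src": src_ip, "event": kind,
                       "label": label, "score": score, "detail": detail})
    return alerts


def session_verdict(alerts: list[dict]) -> tuple[str, int]:
    """Worst label/score seen in the session; severity never goes down."""
    worst = max(alerts, key=lambda a: a["score"])
    return worst["label"], worst["score"]


if __name__ == "__main__":
    # Constructed sample sessions (documentation addresses); no real traffic involved.
    scan_only = handle_session("192.0.2.10", [])                          # latch touched
    brute     = handle_session("192.0.2.11", ["USER root", "PASS toor"])  # latch turned
    intruder  = handle_session("192.0.2.12", ["USER admin", "PASS admin", "ls"])
    for s in (scan_only, brute, intruder):
        print(session_verdict(s), json.dumps(s[-1]))
```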