Firewall Wizards mailing list archives

Re: Intrusion Detection Systems, Best of breed?


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Wed, 26 Dec 2001 09:29:55 -0500

Lance Spitzner wrote:
Since we are talking about defence in depth,
how about the use of honeypot technologies to add to detection?  Honeypots
have the advantage of reducing false positives while capturing false
negatives.

The bit about reducing false positives is critical. The way I like to think
of it, what you're doing is "being the window"  :)

In conventional burglar alarms you usually detect intrusions behind the
perimeter - in terms of my previous posting, they're "intrusion detection"
technologies - you try to detect the Bad Guys after they have done
Bad Things. This reduces (often dramatically) the chance you'll get a
false positive because by the time you even start trying to do the detect,
it's pretty clear according to your policy that something has gone wrong.
In the "attack detection" analog, you'd have to try to watch the possible
Bad Guy and assess whether or not his actions were hostile until you
had clear evidence of hostility. This increases the chances of both false
negatives and false positives.

So imagine you're building an IDS for a real-world window. In the
attack detection paradigm, you put your cameras and sensors on
the outside of the building, watching the window from the outside. Any
time someone walks up to the window the system goes on alert
and starts doing whatever it can to categorize what it sees - is he
getting too close? Does he have a crowbar? Is he dressed like a
window-washer? Etc. It's a lot of work and the system can be fooled
by changes in patterns. On the other hand, it's the only technique
that has a chance of detecting an attack _before_ it's completed.

In the intrusion detection paradigm you're sitting on the other side
of the window with a shotgun, and when someone comes through
you know right away that they have no business being there and
can get the drop on them. Good news is that it's pretty easy. Bad
news is that you've got a Bad Guy in your house to deal with.

With a honeypot, you put up a fake window. The fake window has
lots of sensors on it, some on the latch, some on the glass, etc.
When someone breaks the glass it beeps "someone just broke
my glass! obvious hostile intent!" When someone touches the
latch it beeps "someone touched my latch. may be a probe."
When someone tries to turn the latch it beeps "someone tried
to turn the latch. obvious hostile intent!" - You've got a great chance
to not only detect but diagnose because you don't have to provide
a working production-quality service.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
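The "fake window" idea above maps directly onto how a low-interaction decoy service classifies what it sees. The following is an added example, not code from the original post or from NFR; it is a toy event classifier for a telnet-style decoy listener. The action names, severity labels, regular expression and sample sessions are all constructed for illustration. The point it makes is the one in the post: because no legitimate traffic ever reaches a decoy, every interaction is reportable, and the severity can be read straight off how far the visitor got (touched the latch, tried to turn it, came through the glass) without the guesswork a production-side detector needs.

```python
"""Toy decoy-service ("fake window") event classifier.

Added example, not part of the original post. Models a decoy service on
which every interaction trips a sensor; severity is assigned by what the
visitor did, not by guessing whether the visitor is legitimate. Event
field names, action names and patterns are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Severity labels borrowed from the window analogy in the post.
PROBE = "may be a probe"
HOSTILE = "obvious hostile intent"


@dataclass(frozen=True)
class DecoyEvent:
    src: str          # remote address (constructed sample values below)
    action: str       # connect | banner_read | auth_attempt | command
    detail: str = ""  # the raw line that tripped the sensor, if any


# Each sensor on the fake window gets a fixed severity: touching the latch
# (connecting, reading the banner) is a probe; turning the latch (sending
# credentials) or coming through (sending commands) is hostile.
ACTION_SEVERITY = {
    "connect": PROBE,
    "banner_read": PROBE,
    "auth_attempt": HOSTILE,
    "command": HOSTILE,
}

# Constructed pattern: lines that look like a credential prompt response.
AUTH_RE = re.compile(r"^(USER|PASS|login|password)\b", re.IGNORECASE)


def parse_session(src, lines):
    """Turn one raw session (the lines a visitor sent) into sensor events.

    Connecting at all is the first sensor; every later line trips another.
    There is no 'this might be a real user' branch because a decoy has none.
    """
    events = [DecoyEvent(src, "connect")]
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            events.append(DecoyEvent(src, "banner_read"))
        elif AUTH_RE.match(line):
            events.append(DecoyEvent(src, "auth_attempt", line))
        else:
            events.append(DecoyEvent(src, "command", line))
    return events


def classify(event):
    """Return (severity, alert text) for a single decoy interaction.

    Unknown actions are still reported as hostile: anything a decoy sees
    that it does not recognise is, by construction, not production traffic.
    """
    severity = ACTION_SEVERITY.get(event.action, HOSTILE)
    text = f"{event.src}: {event.action} {event.detail}".rstrip()
    return severity, f"{text} -> {severity}"


def summarize(events):
    """Per-source verdict: worst severity seen plus the action sequence.

    The sequence is the cheap 'diagnosis' the post describes: the decoy
    records exactly which sensors were touched and in what order.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        severities = [classify(e)[0] for e in evs]
        verdicts[src] = {
            "severity": HOSTILE if HOSTILE in severities else PROBE,
            "actions": [e.action for e in evs],
        }
    return verdicts


# Constructed sample sessions against the decoy (addresses from TEST-NET-1).
SAMPLE_SESSIONS = {
    "192.0.2.10": ["\n"],                                        # connected, read the banner, left
    "192.0.2.77": ["USER root\n", "PASS toor\n", "uname -a\n"],   # tried the latch, then came through
}


def run_sample():
    """Parse and summarise the constructed sessions; returns the verdict dict."""
    events = []
    for src, lines in SAMPLE_SESSIONS.items():
        events.extend(parse_session(src, lines))
    return summarize(events)


if __name__ == "__main__":
    for src, verdict in run_sample().items():
        print(src, verdict)
```

The design choice worth noticing is what is absent: there is no scoring, baselining or "does this look like a window-washer" logic. A production-side detector watching the same `USER root` line would have to decide whether that is an administrator or an attacker; on the decoy the question never arises, which is exactly why the false-positive rate collapses. The trade-off from the post still holds: the decoy only reports visitors who touch it, so it tells you nothing about an attack on the real window next door.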