IDS mailing list archives
Re: IDS thoughts
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Mon, 02 Jun 2003 19:00:08 -0700
Stefano Zanero writes:
Here you are talking about enforcement, not detection... as long as you can enforce a rule, there's no need to resort to detection. Detection is useful when you cannot state or enforce an a priori rule on something.
I disagree. Anytime you have an interface between zones of different risk, liability, threat, or whatever, there should be: -A policy which enunciates and addresses this difference -A mechanism for enforcing this policy -A mechanism for auditing the enforcement of this policy As I have (publically, and quite possibly on this list) opined before, to do otherwise is to rely on voodoo and wishful thinking. A full-bore formal policy document, firewall-type perimeter defence, and NIDS architecture is not, of course, necessary for all such interfaces. For some, voodoo and wishful thinking may well be sufficient. But just because you've got an enforcement mechanism in place in no way suggests that you don't need a policy monitoring system. Indeed, I think it's a (prevalent) GCE not to assume that (all else being equal) there should be -discrete- enforcement and monitoring mechanisms. My contention is: -The most important behaviour of any security device is its failure mode -Very few security devices can be relied upon to provide rigourous information surrounding their own failure modes[0] ...and therefore... -A discrete auditing mechanism should accompany any security device whose failure is likely to distress the analyst responsible for it Admittedly, this point of view is probably a reasonably challenging sell to The Mgmt. for most of us at the moment...but this has nothing to do with the validity of the underlying concept: If a policy is worth enforcing, it's worth monitoring. -spb ----- 0 Certainly not without a nontrivial amount of tweaking, and very seldom in a fashion which is suitable for incorporation into an incident response alert/triage process.
Attachment:
_bin
Description:
Current thread:
- Re: IDS thoughts Stefano Zanero (Jun 02)
- Re: IDS thoughts Stephen P. Berry (Jun 02)
- Re: IDS thoughts Raistlin (Jun 03)
- Re: IDS thoughts Stephen P. Berry (Jun 03)
- Re: IDS thoughts Raistlin (Jun 03)
- <Possible follow-ups>
- Re: IDS thoughts Jimi Thompson (Jun 02)
- Re: IDS thoughts Stephen P. Berry (Jun 02)