IDS mailing list archives

Re: IDS thoughts

From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Mon, 02 Jun 2003 19:00:08 -0700


Stefano Zanero writes:

Here you are talking about enforcement, not detection... as long as you can
enforce a rule, there's no need to resort to detection. Detection is useful
when you cannot state or enforce an a priori rule on something.


I disagree.  Anytime you have an interface between zones of different risk,
liability, threat, or whatever, there should be:

        -A policy which enunciates and addresses this difference
        -A mechanism for enforcing this policy
        -A mechanism for auditing the enforcement of this policy

As I have (publically, and quite possibly on this list) opined before, to
do otherwise is to rely on voodoo and wishful thinking.

A full-bore formal policy document, firewall-type perimeter defence, and
NIDS architecture is not, of course, necessary for all such interfaces.  For
some, voodoo and wishful thinking may well be sufficient.  But just because
you've got an enforcement mechanism in place in no way suggests that you
don't need a policy monitoring system.

Indeed, I think it's a (prevalent) GCE not to assume that (all else being
equal) there should be -discrete- enforcement and monitoring mechanisms.  My
contention is:

        -The most important behaviour of any security device is its failure
         mode
        -Very few security devices can be relied upon to provide rigourous
         information surrounding their own failure modes[0]

...and therefore...

        -A discrete auditing mechanism should accompany any security device
         whose failure is likely to distress the analyst responsible for it

Admittedly, this point of view is probably a reasonably challenging sell
to The Mgmt. for most of us at the moment...but this has nothing to do
with the validity of the underlying concept:  If a policy is worth enforcing,
it's worth monitoring.





-spb

-----
0       Certainly not without a nontrivial amount of tweaking, and very seldom
        in a fashion which is suitable for incorporation into an incident
        response alert/triage process.

Attachment: _bin
Description:

Current thread:

Re: IDS thoughts Stefano Zanero (Jun 02)
- Re: IDS thoughts Stephen P. Berry (Jun 02)
  - Re: IDS thoughts Raistlin (Jun 03)
    - Re: IDS thoughts Stephen P. Berry (Jun 03)
- <Possible follow-ups>
- Re: IDS thoughts Jimi Thompson (Jun 02)