IDS mailing list archives

Re: self authentication for sensors in ids ?


From: Michal Melewski <mike () pn66 poznan sdi tpnet pl>
Date: Wed, 28 Jan 2004 15:46:45 +0100

On Mon, Jan 12, 2004 at 11:28:13PM +0530, Gaurav_Jindal wrote:
> Hi,
Hello

[...]
> (5) Also please suggest any future directions.
When I was developing my own distributed HBIDS I had a very similar problem -
"How to make sure that remote sensor is still in my own hands."
Here is what I invented.
1. At the beginning the sensor works in passive mode (passive means that it can
only send some kind of heartbeat message) and all communication is
unencrypted.
2. If the IDS administrator is sure that the sensor hasn't been compromised, he
gives the sensor a password for his gpg key and activates it.
3. When the sensor is active it can send alarms, and each packet should be signed
and encrypted, and of course supplied with an md5 sum (or better sha1) of
the currently running code.
4. The packet is verified and accepted by the server.

If an attacker managed to replace a sensor, the gpg signature wouldn't be valid
and then we know that something happened.

I had no time to check this idea in practice (lack of time), but within a
month (after the exams) I will try to do something like this.

> Thanking you,
> With Regards,
> Gaurav Jindal

-- 
Michael "carstein" Melewski      |  "Kepler was a humanist, so was Liebnitz.
carstein () poznan linux org pl          |   A person who defines humanism as
mobile: 502 545 913              |   the inability to integrate
gpg: carstein.c.pl/carstein.txt  |   is not a humanist."
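
A minimal sketch of the four steps in the message above, added here as an example; it is not code from the original post or from the author's HBIDS. It assumes HMAC-SHA256 with a shared key in place of the GPG signature, SHA-256 for the code digest, no encryption layer, and an added sequence counter for replay detection; all class and function names are hypothetical.

```python
import hashlib, hmac, json

def code_digest(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()

def sign(key: bytes, body: bytes) -> str:
    # Stand-in for the GPG signature: a keyed MAC over the packet body.
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class Sensor:
    def __init__(self, sensor_id: str, code: bytes):
        self.sensor_id, self.code = sensor_id, code
        self.key, self.seq = None, 0          # step 1: passive, holds no key

    def heartbeat(self) -> dict:
        return {"type": "heartbeat", "sensor": self.sensor_id}

    def activate(self, key: bytes) -> None:   # step 2: admin vouches for the host
        self.key = key

    def alarm(self, text: str) -> dict:       # step 3: signed packet + code digest
        if self.key is None:
            raise RuntimeError("passive sensor may only send heartbeats")
        self.seq += 1
        body = json.dumps({"sensor": self.sensor_id, "seq": self.seq, "text": text,
                           "code": code_digest(self.code)}, sort_keys=True).encode()
        return {"body": body, "sig": sign(self.key, body)}

class Server:
    def __init__(self):
        self.enrolled = {}                    # sensor id -> [key, digest, last seq]

    def enroll(self, sensor_id: str, key: bytes, digest: str) -> None:
        self.enrolled[sensor_id] = [key, digest, 0]

    def verify(self, packet: dict) -> str:    # step 4: returns "ok" or a reason
        try:
            msg = json.loads(packet["body"])
            entry = self.enrolled[msg["sensor"]]
        except (KeyError, TypeError, ValueError):
            return "unknown sensor or malformed packet"
        if not hmac.compare_digest(sign(entry[0], packet["body"]), str(packet.get("sig", ""))):
            return "bad signature"
        if msg.get("code") != entry[1]:
            return "code digest mismatch"
        if msg.get("seq", 0) <= entry[2]:
            return "replayed packet"
        entry[2] = msg["seq"]
        return "ok"
```

The digest is reported by the sensor itself, so the server-side comparison only catches a code swap made by someone who does not also control what the sensor reports under the activated key.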
