Vulnerability Development mailing list archives
Re: Thinking about Security rules...
From: Peter Kristolaitis <jester () nt net>
Date: Thu, 09 May 2002 01:05:23 -0400
> At my current contract we are trying to come up with a set of rules that is "all inclusive" (as much as possible). Granted a Security Policy is part of it, so are firewall rules, so might be the rules for the IDS.
One important thing to add to this list is an incident response plan. All the policies and rules in the world won't do you any good if you don't have a set course of action for dealing with security breaches (or other disasters). For example, do you quarantine the affected system(s) for investigation, or do you just rebuild from the last clean backup?
> When I asked for further clarification on this topic, I was told, "you know something like "fuzzy-logic" that states IF "A" then "Z" (for example a hacker is hacking away at the firewall), BUT if the hacker breaks through the firewall, then We need to jump to IDS rules, so now it's IF B then Y, and if the hacker gets into the corporate piggy bank and steals money, then it's IF C then X...
Hmm... My first impression here is that the person who said this has no idea what "fuzzy logic" actually is. The example you've given is 'cascading' boolean logic, not fuzzy logic. Might want to clarify whether they want fuzzy logic detection algorithms, or simple boolean decisions here.

My second thought is why separate all the functions? Basically, why wait until an attacker has penetrated the firewall before activating IDS? I would personally run them concurrently, for an added chance of attack detection (different detection methods, as well as the added redundancy which means that an attacker has to totally disable both systems at the same time to completely avoid detection). One thing about complex systems: Redundancy is A Good Thing(tm).

The other thing here... how would you know that an attacker has successfully penetrated the firewall without IDS running first? If the attack is done properly, the firewall wouldn't know that it's been penetrated, and would thus be unable to start the next step (IDS rules).
Just my thoughts... Peter Kristolaitis
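The point made in the reply above (a cascaded "IF firewall fires THEN consult IDS" design never looks at traffic the firewall waved through) can be shown with a small rule evaluator. This is an added example, not code from the thread or from any product named in it; the firewall rules, IDS signatures, event format and sample events are all constructed for illustration.

```python
"""Cascaded vs concurrent evaluation of firewall and IDS rules (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    """One observed connection: where it came from, where it went, what it carried."""
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    firewall_alerts: List[str] = field(default_factory=list)
    ids_alerts: List[str] = field(default_factory=list)

    @property
    def detected(self) -> bool:
        return bool(self.firewall_alerts or self.ids_alerts)


Rule = Callable[[Event], Optional[str]]

# Constructed firewall rules: a perimeter policy that only sees addresses and ports.
BLOCKED_PORTS = {23, 445}


def fw_blocked_port(ev: Event) -> Optional[str]:
    return f"blocked port {ev.dst_port}" if ev.dst_port in BLOCKED_PORTS else None


def fw_bad_source(ev: Event) -> Optional[str]:
    return f"denied source {ev.src}" if ev.src.startswith("10.66.") else None


FIREWALL_RULES: List[Rule] = [fw_blocked_port, fw_bad_source]

# Constructed IDS signatures: content inspection, which the firewall never performs.
SIGNATURES: Dict[bytes, str] = {
    b"../../": "path traversal pattern",
    b"' OR '1'='1": "sql injection pattern",
}


def ids_signature(ev: Event) -> Optional[str]:
    for pattern, name in SIGNATURES.items():
        if pattern in ev.payload:
            return name
    return None


IDS_RULES: List[Rule] = [ids_signature]


def _run(rules: List[Rule], ev: Event) -> List[str]:
    return [hit for hit in (rule(ev) for rule in rules) if hit]


def evaluate_cascaded(ev: Event) -> Verdict:
    """The 'IF A then Z, then IF B then Y' design: IDS rules run only after the firewall fires."""
    verdict = Verdict(firewall_alerts=_run(FIREWALL_RULES, ev))
    if verdict.firewall_alerts:
        verdict.ids_alerts = _run(IDS_RULES, ev)
    return verdict


def evaluate_concurrent(ev: Event) -> Verdict:
    """Both layers inspect every event independently (the redundancy argued for above)."""
    return Verdict(firewall_alerts=_run(FIREWALL_RULES, ev),
                   ids_alerts=_run(IDS_RULES, ev))


# Constructed sample events (RFC 5737 documentation addresses).
EVENTS: Dict[str, Event] = {
    # Denied source on a blocked port: the firewall itself sees this one.
    "noisy_scan": Event("10.66.1.7", 23, b"\r\n"),
    # Allowed source, allowed port, hostile content: passes the firewall cleanly.
    "allowed_port_injection": Event("198.51.100.9", 80, b"GET /?id=' OR '1'='1"),
    # Ordinary request.
    "benign": Event("198.51.100.10", 80, b"GET /index.html"),
}


def compare(events: Dict[str, Event] = EVENTS) -> Dict[str, Tuple[bool, bool]]:
    """Map each event name to (detected by cascaded design, detected by concurrent design)."""
    return {name: (evaluate_cascaded(ev).detected, evaluate_concurrent(ev).detected)
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (cascaded, concurrent) in compare().items():
        print(f"{name:24s} cascaded={cascaded!s:5s} concurrent={concurrent}")
```

The `allowed_port_injection` event is the case the reply describes: nothing in it violates the perimeter policy, so the cascaded evaluator never hands it to the IDS rules and reports nothing, while the concurrent evaluator still matches the payload signature. The fix is structural, not a matter of writing better firewall rules, since the firewall has no view of the content that distinguishes this request from `benign`.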