Vulnerability Development mailing list archives

Re: Thinking about Security rules...


From: Geoff Galitz <galitz () chem berkeley edu>
Date: Tue, 14 May 2002 11:15:51 -0700



Hiya,

Hmmm... this does sound like a good topic for a paper.  ;)

I suspect you won't find anything that directly addresses
your issues on a generic level, but you can look at individual
IDSs with response capabilities.  These include:

        - dynamic routing adjustments (host or router)
        - dynamic service wrapping adjustments (host)

And reading old archives about what can happen when
you have active host response versus passive host response.

You will find, I think, that if you draw closer to what you are
looking for, you find yourself tied to certain technologies.
There is nothing wrong with that in general, but is something
to be aware of.

Some sort of standard message passing system aimed directly
at this need would be nice, and I think it has been tried, but
to my knowledge there is nothing out there that allows for
complete freedom without a lot of development work on
the part of your own organization.

One last note... I was working on something like this at one
point, myself.  It was some snort sensors dumping events into
a MySQL database with some perl scripts which did some
analysis and also some follow-up measures (completely
within our own network) to determine if there was any change
to the host after the event was logged.

I didn't get a lot of help and other things needed to be done
around here, so the project kind of went into hiatus.  The goal
was to come up with an automated system that did some analysis
to determine what would be a false alarm, what would be
a particularly vulnerable system or network, along with some
other tracking issues which are not purely security related
(DNS management and tracking).  It is probably more focused
than what you are looking for, but feel free to take a look at
these old web pages.  Note that they are way out of date and
really online for archival purposes more than anything else.

If you (or anyone else) wants any other bits that are there
or wants to help pick up the ball again, just drop me a letter.

Here is the URL:

http://www.cchem.berkeley.edu/College/unix/proj/

-geoff

On Tuesday, May 14, 2002, at 10:54 AM, Rhino Bond wrote:


Folks,

Just to clarify what we are looking for.  We know how
to configure all the separate parts (routers,
firewalls, IDS, etc.).  We were wondering if anyone
ever wrote a white paper on creating an engine to
automate/manage all the individual parts.  So far I
have found nothing.  This is a Herculean project I
think...  However I want to thank everyone for their
contributions to this thread, they were all very
interesting.

----------------------------------------------------------------------------------------------
"Computer games don't affect kids; I mean if Pac-Man affected us as
kids, we'd all be running around in darkened rooms, munching magic
pills and listening to repetitive electronic music."
          - Kristian Wilson, CEO, Nintendo Gaming Corporation, Inc, 1989
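A minimal sketch of the pipeline Geoff describes above (sensors dump alerts into a database, a script triages them against what is known about the target host, and a follow-up compares the host's state before and after the event). This is an added example, not Geoff's Perl code from the Berkeley project: it is written in Python, uses an in-memory sqlite3 table as a stand-in for MySQL, and the alerts, host inventory and host snapshots are all constructed sample data.

```python
import sqlite3

# Constructed inventory: what each host actually runs (OS, listening ports).
INVENTORY = {
    "10.0.0.5": {"os": "linux", "ports": {22, 80}},
    "10.0.0.9": {"os": "windows", "ports": {135, 445}},
}

# Constructed Snort-style alerts: (id, signature, OS the signature applies to
# or None, destination port, destination host).
SAMPLE_ALERTS = [
    (1, "WEB-IIS cmd.exe access", "windows", 80, "10.0.0.5"),
    (2, "SSH brute force attempt", None, 22, "10.0.0.5"),
    (3, "NETBIOS SMB overflow attempt", "windows", 445, "10.0.0.9"),
    (4, "WEB-IIS cmd.exe access", "windows", 80, "10.0.0.9"),
]

def load_alerts(rows):
    """Store alerts in an in-memory sqlite3 table (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (cid INTEGER, sig TEXT, target_os TEXT,"
               " dport INTEGER, dst TEXT)")
    db.executemany("INSERT INTO event VALUES (?,?,?,?,?)", rows)
    return db

def triage(alert, inventory):
    """Classify an alert as 'false alarm' or 'follow-up' using host context.
    A signature that only applies to an OS the host does not run, or that
    targets a port the host is not listening on, cannot have succeeded."""
    cid, sig, target_os, dport, dst = alert
    host = inventory.get(dst)
    if host is None:
        return "follow-up"   # unknown host: treat as vulnerable until checked
    if target_os and target_os != host["os"]:
        return "false alarm"
    if dport not in host["ports"]:
        return "false alarm"
    return "follow-up"

def host_changed(before, after):
    """Follow-up check: what appeared on the host since the baseline snapshot.
    Snapshots are dicts of listening ports and setuid files (constructed)."""
    return {
        "new_ports": sorted(after["ports"] - before["ports"]),
        "new_setuid": sorted(after["setuid"] - before["setuid"]),
    }

def run(rows=SAMPLE_ALERTS, inventory=INVENTORY):
    """Pull every alert back out of the database and triage it by id."""
    db = load_alerts(rows)
    return {row[0]: triage(row, inventory) for row in db.execute("SELECT * FROM event")}
```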

