Firewall Wizards
mailing list archives
Re: Intrusion Detection
From: John McDermott <jjm () jkintl com>
Date: Thu, 16 Apr 98 16:36:07
Marcus,
--- On Wed, 15 Apr 1998 17:19:48 -0400 "Marcus J. Ranum" <mjr () nfr net>
wrote:
Eric Maiwald writes:
I think you are missing one important capability of attack
recognition tools, if I place the tool inside my firewall,
I can configure it to tell me if my firewall is not behaving correctly.
Yeah! This is what I'm talking about!
What's interesting in this example (the firewall) is the
assumption that your IDS can understand what "correct" behavior
of the firewall is. What that means is that you'd be able to
invert the firewall's policy, or somehow have an IDS that was
coupled to your understanding of what should and should not
work through the firewall.
I think a word of caution is in order here. There seems to me to be a
great danger if the coupling between "understanding of what should and
should not work through the firewall" and IDS configuration is too
automatic. That is, if the firewall were to generate the IDS configuration
information, errors in the policy as configured into the firewall would
likely be transferred to the IDS.
In many ways it would be nice to have some universal sort of way to explain
policy to devices, but in doing so machine misinterpretation of that policy
might distribute errors to multiple devices.
I'm far from saying that I have even a really strong clue how to deal with
this in a clean way, but too tight a coupling could lead to a serious
problem, as I see it.
--john
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
VP, J-K International, Ltd.
Writer and Computer Consultant
-------------------------------------
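The coupling problem John raises above, worked through as an added example (this is not code from the original post or from any of the participants). It assumes a constructed firewall rule list containing one mistaken inbound allow, an IDS sitting inside the firewall, and two ways of giving that IDS its idea of "correct": one derived automatically from the firewall configuration, one written independently from the intended policy. All rules, ports and traffic are constructed for illustration.

```python
"""Added example: an IDS whose allow-set is generated from the firewall's own
configuration inherits the firewall's mistakes, while an independently
specified allow-set catches them. Everything below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    dst_port: int  # 0 means "any port"
    src_zone: str  # "outside" or "inside"


# Intended inbound policy: SMTP (25) and HTTP (80) only, default deny.
# The configured rule set carries a constructed mistake: an inbound allow
# for telnet (23) that should have been removed.
FIREWALL_RULES = [
    Rule("allow", "tcp", 25, "outside"),
    Rule("allow", "tcp", 80, "outside"),
    Rule("allow", "tcp", 23, "outside"),  # constructed misconfiguration
    Rule("deny", "any", 0, "outside"),    # default deny
]

# Independently maintained statement of what should cross the firewall
# inbound, written from the policy document rather than the firewall config.
IDS_POLICY_INDEPENDENT = {("tcp", 25), ("tcp", 80)}

# Constructed inbound connection attempts from the outside.
ATTEMPTS = [("tcp", 25), ("tcp", 80), ("tcp", 23), ("tcp", 22)]


def firewall_passes(rules, proto, dst_port, src_zone):
    """First-match evaluation of the rule list; True if the flow is passed."""
    for r in rules:
        if r.src_zone != src_zone:
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dst_port not in (0, dst_port):
            continue
        return r.action == "allow"
    return False  # nothing matched: treat as denied


def ids_policy_from_firewall(rules):
    """Tight coupling: the IDS allow-set is generated from the firewall rules."""
    return {(r.proto, r.dst_port)
            for r in rules
            if r.action == "allow" and r.src_zone == "outside"}


def ids_alerts(allowed, flows_seen_inside):
    """IDS inside the firewall: alert on any inbound flow not in the allow-set."""
    return [f for f in flows_seen_inside if f not in allowed]


def observed_inside(rules, attempts):
    """The inside IDS only sees what the firewall actually let through."""
    return [f for f in attempts if firewall_passes(rules, f[0], f[1], "outside")]


def compare(rules=FIREWALL_RULES, attempts=ATTEMPTS):
    """Run both IDS configurations over the same passed traffic."""
    inside = observed_inside(rules, attempts)
    return {
        "passed": inside,
        "coupled_alerts": ids_alerts(ids_policy_from_firewall(rules), inside),
        "independent_alerts": ids_alerts(IDS_POLICY_INDEPENDENT, inside),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The derived allow-set contains the mistaken telnet rule, so the coupled IDS stays silent when telnet crosses the firewall; the independently written allow-set flags it. The cost of the independent approach is the one John points to: someone has to keep two descriptions of the policy in step by hand.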