Firewall Wizards
mailing list archives
Re: Intrusion Detection
From: Tina Bird <tbird () iegroup com>
Date: Wed, 15 Apr 1998 14:18:01 -0500
Okay, okay, I tried to keep my mouth shut...
Gary, I don't think Marcus was attacking other products -- he's
attacking a frame of mind which is all too prevalent, but by no
means as common as he is portraying.
Here's my point of view. For my first three years in this industry
I designed, maintained, and documented the network security system
for a mid-sized software company in the Midwest US. Not by any means
a high-profile target for hackers (at least external ones) -- but an
organization with great sensitivity to security issues, especially
regarding attempts at inappropriate access to confidential data
(electronic medical records spring to mind). The firewall system
that I installed included a lot of the same functionality now being
sold as stand-alone intrusion detection systems (which confused me
to no end when IDS first appeared as a stand-alone, cos' I didn't see
what it was doing for me that the firewall didn't cover, at least as
regards external attacks).
At the beginning of my tenure, I did have the luxury of being
able to investigate firewall alarms -- which gave my personal neural
net a chance to educate itself about what sort of patterns indicated
a human attack, and what sort of patterns were probably something
harmless. So one potential value of an IDS is as a training tool --
assuming that you've got some hope of picking a tool developed by
humans more clueful than you are. Another value that the firewall
IDS provided, even when an attack was unsuccessful, was as an
indicator of attempted violations of policy either by my employer's
personnel, or people at client sites. In that case -- where I had
at least rudimentary acceptable use guidelines -- I could "prosecute"
the incident whether or not it was successful.
In an organization with even rudimentary policy guidelines in place,
the requirements for "prosecutable" evidence are not so high as in
a court of law -- and I did manage to take disciplinary actions in
a couple of more serious situations. And of course, by the time I
left the policy guidelines were a lot less rudimentary ;-)
As time went on, and I became more over-worked, I got less careful at
investigating the "meaningless" alarms, but I didn't turn them off.
If I hadn't spent the time at the beginning to educate myself, I
wouldn't have had any idea of what was safe to ignore.
And don't underestimate the value of keeping track of the clueless
twinks. CFOs, executives and the FDA >>love<< that sort of
statistic -- which is what gets us cybercops the budget for the next
generation of toys, er, tools...
cheers -- Tina
Gary Crumrine wrote:
Well thank you Mr. Ranum, another world according to Marcus speech. I am
trying to figure out where you are coming from on this one Marcus.
...clipped for brevity...
-----Original Message-----
From: Marcus J. Ranum [SMTP:mjr () nfr net]
Sent: Tuesday, April 14, 1998 1:04 PM
To: firewall-wizards () nfr net
Subject: Re: Intrusion Detection
To me the big open question in ID is "why?" not "what?"
If you have a network you believe to be vulnerable to the attacks
listed above - FIX THEM. If you've fixed them, then why do you care if
someone uses them against you? Are you actually going to backtrack and
try to prosecute? Good luck!
...clipped for brevity....
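As an added example that is not part of the thread above (not Tina's code, nor that of any firewall or IDS product mentioned), the following Python sketches the triage she describes: a hand-learned baseline of "meaningless" alarms that are safe to ignore, the remaining denies tallied per source, and internal sources that keep knocking on many ports separated out as acceptable-use cases, with the headline blocked-attempt counts kept for the budget meeting. The deny-log line format, the 10.0.0.0/8 internal range, the NetBIOS-broadcast noise rule, the three-distinct-ports threshold and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall deny log (not from the original post). The
# "ts host DENY proto src sport dst dport" layout is a hypothetical format
# chosen for this example, not any real firewall's output.
SAMPLE_LOG = """\
Apr 15 13:02:11 fw1 DENY tcp 10.1.4.22 41023 203.0.113.9 23
Apr 15 13:02:12 fw1 DENY udp 10.1.4.31 137 10.1.4.255 137
Apr 15 13:02:13 fw1 DENY tcp 10.1.4.22 41024 203.0.113.9 21
Apr 15 13:02:14 fw1 DENY tcp 10.1.4.22 41025 203.0.113.9 3389
Apr 15 13:02:15 fw1 DENY tcp 198.51.100.77 50123 10.1.2.10 23
Apr 15 13:02:16 fw1 DENY udp 10.1.4.40 137 10.1.4.255 137
Apr 15 13:02:17 fw1 DENY tcp 198.51.100.77 50124 10.1.2.10 25
Apr 15 13:02:18 fw1 DENY tcp 10.1.4.22 41026 203.0.113.9 445
Apr 15 13:02:19 fw1 DENY tcp 198.51.100.77 50125 10.1.2.10 110
"""

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<fw>\S+)\sDENY\s"
    r"(?P<proto>tcp|udp)\s(?P<src>\S+)\s(?P<sport>\d+)\s(?P<dst>\S+)\s(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse deny lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["src_internal"] = ip_address(ev["src"]) in INTERNAL_NET
        events.append(ev)
    return events


def is_known_noise(ev):
    """The hand-learned baseline of alarms that are safe to ignore.

    Assumption for this example: NetBIOS name-service (udp/137) broadcasts
    from internal hosts to the subnet broadcast address are Windows chatter
    hitting the firewall, not an attack. Every other deny stays in scope.
    """
    return (ev["proto"] == "udp" and ev["dport"] == 137
            and ev["src_internal"] and ev["dst"].endswith(".255"))


def triage(events, distinct_port_threshold=3):
    """Split alarms into ignorable noise and per-source attempt records.

    A source denied on >= distinct_port_threshold distinct destination
    ports is flagged: an internal source becomes an acceptable-use case
    to take to management, an external one a probe worth watching.
    """
    report = {
        "ignored_noise": 0,
        "attempts_by_source": Counter(),
        "internal_policy_cases": {},
        "external_probes": {},
    }
    targets = defaultdict(set)  # src -> {(dst, proto, dport)}
    for ev in events:
        if is_known_noise(ev):
            report["ignored_noise"] += 1
            continue
        report["attempts_by_source"][ev["src"]] += 1
        targets[ev["src"]].add((ev["dst"], ev["proto"], ev["dport"]))
    for src, tset in targets.items():
        if len({t[2] for t in tset}) < distinct_port_threshold:
            continue
        bucket = ("internal_policy_cases" if ip_address(src) in INTERNAL_NET
                  else "external_probes")
        report[bucket][src] = sorted(tset)
    return report


def management_summary(events):
    """Headline numbers for the budget meeting: blocked attempts by direction."""
    summary = Counter()
    for ev in events:
        if is_known_noise(ev):
            continue
        summary["outbound_blocked" if ev["src_internal"] else "inbound_blocked"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rep = triage(evs)
    print("ignored as known noise:", rep["ignored_noise"])
    for src, tset in rep["internal_policy_cases"].items():
        print("internal policy case:", src, tset)
    for src, tset in rep["external_probes"].items():
        print("external probe:", src, tset)
    print(management_summary(evs))
```

The point of keeping `is_known_noise` as a separate, documented function is the one the post makes: the decision about what is safe to ignore is written down and reviewable, rather than silently turning the alarm off, and the ignored count still appears in the report so the baseline can be revisited when the environment changes.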