Firewall Wizards mailing list archives

Re: Time for a new FWTK?


From: Craig Brozefsky <craig () onshore com>
Date: Fri, 28 Nov 1997 11:43:22 -0600

On Fri, 28 Nov 1997, Bennett Todd wrote:

> 1997-11-27-04:09:30 Craig Brozefsky:
> > Tho for some reasons I think that this "reactive" security software has a
> > long way to go from pipe dream, to effective software tool.
>
> If you haven't done so yet, I encourage you to take a look at Network
> Flight Recorder[1]. I'm reading the manuals now. It looks like a pretty
> nifty piece of work.

I got the source and spent a few days going over it.  I'm pleased that
they decided to release the source code, for this version at least.

> It's early to say yet whether this implementation will be the successful
> pioneer that carries us through this next revolution, but it certainly
> shows the direction.

I don't think NFR is positioned as a replacement for firewalls, or 
whatever the fruit of the last "revolution" was.  

> Network Flight Recorder is a packet sniffer. It has various layers of
> filtering; there are all sorts of highly-efficient built-in filters and
> data reduction elements, and there's a general-purpose programming
> language in which you can write more; then you get to choose what data
> gets logged and details about how it should be retained. Then you've got
> your query programs and alert monitors.

The extension language is hardly "general purpose" but it does seem 
suitable for the present.  The choice of what data to log is largely 
based upon your policy needs, so I don't see this as some kinda 
omniscient network watchman who detects attacks in progress, and shuts 
them down, but rather as a way to monitor particular aspects of your 
security policy in a centralized, manageable fashion.

> It looks like the kind of flexible tool that will fairly quickly produce
> the answer to the hard question ``what do you _look_ for, to catch
> attacks in the act''.

My remarks that "reactive" software is a pipe dream were not predicated
on the inability to monitor successfully from within a framework, but
rather that the ability to monitor for a well defined attack (port scan,
SMTP DEBUG, unauthorized logins) is one thing, but that protection
from unknown attack vectors is another.  NFR and others like it are
definitely welcome tools, and please don't take my comments as an attempt
to belittle them, but I don't see them as a 'revolution' because their
principles have been practiced for a while already.

I don't think there is an answer to that question either, "what do you
_look_ for, to catch attacks in the act", and I think that such a goal is
misdirected because the vectors of attack are so varied.


Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
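The distinction drawn in the message above, between monitoring for a well defined attack (a port scan, an SMTP DEBUG command) and catching an unknown attack vector, as an added illustration for this archive page. This is not NFR code and not code from either poster; the monitors, their thresholds and the connection records they run over are constructed for the example, and a record with no matching signature is included to show what such monitors do not see.

```python
"""Two signature-style network monitors of the kind the thread discusses.

Added example for this archive page; not NFR code and not from either
poster.  Record format, thresholds and all traffic below are constructed.
"""
from collections import defaultdict

# Constructed connection records: (timestamp_seconds, src, dst, dport, first_payload_line)
RECORDS = (
    # A scanner walking twelve ports on one host in just over a second.
    [(100.0 + 0.1 * i, "10.0.0.5", "192.0.2.10", port, "")
     for i, port in enumerate(range(20, 32))]
    # A benign client touching a few services over a minute.
    + [(200.0, "10.0.0.7", "192.0.2.10", 80, "GET / HTTP/1.0"),
       (230.0, "10.0.0.7", "192.0.2.10", 443, ""),
       (260.0, "10.0.0.7", "192.0.2.10", 25, "HELO mail.example")]
    # An SMTP session that issues the old sendmail DEBUG command.
    + [(261.0, "10.0.0.9", "192.0.2.10", 25, "DEBUG"),
       (262.0, "10.0.0.9", "192.0.2.10", 25, "MAIL FROM:<a@example>")]
    # Traffic for which neither monitor has a signature (placeholder for
    # the "unknown attack vector" the message refers to).
    + [(300.0, "10.0.0.11", "192.0.2.10", 80, "POST /app HTTP/1.0")]
)


def detect_port_scans(records, window=5.0, threshold=10):
    """Flag any source that reaches `threshold` or more distinct (dst, port)
    pairs inside a `window`-second sliding window.

    Returns a list of (src, window_start_ts, distinct_targets_seen), one
    entry per offending source (the first window that trips the rule).
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, _payload in records:
        by_src[src].append((ts, dst, dport))

    alerts = []
    for src, events in by_src.items():
        events.sort()  # oldest first
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(dst, port) for _, dst, port in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append((src, events[start][0], len(targets)))
                break
    return alerts


def detect_smtp_debug(records):
    """Flag SMTP (port 25) records whose first command word is DEBUG.

    Returns a list of (src, dst, command) for each hit.
    """
    alerts = []
    for _ts, src, dst, dport, payload in records:
        verb = payload.strip().upper().split(" ")[0] if payload else ""
        if dport == 25 and verb == "DEBUG":
            alerts.append((src, dst, payload.strip()))
    return alerts


def unflagged_sources(records):
    """Sources present in the traffic that no monitor raised an alert for.

    This is the gap the message describes: a signature monitor only
    reports what it was told to look for.
    """
    flagged = {a[0] for a in detect_port_scans(records)}
    flagged |= {a[0] for a in detect_smtp_debug(records)}
    return sorted({rec[1] for rec in records} - flagged)


if __name__ == "__main__":
    print("port scans :", detect_port_scans(RECORDS))
    print("SMTP DEBUG :", detect_smtp_debug(RECORDS))
    print("not flagged:", unflagged_sources(RECORDS))
```

Running it reports the scanner and the DEBUG session and lists the remaining sources as unflagged, including the one carrying traffic with no signature. Both the window size and the threshold are policy choices, which is the sense in which the message says what gets logged depends on your policy rather than on any general notion of "attack".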



Current thread: