
Firewall Wizards mailing list archives
Re: Intrusion Prevention Firewall
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 02 Apr 2002 10:40:19 -0800
dont wrote:
> "Intrusion Detection" is what you call it when your security mechanism is so slow, inaccurate, or otherwise broken that you cannot actually use it as an access control policy :-)
>
> On Mon, 18 Mar 2002, Pieper, Rodney wrote:
>> The IDS field is not currently 'mature' enough for automating reacting. We need predictive IDS not reactive.
>
> The term itself was coined, I believe in 1980, and the field has progressed little since the 80's, partially because it is a moving target. This discussion itself has shown part of the reason why: the lack of clarity of what the term actually encompasses. I separate the whole issue of intrusion response from the problem of actually detecting it.
Consider the firewall vs. the network IDS box:

* They both have a policy set that categorizes packets (or streams thereof) into "good" and "bad".
* The firewall's rules are conservative: if it is "bad", it is *really* bad, so the firewall blocks it.
* The NIDS rules are heuristic: if it is "bad", it whines to the human, who investigates whether it is really bad.

Consider the host IDS (HIDS) vs. the access control system:

* Again, both have a policy that categorizes accesses (or patterns thereof) into "good" and "bad".
* The access control policy is conservative: if it is "bad" then the access is denied.
* The HIDS is heuristic: if it sees "bad" access patterns, it whines to a human who investigates.

This is not to say that IDS is without value. Because IDS is permitted to have a false-positive rate, it can use much more sensitive techniques, and therefore potentially detect attacks that the access control system would have missed. The cost is in the administrative overhead of having a human read the IDS output and apply further wetware filters to it.
But beware: as soon as you hook your IDS to an access control mechanism, so that when the IDS detects something it closes off access, what you have just done is build a flakey access control policy. If you thought the costs of managing IDSs were high, wait until you try this :)
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
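The conservative-versus-heuristic distinction in the message above, and the cost of wiring a heuristic detector straight into the blocking decision, can be made concrete with a small model. The following is an added example and not code from the original post or from WireX; the connection records, the two-port allow list, the alert thresholds and the ground-truth labels are all constructed for illustration.

```python
"""
Toy model of a conservative access-control policy (a firewall that denies only
what is certainly disallowed) beside a heuristic detector (an IDS that alerts
on what merely looks suspicious), and of what happens to the deny decision when
the detector's alerts are auto-converted into blocks.
Every record, rule and threshold here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst_port: int
    bytes_out: int
    failed_logins: int
    is_attack: bool  # ground truth; known to the simulation, not to either policy


# Constructed sample traffic with oracle labels.
SAMPLE = [
    Conn("10.0.0.5", 22, 4_000, 0, False),        # admin ssh session
    Conn("10.0.0.7", 22, 200, 6, True),           # password-guessing attempts
    Conn("198.51.100.9", 23, 80, 0, True),        # telnet, not permitted by policy
    Conn("10.0.0.8", 443, 950_000, 0, False),     # large but legitimate upload
    Conn("10.0.0.9", 443, 1_200_000, 0, True),    # data exfiltration
    Conn("10.0.0.10", 22, 150, 3, False),         # user who mistyped a password
    Conn("203.0.113.4", 445, 300, 0, True),       # SMB from outside, not permitted
]


def firewall_permits(c: Conn) -> bool:
    """Conservative policy: only ssh and https are allowed, everything else is certainly bad."""
    return c.dst_port in (22, 443)


def ids_alert(c: Conn) -> bool:
    """Heuristic policy: repeated login failures or unusually large outbound volume look bad."""
    return c.failed_logins >= 3 or c.bytes_out > 900_000


def conservative_block(c: Conn) -> bool:
    """Deny decision of the firewall alone."""
    return not firewall_permits(c)


def autoblock_on_alert(c: Conn) -> bool:
    """The pattern the post warns about: an IDS alert flips straight to deny."""
    return conservative_block(c) or ids_alert(c)


def outcome(block, sample):
    """Score a deny rule against the oracle labels."""
    return {
        "blocked_legit": sum(1 for c in sample if block(c) and not c.is_attack),
        "missed_attack": sum(1 for c in sample if not block(c) and c.is_attack),
        "stopped_attack": sum(1 for c in sample if block(c) and c.is_attack),
    }


def alert_queue(sample):
    """IDS in its intended role: a queue for a human to read, blocking nothing."""
    return [c for c in sample if ids_alert(c)]


def compare(sample=SAMPLE):
    queue = alert_queue(sample)
    return {
        "firewall_only": outcome(conservative_block, sample),
        "firewall_plus_ids_autoblock": outcome(autoblock_on_alert, sample),
        "ids_alerts": len(queue),
        "ids_false_alerts": sum(1 for c in queue if not c.is_attack),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

On the constructed sample the firewall alone blocks no legitimate traffic and misses the two attacks that use permitted ports, the IDS raises four alerts of which two are false, and auto-blocking on those alerts stops every attack at the price of denying two legitimate sessions: the sensitivity that makes the heuristic useful as a human-reviewed alert source is exactly what makes it a poor access control policy.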
Current thread:
- Re: Intrusion Prevention Firewall Crispin Cowan (Mar 31)
- <Possible follow-ups>
- RE: Intrusion Prevention Firewall dont (Apr 02)
- Re: Intrusion Prevention Firewall Crispin Cowan (Apr 03)
- Re: Intrusion Prevention Firewall Gary Flynn (Apr 03)
- RE: Intrusion Prevention Firewall Berny Stapleton (Sydney Technology) (Apr 12)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 16)
- Re: Intrusion Prevention Firewall Mikael Olsson (Apr 16)
- RE: Intrusion Prevention Firewall Dave Piscitello (Apr 16)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 17)
- RE: Intrusion Prevention Firewall Dave Piscitello (Apr 17)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 18)
- Re: Intrusion Prevention Firewall Crispin Cowan (Apr 03)
- RE: Intrusion Prevention Firewall Mike Shaw (Apr 17)