Intrusion Detection Systems mailing list archives
Re: Real Traffic (was Re: BlackICE IDS)
From: tschroed () acm org (Trevor Schroeder)
Date: Tue, 7 Dec 1999 08:47:13 -0600 (CST)
On Mon, 6 Dec 1999, John S Flowers wrote:
> Despite the fact that our IDS isn't shipping yet, this is exactly the theory that we're using for our vulnerability scanner [aka ARMS] and plan to use for the IDS [aka ARMOR].

Not exactly... The problem is you have a lot of the *same* software... What I was talking about is different versions of software. This allows you to tolerate software-related faults by correlating the results from distinct versions. Think of it as hybrid vigor. Or another way, think of it as working in a team. If everyone comes to a similar conclusion, then there's a much better chance that it's a correct conclusion than if you come to the conclusion independently. Even if there are multiple copies of you, you all still think alike and will probably come to the same conclusion given the same data set, so it's not the same.

On Mon, 6 Dec 1999, Bruce Potter wrote:

> Maybe a better use of resources would be to use an NIDS with a host-based solution. That way you minimize the amount of duplicate work being done while maximizing the overlap in the problem domain (that's what you're going for right? two IDS's that should basically catch the
> same attacks using them in parallel to double check each other. This is a total overlap in the problem domain. this is ideal, but redundant to the point that it may not make economic sense).

That's precisely what I'm looking for.
Economic sense is not so much a concern as feasibility. The reason I
initially suggested a NIDS is twofold:
1. Hosts come and hosts go. With several thousand hosts,
managing IDS software on the host can start to be a real pain
in the ass. (granted, any decent org. should have an
appropriate staff to do this, but nevertheless many don't.)
With NIDS, you have only a handful of units.
2. I have a particular environment in mind with thousands of
hosts. They come and they go. They run anything from DU to
IRIX to Windows NT, 98, or Linux. And so it goes. To top it
all off, the people responsible for securing the system don't
have access to the hosts except in dire emergency. Therefore,
a network-based approach becomes necessary. Besides which,
it's easier than trying to get everyone to remember to install
the HIDS on their new systems.
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but :
: I thought: What the hell--better men than I have risked their heads :
: and their swivel chairs for truth and justice." -- James P. Cannon :
:........... http://www.zweknu.org/ for PGP key and more ................:
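The "different versions, not multiple copies" point above can be made concrete with a small correlator. The example below is added to this archive page; it is not code from Trevor Schroeder, John S Flowers or any product mentioned in the thread. It assumes every alert carries a label for the implementation family its sensor belongs to (the "engine-A"/"engine-B" names, the sensor names and the alerts are all constructed for illustration) and counts votes per family rather than per sensor, so three copies of the same engine agreeing still count as one opinion, while a network sensor and a host sensor from different implementations agreeing count as two.

```python
"""Diversity-aware alert correlation (added example, not from the thread).

The idea in the message: several copies of the *same* detector will
usually agree because they share the same code and the same blind spots,
so their agreement is weak evidence.  Agreement between *different*
implementations is much stronger.  This toy correlator therefore counts
votes per implementation family rather than per sensor instance.
Sensor names, family labels and alerts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # individual sensor instance, e.g. "nids-a1" (constructed)
    family: str   # implementation family the sensor belongs to (hypothetical label)
    event: str    # normalised description of what was detected


def correlate(alerts, min_families=2):
    """Return {event: verdict}.

    An event is 'confirmed' only when at least `min_families` distinct
    implementation families reported it; the raw sensor count is kept
    for reference but does not drive the decision."""
    by_event = defaultdict(lambda: defaultdict(set))
    for a in alerts:
        by_event[a.event][a.family].add(a.sensor)
    verdicts = {}
    for event, families in by_event.items():
        verdicts[event] = {
            "families": sorted(families),
            "sensor_count": sum(len(s) for s in families.values()),
            "independent_votes": len(families),
            "confirmed": len(families) >= min_families,
        }
    return verdicts


# Constructed sample: three network sensors of one family, one host sensor
# of another.  Addresses and event texts are made up.
SAMPLE_ALERTS = [
    Alert("nids-a1", "engine-A", "10.0.0.5->10.0.0.9 ftp overflow attempt"),
    Alert("nids-a2", "engine-A", "10.0.0.5->10.0.0.9 ftp overflow attempt"),
    Alert("nids-a3", "engine-A", "10.0.0.5->10.0.0.9 ftp overflow attempt"),
    Alert("nids-a1", "engine-A", "10.0.0.7->10.0.0.9 rpc probe"),
    Alert("hids-b1", "engine-B", "10.0.0.7->10.0.0.9 rpc probe"),
    Alert("hids-b1", "engine-B", "10.0.0.9 setuid binary modified"),
]

if __name__ == "__main__":
    for event, v in correlate(SAMPLE_ALERTS).items():
        state = "CONFIRMED" if v["confirmed"] else "unconfirmed"
        print(f"{state:11} votes={v['independent_votes']} "
              f"sensors={v['sensor_count']}  {event}")
```

Running it shows the point of the message: the ftp event is seen by three sensors but gets only one independent vote, so it stays unconfirmed, while the rpc probe seen by one sensor from each family is confirmed. Lowering `min_families` to 1 reverts to "any sensor fires", which is the behaviour a single-implementation deployment gives you anyway.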
