Re: CRIME IDS, or content filtering

From: Crispin Cowan (crispin@private)
Date: Fri Apr 12 2002 - 18:33:42 PDT


    Zot O'Connor wrote:
    
    >On Fri, 2002-04-12 at 14:37, Toby wrote:
    >
    >>Yes, but ZoneAlarm is NOT an IDS. It is a firewall with some other
    >>abilities because it is on a host. Run IIS on two systems- load blackICE on
    >>
    >What does examining the protocol make BlackICE an IDS?  I would
    >
    Quoting verbatim from my post last week to firewall wizards:
    
    "Intrusion Detection" is what you call it when your security mechanism 
    is so slow, inaccurate, or otherwise broken that you cannot actually use 
    it as an access control policy :-)
    
    Consider the firewall vs. the network IDS box:
    
        * They both have a policy set that categorizes packets (or streams
          thereof) into "good" and "bad".
        * The firewall's rules are conservative: if it is "bad", it is
          *really* bad, so the firewall blocks it.
        * The NIDS rules are heuristic: if it is "bad", it whines to the
          human, who investigates whether it is really bad.
    
    Consider the host IDS (HIDS) vs. the access control system:
    
        * Again, both have a policy that categorizes accesses (or patterns
          thereof) into "good" and "bad".
        * The access control policy is conservative: if it is "bad" then the
          access is denied.
        * The HIDS is heuristic: if it sees "bad" access patterns, it whines
          to a human who investigates.
    
    This is not to say that IDS is without value. Because IDS is permitted 
    to have a false-positive rate, it can use much more sensitive 
    techniques, and therefore potentially detect attacks that the access 
    control system would have missed. The cost is in the administrative 
    overhead of having a human read the IDS output and apply further wetware 
    filters to it.
    
    But beware: as soon as you hook your IDS to an access control mechanism, 
    so that when the IDS detects something it closes off access, what you 
    have just done is build a flaky access control policy. If you thought 
    the costs of managing IDSs were high, wait until you try this :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
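The trade-off Crispin describes, shown as an added example that is not part of the original post: a conservative firewall rule and a heuristic IDS rule run over the same constructed sample of requests, once with the IDS only alerting and once with it wired into the blocking decision. The rules, addresses and paths are all constructed for illustration.

```python
# Added example (not from the original post): a conservative "firewall" rule
# versus a sensitive, heuristic "IDS" rule over constructed sample requests.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str
    path: str
    legit: bool  # ground truth, known only because the sample is constructed


def firewall_blocks(r: Request) -> bool:
    """Conservative rule: block only what is unambiguously bad.
    Constructed assumption: 10.66.0.0/16 is a known-bad source range."""
    return r.src.startswith("10.66.")


def ids_flags(r: Request) -> bool:
    """Heuristic rule: flag anything that merely looks like a traversal or
    probe. Deliberately sensitive, so it has a non-zero false-positive rate."""
    suspicious = ("..", "%", "/etc/")
    return any(s in r.path for s in suspicious)


def evaluate(requests, auto_block: bool):
    """Apply the firewall rule, optionally with the IDS verdict wired into the
    access decision. Returns (attacks_stopped, legitimate_requests_denied)."""
    stopped = denied = 0
    for r in requests:
        blocked = firewall_blocks(r) or (auto_block and ids_flags(r))
        if blocked and not r.legit:
            stopped += 1
        if blocked and r.legit:
            denied += 1
    return stopped, denied


# Constructed sample traffic: three legitimate requests (two of which look
# odd), one attack from the known-bad range, one attack from an unknown source.
SAMPLE = [
    Request("192.0.2.10", "/index.html", legit=True),
    Request("192.0.2.11", "/docs/chapter%201.html", legit=True),
    Request("192.0.2.12", "/images/../logo.gif", legit=True),
    Request("10.66.1.5", "/cgi-bin/../../etc/passwd", legit=False),
    Request("198.51.100.7", "/../../etc/passwd", legit=False),
]

if __name__ == "__main__":
    print("firewall only, IDS alerts:", evaluate(SAMPLE, auto_block=False))
    print("IDS wired into blocking:  ", evaluate(SAMPLE, auto_block=True))
```

With the IDS only alerting, the firewall stops the one attack it is sure about and denies nobody; wiring the IDS verdict into blocking catches the second attack but also denies two legitimate requests, which is the flaky access control policy the post warns about.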
    