Okay, okay, I tried to keep my mouth shut...

Gary, I don't think Marcus was attacking other products -- he's attacking a frame of mind which is all too prevalent, but by no means as common as he is portraying. Here's my point of view.

For my first three years in this industry I designed, maintained, and documented the network security system for a mid-sized software company in the Midwest US. Not by any means a high-profile target for hackers (at least external ones) -- but an organization with great sensitivity to security issues, especially regarding attempts at inappropriate access to confidential data (electronic medical records spring to mind).

The firewall system that I installed included a lot of the same functionality now being sold as stand-alone intrusion detection systems (which confused me to no end when IDS first appeared as a stand-alone, cos' I didn't see what it was doing for me that the firewall didn't cover, at least as regards external attacks).

At the beginning of my tenure, I did have the luxury of being able to investigate firewall alarms -- which gave my personal neural net a chance to educate itself about what sort of patterns indicated a human attack, and what sort of patterns were probably something harmless. So one potential value of an IDS is as a training tool -- assuming that you've got some hope of picking a tool developed by humans more clueful than you are.

Another value that the firewall IDS provided, even when an attack was unsuccessful, was as an indicator of attempted violations of policy either by my employer's personnel, or people at client sites. In that case -- where I had at least rudimentary acceptable use guidelines -- I could "prosecute" the incident whether or not it was successful. In an organization with even rudimentary policy guidelines in place, the requirements for "prosecutable" evidence are not so high as in a court of law -- and I did manage to take disciplinary actions in a couple of more serious situations. And of course, by the time I left the policy guidelines were a lot less rudimentary ;-)

As time went on, and I became more over-worked, I got less careful at investigating the "meaningless" alarms, but I didn't turn them off. If I hadn't spent the time at the beginning to educate myself, I wouldn't have had any idea of what was safe to ignore.

And don't underestimate the value of keeping track of the clueless twinks. CFOs, executives and the FDA >>love<< that sort of statistic -- which is what gets us cybercops the budget for the next generation of toys, er, tools...

cheers -- Tina

Gary Crumrine wrote:
>
> Well thank you Mr. Ranum, another world according to Marcus speech. I am
> trying to figure out where you are coming from on this one Marcus.

...clipped for brevity...

> -----Original Message-----
> From: Marcus J. Ranum [SMTP:mjrat_private]
> Sent: Tuesday, April 14, 1998 1:04 PM
> To: firewall-wizardsat_private
> Subject: Re: Intrusion Detection
>
> > To me the big open question in ID is "why?" not "what?"
>
> > If you have a network you believe to be vulnerable to the attacks
> > listed above - FIX THEM. If you've fixed them, then why do you care if
> > someone uses them against you? Are you actually going to backtrack and
> > try to prosecute? Good luck!

...clipped for brevity....
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:38 PDT