Re: Intrusion Detection

From: Marcus J. Ranum (mjrat_private)
Date: Wed Apr 15 1998 - 14:31:02 PDT

    Adam Shostack writes:
    >	5) To detect the fact that you've been hooked up to YA
    >extranet without any protection.
    
    	Or notification! :) I forgot that one. :) For lack of a
    better term, at NFR we've been calling this kind of thing
    "change notification."
    
    	"Hello! A new ethernet address just appeared on subnet 16 that
    is emitting IP with hopcount greater than one!"
    
    	Is that a security alert or a network management alert?
    I guess it depends on whether you expected the thing to appear
    when it did, or not! :)
    
    >	Also, allow me to clarify my point from yesterday (the one
    >Marcus disagreed with 180 degrees).  In talking about attack
    >detection, I meant useful in the sense "the value you can extract from
    >what you buy," not useful in the sense that you get more time to not
    >be at work.
    
    	Aha -- that's the root of our confusion (I was surprised
    to find myself disagreeing with Adam) :)  My take, as a pointy
    hair suit, is that time my network manager spends doing security
    is a loss against time they could have spent growing the network
    or directly building shareholder value. So I only want them to
    be messing with intrusion alarms and backtracks in the event
    that it's an attack that will cost me money if it's not addressed
    immediately. Attacks that I know my security system will likely
    block are nothing I care about because I don't want my staff
    spending time tracking down every scriptkid that tries my
    network.
    
    >	The value you get from a Bro or one of its commercial
    >relatives is that you know you're under attack.  (Insert Aleph's
    >comments here.)  It detects attacks, not intrusions.
    
    If you could somehow extend that to say "it detects attacks
    that appear to be potentially successful" then you'd get my
    money. :) The skilled attacker, unfortunately, isn't going to
    run SATAN against my network as a courtesy to tickle my IDS
    before he zaps through my firewall with Cthulhu-5.0 and ghosts
    into my WAN. :(  I don't see a way we can build a programmatic
    model for threat level escalation, when there's really not much
    correlatable cross-event information. This is not like a military
    environment, where the satellite recon can detect tanks moving
    weeks before the jump off. :(  :(  :(
    
    mjr.
    --
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work - http://www.nfr.net
    home - http://www.clark.net/pub/mjr
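    The "change notification" rule quoted above, written out as an added example that is not part of this message or of NFR's code: it assumes a sensor hands the notifier each packet as (subnet, source ethernet address, source IP, IP TTL), estimates hop count from the TTL against the common initial values 64/128/255 (an assumption, since the sender's real initial TTL is unknown), and alerts the first time an ethernet address that was not expected on the subnet emits IP with a hop count greater than one. All packet records, addresses and subnet names are constructed.

```python
from collections import namedtuple

# Constructed packet summary as a sniffer might hand to the notifier:
# subnet seen on, source ethernet (MAC) address, source IP address, IP TTL.
Packet = namedtuple("Packet", "subnet src_mac src_ip ttl")

# Assumption: senders start at one of these TTLs, so hop count is the distance
# from the smallest common initial value that is >= the observed TTL.
COMMON_INITIAL_TTLS = (64, 128, 255)

def estimate_hops(ttl):
    """Estimate how many routers a packet crossed, from its observed IP TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return 0  # unreachable for IPv4 (TTL is one byte); treat as local

class ChangeNotifier:
    """Raise a 'change notification' when a new ethernet address appears on a
    subnet emitting IP that already crossed more than one hop (a new router)."""

    def __init__(self, known_macs, hop_threshold=1):
        # known_macs: {subnet: iterable of MAC addresses already expected there}
        self.known = {subnet: set(macs) for subnet, macs in known_macs.items()}
        self.hop_threshold = hop_threshold

    def observe(self, pkt):
        """Return an alert string for pkt, or None. Each new address is learned,
        so one newcomer produces at most one notification."""
        seen = self.known.setdefault(pkt.subnet, set())
        if pkt.src_mac in seen:
            return None
        seen.add(pkt.src_mac)
        hops = estimate_hops(pkt.ttl)
        if hops > self.hop_threshold:
            return (f"Hello! A new ethernet address {pkt.src_mac} just appeared on "
                    f"subnet {pkt.subnet} emitting IP ({pkt.src_ip}) with hopcount {hops}!")
        return None

def run_sample():
    """Feed constructed traffic through the notifier and return the alerts raised."""
    notifier = ChangeNotifier({"16": ["00:00:0c:aa:bb:01"]})
    traffic = [
        Packet("16", "00:00:0c:aa:bb:01", "10.16.0.5", 64),     # known host, local
        Packet("16", "00:00:0c:aa:bb:99", "10.16.0.7", 128),    # new host, but local (0 hops)
        Packet("16", "00:10:4b:de:ad:01", "192.168.77.3", 61),  # newcomer relaying 3-hop traffic
        Packet("16", "00:10:4b:de:ad:01", "192.168.77.9", 60),  # same newcomer: already learned
    ]
    return [alert for alert in map(notifier.observe, traffic) if alert]
```

    Only the third packet fires: the address is unexpected on subnet 16 and its traffic has already been routed, which is exactly the "is it security or network management?" event the message describes.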
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:47 PDT