> In other words, the administrator will apply site policy to the IDS
> by building a filtering layer on top of its alert mechanism. That will
> be based on the administrator's knowledge of site policy and local
> risk/threat posture.
>
> We're 100% agreed. But what I am saying is that the IDS should
> be able to permit that tuning directly, by getting that information
> from the administrator so the IDS can tailor its behavior to what
> it has been told is acceptable/unacceptable/interesting about the
> network it's watching.

Maybe more of a philosophical point, but I miss something in this whole discussion. We are all agreed (I think) that an IDS should issue a warning when something "interesting" happens or the firewall has been broached - but I do get the feeling that we do not really know what "interesting" means.

When the administrator can tailor the IDS to unacceptable/interesting stuff on the net, what he does is transfer his own mindset about security to the IDS. I then have a machine that "thinks" like me, which thus alerts me about facts that I am already aware of - a useful thing that may save some work, but will not help me notice next week's bug being exploited.

I may be stupid, but what is "interesting" is something I do not know before an intrusion attempt. Tomorrow's attack may use some technique that is "obviously" safe today, thus bypassing my (human or computer) filtering layer. Using a sufficiently "new" technique, my firewall will probably not notice that it has been broached.

What _can_ help me is having a complete log of everything that has been going through the network, which I can then analyze to understand what has happened. An intrusion analysis system, if you will - which so far includes a large human component.

-Martin

--
Martin Freiss, MF194 | freiss.padat_private | http://www.rmi.de/~marvin
Siemens Nixdorf, CC IT Networks, Solution Team Internet/Intranet
Half male, half e-mail.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:05 PDT