Intrusion Detection and Security Policy

From: Bill_Roydsat_private
Date: Thu Apr 16 1998 - 08:22:15 PDT


    Marcus J. Ranum wrote:
       I built a lot of firewalls, and I've seen a lot of firewalls
       installed every which way but backwards. The reason I am going out
       on a limb here is to try to get folks to build the right things
       into their IDS' early on! Before it's too late! If I could go back
       in time, I'd'a built firewalls that had "policy writing wizards"
       that you could walk through and which would not only configure
       the firewall but give you a hardcopy risk assessment of the policy
       you built. Templates, too. We need the same kind of stuff for IDS.
       Or they will also be complicated, obscure products that get
       installed and ignored and finally unplugged. I'd hope that the
       fact that I am saying this in a public forum, effectively giving
       advice to potential competitors, will serve as proof of my
       earnest or foolishness or both.
    
    
    
    One problem that needs to be addressed is a "Security Policy Language",
    which would be a formal notation for writing security policies that would
    be both explainable to managers and executives and verifiable in a formal
    sense. There has been work done on this in programming language verification
    (Euclid and stuff from the late 70's) but it ended up being too "mathematical"
    for real world use. The tradeoff between ease of use and completeness has
    always been one of the design problems in all computer software. It is a
    hard problem, as any firewall maker can tell you. If you make a nice
    friendly GUI to sell the product, it becomes an obstacle to actually using
    the product in daily business.
    
       Perhaps the next security product is not at the detection level but at
    the policy generation level. An expert system that allows one to view
    security policies so that the expected behaviour of both the people and the
    system is compared with past experience and with required data to monitor
    this behaviour. This kind of high thought level software has always been
    harder to create than circuit level stuff, but it is the most important for
    actually getting results.
    
    
        Bill Royds
        Internet Security Manager
        Department of Canadian Heritage
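
    [Editor's note: an added example, not code from Bill Royds' post or from any
    product mentioned in the thread. It sketches what a minimal "policy language"
    that is both explainable and checkable could look like. The rule grammar
    (allow|deny <proto|any> from <cidr|any> to <cidr|any> [port N]), its
    first-match semantics, and the sample policy are all assumptions made for
    the illustration. The verifier reports the classic firewall-policy anomalies
    (a later rule fully covered by an earlier one, and a missing catch-all) and
    the explainer renders each rule in plain language for a non-technical reader.]

```python
"""Toy security policy language: parse, explain in plain English, and verify.

Added example (not from the original post). Grammar, semantics and the sample
policy below are assumptions chosen to illustrate the idea of a notation that
is readable by managers yet mechanically checkable.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_NET = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]           # None means any port
    text: str                     # the source line, for error messages


def parse_rule(line: str) -> Rule:
    """Parse one line of the assumed grammar; raise ValueError on anything else."""
    tok = line.split()
    ok = (len(tok) in (6, 8) and tok[0] in ("allow", "deny")
          and tok[1] in ("tcp", "udp", "any") and tok[2] == "from" and tok[4] == "to"
          and (len(tok) == 6 or tok[6] == "port"))
    if not ok:
        raise ValueError(f"cannot parse policy line: {line!r}")
    port = None
    if len(tok) == 8:
        port = int(tok[7])                      # non-numeric port also raises ValueError
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {line!r}")

    def net(s: str) -> ipaddress.IPv4Network:
        return ANY_NET if s == "any" else ipaddress.IPv4Network(s, strict=False)

    return Rule(tok[0], tok[1], net(tok[3]), net(tok[5]), port, line)


def parse_policy(text: str) -> List[Rule]:
    """Parse a whole policy; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer` (action ignored)."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


_CATCH_ALL = Rule("deny", "any", ANY_NET, ANY_NET, None, "any from any to any")


def verify(rules: List[Rule]) -> List[str]:
    """Under first-match semantics, report rules that can never fire and a missing default."""
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, later):
                # Same action: harmless but dead weight. Opposite action: an intended
                # exception that the earlier rule silently defeats.
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append(f"rule {i + 1} ({later.text}) can never fire: "
                                f"it is {kind} by rule {j + 1} ({earlier.text})")
                break
    if not any(covers(r, _CATCH_ALL) for r in rules):
        findings.append("no explicit default rule: traffic matching nothing above "
                        "is left to the device's implicit behaviour")
    return findings


def explain(rules: List[Rule]) -> List[str]:
    """Plain-language rendering of each rule, one sentence per rule."""
    lines = []
    for i, r in enumerate(rules, 1):
        verb = "Permit" if r.action == "allow" else "Block"
        proto = "all" if r.proto == "any" else r.proto.upper()
        src = "anywhere" if r.src == ANY_NET else str(r.src)
        dst = "any host" if r.dst == ANY_NET else str(r.dst)
        port = "" if r.port is None else f" on port {r.port}"
        lines.append(f"{i}. {verb} {proto} traffic from {src} to {dst}{port}.")
    return lines


# Constructed sample policy (assumption): rule 3 is an exception that rule 2
# has already decided, and rule 4 merely repeats rule 1 for a smaller range.
SAMPLE_POLICY = """
allow tcp from 10.0.0.0/8 to 192.168.1.10/32 port 22     # admins may ssh to bastion
deny  tcp from any to any port 23                        # no telnet anywhere
allow tcp from 10.0.0.0/8 to any port 23                 # 'exception' that never fires
allow tcp from 10.1.0.0/16 to 192.168.1.10/32 port 22    # already covered by rule 1
deny  any from any to any                                # explicit default deny
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print("\n".join(explain(policy)))
    for finding in verify(policy):
        print("WARNING:", finding)
```

    The point of keeping the parser, the verifier and the explainer over one
    data structure is that the management-facing sentences and the mechanical
    checks are guaranteed to describe the same rules, which is exactly the gap
    a hand-written policy document and a separately configured box tend to open.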
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:13 PDT