Marcus,

--- On Wed, 15 Apr 1998 17:19:48 -0400 "Marcus J. Ranum" <mjrat_private> wrote:

>Eric Maiwald writes:
>>I think you are missing one important capability of attack
>>recognition tools: if I place the tool inside my firewall,
>>I can configure it to tell me if my firewall is not behaving correctly.
>
> Yeah! This is what I'm talking about!
>
> What's interesting in this example (the firewall) is the
>assumption that your IDS can understand what "correct" behavior
>of the firewall is. What that means is that you'd be able to
>invert the firewall's policy, or somehow have an IDS that was
>coupled to your understanding of what should and should not
>work through the firewall.

I think a word of caution is in order here. There seems to me to be a great danger if the coupling between "understanding of what should and should not work through the firewall" and IDS configuration is too automatic. That is, if the firewall were to generate the IDS configuration information, errors in the policy as configured into the firewall would likely be transferred to the IDS.

In many ways it would be nice to have some universal sort of way to explain policy to devices, but in doing so machine misinterpretation of that policy might distribute errors to multiple devices.

I'm far from saying that I have even a really strong clue how to deal with this in a clean way, but too tight a coupling could lead to a serious problem, as I see it.

--john

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293
FAX: 505/377-6313
E-mail: John McDermott <jjmat_private>
VP, J-K International, Ltd.
Writer and Computer Consultant
-------------------------------------
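The coupling problem John raises can be shown concretely. The following is an added illustration by the editor, not code from the list or from any of the participants; the firewall rules, the intended policy and the observed flows are all constructed sample data. A firewall ruleset containing an operator error (tcp/23 permitted by mistake) is used two ways to configure an IDS placed inside the firewall: once by generating the IDS's "expected traffic" list from the firewall rules (the tight coupling), and once from an independently written statement of the intended policy. Only the independent configuration alerts on the mistakenly permitted flow, and diffing the two lists is what surfaces the firewall error itself.

```python
"""Constructed illustration: IDS expectations derived from firewall rules
inherit the firewall's mistakes; an independently maintained policy does not.
All rules, ports and flows below are hypothetical sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp" or "udp"
    dst_port: Optional[int]   # None matches any destination port


def evaluate(rules, proto, dst_port):
    """First-match rule evaluation with an implicit final deny."""
    for r in rules:
        if r.proto == proto and (r.dst_port is None or r.dst_port == dst_port):
            return r.action
    return "deny"


def derive_ids_expectations(rules, candidate_flows):
    """Coupled configuration: whatever the firewall permits becomes 'expected'.
    Any error present in `rules` is carried over to the IDS unchanged."""
    return {flow for flow in candidate_flows if evaluate(rules, *flow) == "allow"}


def ids_alerts(expected_flows, observed_flows):
    """IDS inside the firewall: alert on any observed flow not in the expected set."""
    return [flow for flow in observed_flows if flow not in expected_flows]


def policy_discrepancies(intended_flows, firewall_derived_flows):
    """Consistency check between the two views: what the firewall permits
    but policy does not, and what policy intends but the firewall blocks."""
    return {
        "permitted_but_not_intended": firewall_derived_flows - intended_flows,
        "intended_but_blocked": intended_flows - firewall_derived_flows,
    }


# --- constructed sample data (hypothetical) ---
INTENDED_POLICY = {("tcp", 80), ("tcp", 443)}   # what the operator meant to allow

FIREWALL_RULES = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 23),   # operator error: telnet should have been denied
    Rule("deny", "tcp", None),
    Rule("deny", "udp", None),
]

# flows the IDS would enumerate when asking the firewall "what gets through?"
CANDIDATE_FLOWS = [("tcp", p) for p in (22, 23, 25, 80, 443)] + [("udp", 53)]

# flows an inside IDS observed after they crossed the firewall (constructed)
OBSERVED_INSIDE = [("tcp", 80), ("tcp", 23), ("tcp", 443)]


def run_example():
    """Compare the coupled and independent IDS configurations on the same traffic."""
    coupled = derive_ids_expectations(FIREWALL_RULES, CANDIDATE_FLOWS)
    return {
        "coupled_alerts": ids_alerts(coupled, OBSERVED_INSIDE),            # []
        "independent_alerts": ids_alerts(INTENDED_POLICY, OBSERVED_INSIDE),  # [("tcp", 23)]
        "discrepancies": policy_discrepancies(INTENDED_POLICY, coupled),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The practical takeaway is the last function: keeping the intended policy as a separately authored artifact, and comparing it against what the firewall actually derives, turns a silent shared error into a reported discrepancy, whereas generating one device's configuration from the other removes the only vantage point from which the error is visible.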
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:19 PDT