The other issue is how to protect the DB from the DBAs that administer it. They are actually the core link in the puzzle.

Todd

----- Original Message -----
From: <lbuchanaat_private>
To: <LOGANALYSISat_private>
Sent: Friday, September 21, 2001 7:21 AM
Subject: RE: [logs] Oracle IDS

> Hi,
>
> Ofir Arkin (OA) and Pete Finnigan (PF) posted messages partially quoted
> below.
>
> OA> Oracle security and IDS monitoring of the database is a VERY big issue
> OA> when we are talking about major corporations using Oracle as their
> OA> master DB of choice.
>
> Yes it is a big issue. Just purchasing Oracle, the machine to run it on,
> hiring and/or training staff, and customizing the database and tools is an
> investment with an uncertain payback.
>
> PF> ... if this is because there is a lack of interest in Oracle security
> PF> or because there is genuinely nothing out there.
>
> There is not much out there because of price of entry. Only organizations
> that have significant amounts of data generated by various IDS sensors
> would find it useful. My company developed something called Voyeur, and
> the current version uses Oracle. I am not certain what the status is of
> Voyeur as the people who developed it have left the company. It was
> originally developed around MySQL, but MySQL could not handle the volume of
> data that was generated by some of our clients.
>
> PF> ... i have decided to write an Oracle IDS myself.
>
> Go for it.
>
> PF> ... whether it will be free or commercial, ...
>
> Do both. I would suggest that you actually design your IDS to use both
> Oracle and MySQL (or similar database). The free version would only
> provide basic IDS functionality, and the commercial version would have
> value added features.
>
> PF> ... what features they feel would be important ...
>
> Feature number one would be security of the database. The collected
> information would be very valuable to any potential attacker. Severely
> limit access to the entire database.
>
> Feature number two would be to use the database for more than IDS. The
> collected information should be considered to be part of "corporate
> history".
>
> I don't know if I would want to use the database for realtime monitoring.
> Realtime monitoring should be done on the data prior to storage in the
> database. I would say the focus of the analysis on the database should be
> looking at time periods ranging from a couple of days to a few months.
>
> PF> Not sure about an interface ( GUI ) yet, maybe Java based.
>
> Java or HTTP. Both are platform independent and you have lots of examples to
> draw upon.
>
> PF> The signatures will be easy to define and be stored in the
> PF> database encrypted.
>
> What is the point of encryption? Where is/are the decryption key(s) kept?
>
> Returning to the issue of free or commercial, you really need to decide
> this early on as this will influence key design and implementation
> decisions. If you decide on free, then use your own environment and needs
> to guide these decisions. Otherwise, you will need to consider a much
> wider set of issues on which to base your decisions about the design and
> implementation.
>
> Good luck & B Cing U
>
> Buck
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
> ---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Sep 21 2001 - 10:02:44 PDT