Firewall Wizards mailing list archives

RE: Time for a new FWTK?


From: Craig Brozefsky <craig () onshore com>
Date: Wed, 26 Nov 1997 22:09:30 -0600

On Thu, 27 Nov 1997, Bret Watson wrote:

If the application proxy can be likened to a bank cashier and stateful
filtering to a front desk security guard, then how about the concept of
CPTED? (Crime Prevention Through Environmental Design - for those without a
physSec background)
Where the 'firewall' watches all that happens on the network and reports
when activities are suspicious or new so that the heavies can come in -
in other words something like RealSecure on steroids...

What kinds of analysis would this entail, in particular what details 
would be needed from the packets, what data would you want to keep 
around, what types of analysis would you think would be necessary to get 
anything near a suitable, somewhat reliable mechanism for detecting 
changes in traffic patterns, or more subtle attacks?

There are so many different methods of attack, and vectors that network 
traffic patterns can change on, perhaps it would do good to define and 
list those vectors of change in network access patterns first.  You would 
want some sort of time domain to track the changes in, at least, a way to 
describe various protocols and therefore track changes across them.  You 
would maybe want to identify some major protocol types.  Maybe a way to 
define sequences in a generic manner so you could model various 
handshaking and service request methods.  Then you have to have a way to 
codify current traffic patterns, in order to identify anomalies.

Though for some reason I think that this "reactive" security software has a 
long way to go from pipe dream to effective software tool.

Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
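The design sketched in Craig's reply, as an added example that is not part of the original thread and not code from anyone on the list: a per-protocol, time-bucketed baseline of event counts learned from known-normal traffic, a generic sequence table used to model handshakes and request/reply exchanges, and two detectors on top of it (buckets whose volume exceeds the baseline or carry a protocol never seen before, and initiators with many exchanges that never reach the final step). The flow record format, the SEQUENCES table, the thresholds (k = 3 standard deviations, min_count = 3) and every traffic record below are constructed assumptions for illustration, not a real capture.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Hypothetical flow record: (ts, initiator, responder, proto, step). `step`
# names the protocol event; src/dst are oriented by whoever opened the
# exchange, the way a flow tracker would orient them. (Assumed format.)

# Generic sequence definitions (assumed): protocol -> steps of one complete exchange.
SEQUENCES = {
    "tcp": ("SYN", "SYN-ACK", "ACK"),
    "dns": ("query", "reply"),
}


def bucket(ts, width):
    """Start (in seconds) of the time bucket that `ts` falls into."""
    return int(ts // width) * width


def learn_baseline(records, width=60):
    """Per-protocol (mean, stdev) of events per bucket over known-normal traffic."""
    per_proto = defaultdict(Counter)
    buckets = set()
    for ts, _src, _dst, proto, _step in records:
        b = bucket(ts, width)
        buckets.add(b)
        per_proto[proto][b] += 1
    baseline = {}
    for proto, counts in per_proto.items():
        vals = [counts.get(b, 0) for b in buckets]  # quiet buckets count as zero
        baseline[proto] = (mean(vals), pstdev(vals))
    return baseline


def volume_anomalies(records, baseline, width=60, k=3.0, min_events=5):
    """Return (bucket, proto, count, reason) for buckets whose count exceeds
    mean + k*stdev, or whose protocol was never seen while learning."""
    per_bucket = defaultdict(Counter)
    for ts, _src, _dst, proto, _step in records:
        per_bucket[bucket(ts, width)][proto] += 1
    alerts = []
    for b in sorted(per_bucket):
        for proto, n in per_bucket[b].items():
            if proto not in baseline:
                alerts.append((b, proto, n, "new protocol"))
                continue
            mu, sigma = baseline[proto]
            # max(sigma, 1.0) keeps a perfectly flat baseline from alerting on +1.
            if n >= min_events and n > mu + k * max(sigma, 1.0):
                alerts.append((b, proto, n, "volume"))
    return alerts


def incomplete_sequences(records, min_count=3):
    """Walk each (initiator, responder, proto) through its SEQUENCES entry and
    report initiators with >= min_count exchanges that never reached the last
    step (e.g. many SYNs with no ACK: a sweep or a SYN flood)."""
    progress = {}  # key -> index of the next expected step
    for _ts, src, dst, proto, step in sorted(records):
        seq = SEQUENCES.get(proto)
        if seq is None:
            continue
        key = (src, dst, proto)
        nxt = progress.get(key, 0)
        if nxt < len(seq) and step == seq[nxt]:
            progress[key] = nxt + 1
        elif step == seq[0]:
            progress[key] = 1  # a fresh first step restarts the exchange
        # other out-of-order steps are ignored in this sketch
    incomplete = Counter()
    for (src, _dst, proto), nxt in progress.items():
        if nxt < len(SEQUENCES[proto]):
            incomplete[(src, proto)] += 1
    return {k: v for k, v in incomplete.items() if v >= min_count}


# --- constructed sample traffic (not a real capture) ------------------------

def normal_minute(m):
    """Four complete TCP handshakes and three DNS exchanges in minute m."""
    t0, recs = m * 60, []
    for i in range(4):
        for j, step in enumerate(SEQUENCES["tcp"]):
            recs.append((t0 + i * 10 + j, "10.0.0.%d" % (i + 1), "10.0.1.5", "tcp", step))
    for i in range(3):
        recs.append((t0 + i * 15, "10.0.0.%d" % (i + 1), "10.0.1.53", "dns", "query"))
        recs.append((t0 + i * 15 + 1, "10.0.0.%d" % (i + 1), "10.0.1.53", "dns", "reply"))
    return recs


def normal_traffic(minutes=5):
    return [r for m in range(minutes) for r in normal_minute(m)]


def observed_traffic():
    """Minute 10: normal traffic plus a 20-host SYN sweep and one unseen protocol."""
    recs = normal_minute(10)
    recs += [(630 + i, "192.0.2.7", "10.0.1.%d" % (i + 1), "tcp", "SYN") for i in range(20)]
    recs.append((605, "192.0.2.7", "10.0.1.5", "icmp", "echo"))
    return recs


BASELINE = learn_baseline(normal_traffic())
ALERTS = volume_anomalies(observed_traffic(), BASELINE)
SCANNERS = incomplete_sequences(observed_traffic())

if __name__ == "__main__":
    print("baseline:", BASELINE)
    print("alerts:", ALERTS)
    print("incomplete exchanges:", SCANNERS)
```

Run as a script it reports one TCP volume alert for the observed minute, one "new protocol" alert for the ICMP record, and 192.0.2.7 as the initiator of twenty TCP exchanges that never got past SYN, while the hosts doing complete handshakes and DNS lookups stay quiet. What the sketch leaves out is exactly the hard part: expiring per-connection state, deciding what an out-of-order step means, and a baseline that varies by hour and weekday rather than a single mean per protocol.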