Firewall Wizards mailing list archives

Re: Intrusion Detection


From: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: Mon, 20 Apr 1998 13:31:50 -0400

I know that I'm kicking a dead horse, but just one question...

Marcus J. Ranum says:
      What's interesting in this example (the firewall) is the
assumption that your IDS can understand what "correct" behavior
of the firewall is. What that means is that you'd be able to
invert the firewall's policy, or somehow have an IDS that was
coupled to your understanding of what should and should not
work through the firewall. That's what I've been calling this
"policy-based IDS" stuff: when you know a priori what should and
shouldn't happen and look for cases where what shouldn't happen
is happening. 

Can't this be done with two firewalls in series?  Both firewalls would
have the same rule set, with one exception.  The outer firewall has a
default deny rule that simply drops stuff.  The inner firewall, has a
default deny rule that drops stuff, and sets off an alarm to the
administrators.  If the administrators ever get an alarm from the inner
firewall, they know that the outer firewall is permitting things it
shouldn't, or that the rulesets are out of sync.  This could even be done,
crudely, with a router as the outer firewall.

This is not, by any means, perfect.  But isn't this a rudimentary policy
based IDS?

-- 
Mark Horn <mhorn () funb com>

PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
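An added illustration, not part of Mark's post or anything else on the list: the two-firewalls-in-series arrangement he describes, simulated in Python. The rule matcher, the addresses, the sample policy and the traffic are all constructed for this example. It shows that when both boxes carry the same policy the inner firewall's alarming default-deny rule never fires, and that a permit present only on the outer box (configuration drift) turns up as a default-deny hit on the inner box, naming the exact packet that got through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match filter with an implicit default-deny after the last rule.
    With alarm_on_default_deny set, every packet that reaches the default
    rule is recorded: on the inner firewall that record is the alarm."""

    def __init__(self, name: str, rules: List[Rule], alarm_on_default_deny: bool):
        self.name = name
        self.rules = list(rules)
        self.alarm_on_default_deny = alarm_on_default_deny
        self.alarms: List[Packet] = []

    def filter(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "permit"
        if self.alarm_on_default_deny:   # default-deny rule reached
            self.alarms.append(pkt)
        return False


# Constructed shared policy: SMTP to the mail relay, HTTP to the web server,
# nothing else. Both firewalls are supposed to run exactly this list.
POLICY = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 25),
    Rule("permit", "0.0.0.0/0", "192.0.2.20/32", "tcp", 80),
]

# Constructed sample traffic: two legitimate flows, a telnet attempt, a DNS query.
TRAFFIC = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 80),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 23),
    Packet("198.51.100.7", "192.0.2.10", "udp", 53),
]


def run_chain(outer: Firewall, inner: Firewall, packets):
    """Pass packets through the outer then the inner firewall.
    Returns (delivered packets, inner firewall alarms)."""
    delivered = []
    for pkt in packets:
        if not outer.filter(pkt):
            continue                  # silently dropped at the perimeter
        if inner.filter(pkt):
            delivered.append(pkt)
    return delivered, list(inner.alarms)


def in_sync_scenario():
    outer = Firewall("outer", POLICY, alarm_on_default_deny=False)
    inner = Firewall("inner", POLICY, alarm_on_default_deny=True)
    return run_chain(outer, inner, TRAFFIC)


def drifted_scenario():
    # Configuration drift: a telnet permit was added to the outer box only.
    drifted = POLICY + [Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23)]
    outer = Firewall("outer", drifted, alarm_on_default_deny=False)
    inner = Firewall("inner", POLICY, alarm_on_default_deny=True)
    return run_chain(outer, inner, TRAFFIC)


if __name__ == "__main__":
    for label, scenario in (("in sync", in_sync_scenario), ("drifted", drifted_scenario)):
        delivered, alarms = scenario()
        print(f"{label}: delivered={len(delivered)} inner alarms={len(alarms)}")
        for pkt in alarms:
            print(f"  ALARM: inner default-deny hit, outer let through {pkt}")
```

On real equipment the inner default-deny rule would log to syslog rather than append to a list, and the telnet packet is still dropped by the inner box; what the alarm buys you is exactly the signal Mark describes, that the outer filter permitted something the policy says it should not, or that the two rulesets have drifted apart.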