Firewall Wizards mailing list archives

Re: IDS outside of firewall?


From: Henry Hertz Hobbit <hhhobbit () icarus weber edu>
Date: Tue, 4 Aug 1998 17:10:23 -0600 (MDT)

On Mon, 3 Aug 1998, Woody Weaver wrote:

<little snip>.  I do not believe that for "most
organizations" an IDS would detect lots of probes every day.  In any event,
it can provide an estimate of the threat level of the organization.  If I
put a passive IDS outside wiltelnsi.com (my return address) I would expect
to see almost no probes -- the company is boring, nothing valuable to steal
-- and security is designed with that threat level in mind.  If I put a
passive IDS outside sony.com, where I would expect to see lots of script
kiddies with probes, the IDS can justify spending resources to be more
careful about security.

  <big snip>

I worked at a major University that had almost EVERY UNIX computer
on the campus broken into. What did they have? NOTHING! At least
nothing that you couldn't have got via some other way. Universities
by and large are DISSEMINATORS of information, not HOARDERS of it.
The main machines that had payroll, student records, etc. were not
even touched. They were all IBM mainframes and of course measures
had been taken to secure them.

What am I saying? I am saying that content at the site alone is
not the only motivator for a break-in. They could be doing it for
one of the following reasons (there are others):

1. They are practicing on your site for bigger game. The script
   kiddies have to start somewhere!

2. They are using your site as a hopping point to cover their tracks.
   This may be harder to do now (doubt it) but it is still a motivator.

3. They are a competitor that is probing to see just what they can
   find out. Yes, I know, you told me that you don't have anything
   of interest at your site. Don't bet on it.

4. Just for the hell(o) of it! Who knows what motivates some of these
   people to do what they do. Look at Mitnick. Can you honestly look
   at him and determine what is going on in that little warped twisted
   mind of his? He could obviously make MUCH MORE MONEY doing something
   legitimately, but there he rots in prison, now hoarding cans of tuna
   and getting in trouble for doing that. For that matter, what about
   the warped and twisted mind of the judges and others that make such
   a big deal about some cans of tuna! Honestly...I would go and ask
   him what he was doing it for, tell him I didn't care and that I had
   to hurry on out of there to get my 9 rounds in at the golf course.

Now I will grant you that an external IDS probably isn't going to
provide you with much of anything for somebody in your position.
But until you put it there, you have a sort of dark question mark
about what is going on out there. I have a feeling that you would
be surprised at the number and kinds of probes that you say aren't
going on.

Just one person's opinion, and maybe not worth much at that...


HHH
