Firewall Wizards mailing list archives
Re: future of IDS
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Fri, 16 Oct 1998 21:43:45 -0700
My personal horse-to-beat has been a variant of Vern's option #3. While passive monitoring is useful in and of itself, I think that security-aware applications need to be able to communicate directly with an IDS and convey information that is best available to the application itself.

For example, wouldn't it be neat if there was a standardized, IDS-aware, and reliable way for applications to indicate that "Required authentication failed for resource X, reason Y"? "Reason Y" is information that won't necessarily be available to a passive IDS, but can be used by an IDS in determining what action to take in response: extra logging, shunning, whatever.

IMHO, neither syslog nor SNMP "cut it" for this purpose.

The IDS would not have to be taught how to decipher each new protocol, it would instead understand the standard "Hey, IDS, here's an auth-failed message, take note!"

This also serves to distribute the CPU processing required in order to handle a given connection. Properly designed, a "participatory" IDS alleviates a lot of the work that a passive IDS has to do, and simplifies things tremendously.

It's Friday, it's late, I haven't fleshed these ideas out too well. Hopefully someone else can/will pick it up and run with it. (or a different someone will choose to pick holes in my relatively random rant.)

Regards,
--
Steve

Vern Paxson wrote:
With the likelihood that more and more hubs are going to disappear and be replaced by switches, where does that leave the humble IDS that can no longer see all the traffic it needs to, to do its job?

The IDS folks have been aware of this pending problem for a while. The basic approaches are (1) use an explicit tap on the switch, (2) build the IDS into the switch (or get the switch to cooperate with the IDS), (3) get the end hosts to chip in and function as IDS sensors.

Vern
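A sketch of the application-to-IDS "auth-failed" notification described in the message above, as an added example that is not part of the original post or of any real standard. The JSON field names, the reason codes, the thresholds and the `ParticipatoryIDS` class are all hypothetical, and the example assumes the messages arrive over a channel that already authenticates the sending application.

```python
import json
from collections import defaultdict

# Hypothetical policy: failures of this reason, within WINDOW seconds, before a
# peer is shunned. None means "log only". The reason is known only to the
# application; a passive sensor cannot tell these cases apart on the wire.
SHUN_AFTER = {"bad_password": 5, "unknown_user": 3,
              "expired_account": None, "revoked_cert": 1}
WINDOW = 60

def make_event(app, peer, resource, reason, ts):
    """Application side: serialize one auth-failed notification."""
    return json.dumps({"type": "auth-failed", "app": app, "peer": peer,
                       "resource": resource, "reason": reason, "ts": ts})

class ParticipatoryIDS:
    def __init__(self):
        self.recent = defaultdict(list)   # (peer, reason) -> recent timestamps
        self.shunned = set()

    def handle(self, raw):
        """IDS side: return the action for one message: ignore, log, extra-log or shun."""
        try:
            ev = json.loads(raw)
            peer, reason, ts = ev["peer"], ev["reason"], float(ev["ts"])
            if ev["type"] != "auth-failed":
                return "ignore"
        except (ValueError, KeyError, TypeError):
            return "ignore"       # a malformed message must not crash the IDS
        if reason not in SHUN_AFTER:
            return "extra-log"    # unknown reason: keep the detail, take no action
        limit = SHUN_AFTER[reason]
        if limit is None:
            return "log"
        # Keep only failures inside the sliding window, then add this one.
        hits = [t for t in self.recent[(peer, reason)] if ts - t < WINDOW] + [ts]
        self.recent[(peer, reason)] = hits
        if len(hits) >= limit:
            self.shunned.add(peer)
            return "shun"
        return "extra-log" if len(hits) > 1 else "log"
```

The IDS here never parses the application's own protocol; it only needs the one message format, and the per-reason policy is where "Reason Y" changes the response.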