IDS mailing list archives
RE: How to choose an IDS/FW MSS provider
From: "Stuart Staniford" <stuart () nevisnetworks com>
Date: Mon, 14 Mar 2005 21:05:19 -0800
Richard Bejtlich wrote:
I understand that market pressures and misguided research organizations are forcing access control and audit functions to converge. This is a shame. I wrote an article called "Considering Convergence?" that recommends keeping access control and audit separate. [0]
and
Ross Anderson's exceptional book 'Security Engineering' recommends avoiding "convergence" when he talks about bookkeeping and fraud: "With functional separation of duties, two or more different staff members act on a transaction at different points in its path. The classic example is corporate purchasing. A manager makes a purchase decision and tells the purchasing department; a clerk there writes a purchase order; the store clerk records the arrival of goods; an invoice arrives at accounts; the accounts clerk correlates it with the purchase order and the store receipt, and cuts a check; the accounts manager signs the check."
It seems to me the separation of duties argument more strongly supports having multiple layers from different vendors than it does having access control and audit functions separate.

Customers increasingly want to do access control at L5-L7 (traditionally IDS territory), which is inherently more vulnerability prone than only doing access control at L2-L4 (traditional switch ACL and firewall territory). Customers want to do this because L2-L4 access control may be too crude (I want my employees outbound access to the web, but I don't want them surfing porn, or I want customers coming to my web site, but not running attacks against it). So vendors rush to support what customers want. Once one is doing all that parsing and checking in the application layers one might as well incorporate the L5-L7 audit logging (it's not that much more work in the product).

Having two layers from the same vendor with the same codebase, one layer doing the access control and one the audit would add very little security. Having two layers from different vendors, both doing access control and audit, adds significant security (and significant management overhead). I've seen very security conscious organizations that can afford it doing the latter (two different firewalls in series at the perimeter, or internal NIPS for segmentation, with different vendor HIPS as well for backup at least on key assets).

Stuart.

Stuart Staniford, Principal Scientist
Nevis Networks
stuart () nevisnetworks com
408-327-4652