RE: IDS that retaliates.

From: Reidy, Patrick (Patrick.Reidy@veritect.com)
Date: 03/07/02


From: "Reidy, Patrick" <Patrick.Reidy@veritect.com>
To: "'Marcus J. Ranum'" <mjr@nfr.com>, Mark Crosbie <mcrosbie@cup.hp.com>, "Carr, Aaron [CNTUS]" <CarrA@Centocor.com>
Date: Thu, 7 Mar 2002 13:41:56 -0500 

Gotta agree here (besides the BSD comment): active retaliation is simply a
poor idea because of the false positive problem. We have seen some amusing
self-inflicted customer DoS attacks due to this issue. Additionally, some
vendor RST "retaliation" relies on the fact that the monitoring interface
can route packets, thus not in stealth mode. No thanks, I'll keep my
monitoring interface in stealth and make changes to my firewall when I
verify there is a problem.

pr

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr@nfr.com]
Sent: Wednesday, March 06, 2002 7:01 PM
To: Mark Crosbie; Carr, Aaron [CNTUS]
Cc: 'charles.skoglund@om.com'; security-basics@securityfocus.com;
focus-ids@securityfocus.com
Subject: RE: IDS that retaliates.

Mark Crosbie wrote:
>What good does retaliation really get you though (apart from a whole
>load of legal headache)? Wouldn't "recovery" be a better goal to aim
>for?

We've often gotten requests for "firewall reconfiguration" or other types
of "reaction" - what's interesting to me is that all these requests:
         - reaction
         - retaliation
         - repair
will be limited by the degree of certainty the IDS is able to achieve. If
you've got a 100% accurate diagnosis of the attack and its source then
you _might_ be able to take some steps. If it's not 100% accurate then
things start to go rapidly downhill. :) I think that in the next 4 or 5
years we'll see IDS getting close to being able to do such things but before
we get there, you'll see:
         - IDS correlation of significance: mapping events against types of
           attacks against types of targets and re-prioritizing their
           significance.
         - IDS indication of confidence level: IDS will start to associate a
           confidence value with an alert instead of just a severity. This is
           an "oh, DUH!" that a lot of us security guys have had recently: the
           severity of the problem is _not_ the same as the IDS' confidence
           of its diagnosis.
         - Establishment of mapping between significance (operationally set)
           of targets versus reactions.

Heck, I'd like my system not to retaliate or reconfigure but to fix itself.
:)

ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
vulnerable to attacks that are being launched against it. OpenBSD
has automatically been installed replacing the copy of Linux that was
on it...

:)

mjr.
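The points raised in this thread (confidence is not severity, target significance should drive the reaction, and a firewall change should wait for verification rather than automatic retaliation) sketched as a small response policy. This is an added example, not code from either poster or any IDS vendor; the asset inventory, signature names, addresses and thresholds are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: target host -> (platform, operational significance 1..10).
ASSETS = {
    "10.0.0.5": ("linux-apache", 9),   # public web server, critical
    "10.0.0.7": ("windows-iis", 3),    # lab box, low significance
}
# Constructed signature metadata: which platforms each signature can actually affect.
SIG_PLATFORMS = {
    "iis-traversal": {"windows-iis"},
    "ssh-overflow": {"linux-apache", "windows-iis"},
}
# Address space a block is never applied to (guards against the self-inflicted DoS
# the thread mentions, e.g. a spoofed or misattributed internal source).
PROTECTED = [ip_network("10.0.0.0/8")]

@dataclass
class Alert:
    signature: str
    source: str
    target: str
    severity: int     # 1..10: how bad it is if the attack is real
    confidence: int   # 1..10: how sure the sensor is that the match is real

def correlate(alert):
    """Re-prioritise: a signature fired against a platform it cannot affect keeps
    its severity, but confidence collapses because the match is almost certainly
    irrelevant to this target."""
    platform, significance = ASSETS.get(alert.target, ("unknown", 5))
    confidence = alert.confidence
    if platform not in SIG_PLATFORMS.get(alert.signature, set()):
        confidence = min(confidence, 2)
    return significance, confidence

def decide(alert, block_threshold=9):
    """Map (significance, severity, confidence) to a reaction. Nothing here ever
    sends traffic back at the source; the strongest action is a firewall rule."""
    significance, confidence = correlate(alert)
    if confidence < 5:
        return "log"                    # low confidence: record only, page nobody
    if significance * alert.severity < 40:
        return "notify"                 # plausible but unimportant: alert, no change
    if any(ip_address(alert.source) in net for net in PROTECTED):
        return "queue-for-analyst"      # never auto-block our own address space
    if confidence >= block_threshold:
        return "block-at-firewall"      # high confidence on a critical target
    return "queue-for-analyst"          # a human verifies before the firewall changes
```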


