Re: Security, Prevention & Detection

Justin Lister (ruf@osiris.cs.uow.edu.au)
Sat, 6 Aug 1994 06:12:07 +1000 (EST)

> Michael S. Hines <mshines@ia.purdue.edu> writes -

> > 
> > I also montior the firewalls list (@greatcircle.com) and view that as a
> > "prevention" method rather than as a detection method.

I was considering joining the firewall list; how much traffic on average?

> > I am more interested in approaches which prevent intrusion, rather than
> > after the fact detection.  But detection is certainly important, as there
          ^^^^^^^^^^^^^^^^^^
The goal of some systems is detection before a full intrusion, or should I
say before it gets to any critical point. This is definitely one of the
most difficult tasks, and so most systems would appear to have a long way
to go in meeting this goal.

> > are probably more people than are aware that their system has either been
> > hacked, or is currently under surveillance.

Yes, knowing a system is being monitored tends to scare off the average hacker
/cracker/crasher (whichever you prefer), who would just look for easier turf.
But then there are those who see this as an added challenge (one would expect
that this class of hacker would be the highly sophisticated). While it is
reported that most intrusive activity is actually internal users, one would
guess that if they knew they were being monitored then they wouldn't try
anything. However, what stops them from trying things gradually? And in a lot
of cases the user might have a good idea of what is and what isn't being
monitored. I would think that in the long run a system that is being monitored
would see a lot less activity than one that isn't (but how do you compare if
you aren't monitoring). B)

Now firewalls may be a good preventative measure, but they assume you only
have adversaries on the outside of the domain/subnet etc.

> > I'm looking forward to exchanging ideas with others with similar interests.
> >

> Michael, I'm sure that you'll run into folks on this list that also
> are sub'd to the firewalls@greatcircle.com.

> I have a tendency to agree with you; personally, I view prevention as
> the paramount issue. However, detection is also an issue which is many
> times taken for granted and simply overlooked.

Yes, the majority of systems don't even produce an audit trail.

> Cheers,

> _______________________________________________________________________________
> Paul Ferguson                         
> US Sprint 
> Managed Network Engineering                        tel: 703.904.2437 
> Herndon, Virginia  USA                        internet: paul@hawk.sprintmrn.com

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-214-330 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |  LiNuX - the only justification for using iNTeL  |
+---------------------+--------------------------------------------------+