Re: IDS for real...

adamsb@un.org
Wed, 22 Mar 95 13:33:30 EST

> As soon as someone can clearly define "misbehavin" we'll be on the 
> fast track to a solution.  Shucks, we can't even agree with our walls 
...
> Kinda like a filtering router...  programming the router ain't easy, 
> but it's a lot easier than trying to get the policies written and 
> approved!  

Starting point for "misbehavin" profile:

1.  User attempts to log into someone else's account in a critical system
    by guessing the password.  Proactive rule - don't let him access
    someone else's account.  Reactive rule - turn off his access to
    the system until the information security folks turn it back on.

2.  User on critical system attempts to connect to a site on the Internet.
    Proactive rule - block connections from critical systems to the
    Internet, like a packet filtering router.  Reactive rule - generate a
    report of incident which will be automatically mailed to his
    supervisor.

3.  Users on a given subnet attempt to access a sensitive system on a
    different subnet, to which none of those users are supposed to have
    access.  Proactive rule - block their access to the sensitive system,
    like a packet filtering router.  Reactive rule - introduce an
    additional authentication check which they must pass through to connect
    to any system off their own subnet.

4.  User has an IP address which is outside the domain of IP addresses in
    use by legitimate users.  Proactive rule - block access of all such
    addresses to everything on the network.  Reactive rule - get the kid's
    mother on the phone and tell her what her son is up to.

Finally, may I politely inquire "What policy"?

                                            Hog Farmer
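As an added example, not code from the post or from the list, here is a small Python rule engine that applies the four proactive/reactive rules above to constructed events. The host lists, the /24 "subnet" convention, the failed-login threshold and the event format are assumptions made for the example.

```python
import ipaddress
from collections import Counter
# Constructed policy values (assumptions for this example, not from the post).
CRITICAL_HOSTS = {"10.0.1.5"}                        # rules 1 and 2 apply here
SENSITIVE_HOSTS = {"10.0.9.2"}                       # rule 3 protects this host
LEGIT_NETS = [ipaddress.ip_network("10.0.0.0/16")]   # rule 4: legitimate address space
FAIL_THRESHOLD = 3                                   # guesses before rule 1 fires

def _internal(addr):
    return any(addr in net for net in LEGIT_NETS)

def _subnet(addr):
    # Treat each /24 as "a subnet" for rule 3 (assumption).
    return ipaddress.ip_network(f"{addr}/24", strict=False)

def apply_rules(events):
    """Evaluate each event; return (rule, proactive action, reactive action, event) hits."""
    hits, fails = [], Counter()
    for e in events:
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        if not _internal(src):
            # Rule 4: source address outside the range used by legitimate users
            hits.append((4, "block all access", "escalate to security staff", e))
            continue
        if e["type"] == "login_fail" and e["dst"] in CRITICAL_HOSTS and e["user"] != e["acct"]:
            # Rule 1: repeated guesses at someone else's account on a critical system
            fails[(e["src"], e["acct"])] += 1
            if fails[(e["src"], e["acct"])] == FAIL_THRESHOLD:
                hits.append((1, "deny access to other account", "disable user until security re-enables", e))
        elif e["type"] == "connect" and e["src"] in CRITICAL_HOSTS and not _internal(dst):
            # Rule 2: critical system connecting out to the Internet
            hits.append((2, "block connection", "mail incident report to supervisor", e))
        elif e["type"] == "connect" and e["dst"] in SENSITIVE_HOSTS and _subnet(src) != _subnet(dst):
            # Rule 3: off-subnet access to a sensitive system
            hits.append((3, "block connection", "require extra authentication off-subnet", e))
    return hits

# Constructed sample events (not real log data).
SAMPLE = [
    {"type": "login_fail", "src": "10.0.2.7", "dst": "10.0.1.5", "user": "bob", "acct": "root"},
    {"type": "login_fail", "src": "10.0.2.7", "dst": "10.0.1.5", "user": "bob", "acct": "root"},
    {"type": "login_fail", "src": "10.0.2.7", "dst": "10.0.1.5", "user": "bob", "acct": "root"},
    {"type": "connect", "src": "10.0.1.5", "dst": "198.51.100.9"},
    {"type": "connect", "src": "10.0.2.7", "dst": "10.0.9.2"},
    {"type": "connect", "src": "203.0.113.4", "dst": "10.0.1.5"},
]

def triggered_rules(events=SAMPLE):
    return [h[0] for h in apply_rules(events)]
```

Running `triggered_rules()` on the sample returns `[1, 2, 3, 4]`, one hit per rule; two failed guesses alone stay below the threshold and produce nothing.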