Intrusion Detection

Marcus J. Ranum
Wed, 15 Apr 1998 17:57:40 -0400

Gary Crumrine writes:
>Well thank you Mr. Ranum, another world according to Marcus speech. 

Ok, first off let me publicly apologize for the tone of my mail. :(
Please chalk it up to stress and general lack of sleep, and forgive
me if you can. I definitely came off as too dogmatic. Sorry!

>The bottom line here is that there are a lot of tools out there, that are
>used by professionals to provide them with information they perceive as
>being important to them, or their management.

That's the important question I am trying to get people to think
about. First off, I don't agree that most of the people deploying
security tools these days are professionals who have the background
to use them adequately. This, I am painfully aware of, as someone
who runs a company that has built an amazingly powerful tool that
assumes expertise -- when expertise is in short supply...

I built a lot of firewalls, and I've seen a lot of firewalls
installed every which way but backwards. The reason I am going out
on a limb here is to try to get folks to build the right things
into their IDS' early on! Before it's too late! If I could go back
in time, I'd'a built firewalls that had "policy writing wizards"
that you could walk through and which would not only configure
the firewall but give you a hardcopy risk assessment of the policy
you built. Templates, too. We need the same kind of stuff for IDS.
Or they will also be complicated, obscure products that get
installed and ignored and finally unplugged. I'd hope that the
fact that I am saying this in a public forum, effectively giving
advice to potential competitors, will serve as proof of my
earnest or foolishness or both.

>Unfortunately, IDS systems seem to be the hot ticket these days. Forensic
>tools are not, and will not be in my opinion until the legal system has had
>more time to establish legal precedence. Business owners looking for tools
>these days are going to ask one very important question. What value is
>added with an IDS versus NFR.

You clearly misunderstood my posting to be an attack on competing
products. I guess I completely failed to get my point across.  :(  :(
I suspect it's partly because you may have missed the point of what
we've built at NFR -- it's a general purpose tool you could use
for forensics, or you could build a "network grep" MD-IDS with it.
I'm not saying that my software or any of the other players in the
IDS market are lame -- I'm saying that I don't think that in their
current form they solve a useful problem, but they're so darned
close only a few of us realize it. The same MD-IDS which is useless
outside a firewall is worth its weight in gold back in your data
center watching your mainframe!!

