focus-ids October 2008 archive
Main Archive Page > Month Archives  > focus-ids archives
focus-ids: Re: IDS vs Application Proxy Firewal

Re: IDS vs Application Proxy Firewal

From: Arian J. Evans <arian.evans_at_nospam>
Date: Tue Oct 28 2008 - 22:44:52 GMT
To: "Omar Herrera" <oherrera@prodigy.net.mx>, focus-ids@securityfocus.com


To Stephano's response, I would like to add that I think I completely mis-used the terms blacklist vs. whitelist when discussing anomaly detection (and I mix anomaly and mis-use case).

I have not kept up with IDS and clearly need to go read more recent work to bring myself up to speed with the terms and concepts.

So when you read my post asserting anomaly detection validity, understand I am lumping in mis-use case and ignore my attempts to align it with black & white verbiage.

As Ptacek would say: "I'm so 1999".

-ae

On Mon, Oct 27, 2008 at 8:21 PM, Omar Herrera <oherrera@prodigy.net.mx> wrote:
> Hi Arian,
>
> Arian J. Evans escribió:
>> Omar -- you have a very nice, well-thought-out,
>> post below. Yet, philosophically, I could not
>> agree with you less.
>>
>> BAD (behavioral anomaly detection) can be approached
>> as either a blacklist or a whitelist. Though, to be fair,
>> the cases for whitelisting in BAD fashion are fewer,
>> and since in BAD you are talking statistical inference
>> or deduction, there is a fuzzy, slippery slope between
>> "black" and "white" listing.
>>
> True, my examples were only assuming bad detection, but white listing
> through automatic software has its flaws. You are not guaranteed to get
> a complete white list with an automatic tool because it can only take
> into account what it sees and what it measures. So this activity is time
> dependent and unless you try to guess if good or bad, you will end up
> reacting anyway. White lists should have human intervention to include
> as much context information to be effective, in my opinion.
-- -- Arian J. Evans. Software. Security. Stuff. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------