[Tfug] Lightweight IDS options/strategy/policy

Kramer Lee krameremark1 at gmail.com
Tue Sep 24 23:27:38 MST 2013


"Think about it.  Would you tolerate something on your
"personal" internet if it *couldn't* "dial out" -- but
*could* interfere with the operation or integrity of
your stuff?"

That sounds like a virus/malware.  Is that part of intrusion detection?

So, we can be intruded into directly, an event we might be able to see
if an intrusion detection system worked and it wasn't a zero day
exploit.  If the hackers get past the IDS you are in trouble.  That
would be a bad event, especially if the critical internal computers
with the valuable information are connected directly to the internet
(not the best idea).  But even if that happens, and it isn't good, it
would be made much worse if the intrusion program can dial back out,
so you now suffer even more competitive loss from IP being taken, or
also financial information, internal passwords, etc.  At least if the
data can be kept inside the firewall, that part of the disaster can be
mitigated. Many hackers are hacking for profit, less are hacking to
damage.

Anyway, more emphasis should be put on keeping the valuable
information from getting out.  The intrusion detection stuff is great,
but not sufficient.

On 9/24/13, vaca at grazeland.com <vaca at grazeland.com> wrote:
> Tuning of an IDS can be very time consuming for some of the reasons
> mentioned here.  When is it innocent?  When is it a virus or a hacker?  That
> doesn't mean, however, that in a secure environment you just omit it.
>
> IDS is a basic building block for secure networks.  It is part of any
> comprehensive defense-in-depth strategy...as would be a documented and
> rehearsed security incident response plan.
>
> Tyler
>
> On Sep 24, 2013, at 10:12 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>
>> Hi Kramer,
>>
>> On 9/24/2013 3:08 PM, Kramer Lee wrote:
>>> The best thing would be to be able to keep packets of your information
>>> from going out of the computer.  So what if there is an intrusion? it
>>> only is a problem if there is an outflow of information as a result of
>>> the intrusion.
>>
>> Think about it.  Would you tolerate something on your
>> "personal" internet if it *couldn't* "dial out" -- but
>> *could* interfere with the operation or integrity of
>> your stuff?
>>
>> I can contain attacks so they can't "do" anything (even
>> for an adversary "on the inside" -- though I can't prevent
>> certain types of DoS attacks ).
>>
>> But, how do I tell the user (internet owner/administrator) that
>> something is (possibly) *trying* to "harm" (?) him -- even if
>> I've neutralized the threat?
>>
>> And, what do I tell him to *do* in that event?  "Worry"?  :<
>>
>>
>> _______________________________________________
>> Tucson Free Unix Group - tfug at tfug.org
>> Subscription Options:
>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
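The point argued above, that detecting the break-in is necessary but keeping data from leaving the network is what limits the damage, is usually implemented as a default-deny egress policy: each internal subnet gets an explicit allow-list of where it may connect, and everything else is blocked and logged. The script below is an added illustration and is not code from any participant in this thread. The policy table, the firewall log format and the log lines are all constructed for the example; a real deployment would read the firewall's own log and use its own allow-list.

```python
"""Egress allow-list checker: flag outbound flows a default-deny policy would block.

Added example, not from the thread. Policy, log format and sample lines are constructed.
"""
import ipaddress
import re

# Constructed policy: source subnet -> list of (destination network, destination port)
# that hosts in that subnet are permitted to reach. Anything not listed is denied.
EGRESS_POLICY = {
    # Workstations: HTTPS to anywhere, DNS only to the internal resolver.
    "10.0.10.0/24": [("0.0.0.0/0", 443), ("10.0.1.53/32", 53)],
    # Database/file servers: may only talk to the internal app tier, never outbound.
    "10.0.20.0/24": [("10.0.1.0/24", 5432)],
}

# Constructed firewall log lines (syslog-like format assumed for this example).
SAMPLE_LOG = """\
2013-09-24T22:01:03 OUT src=10.0.10.17 dst=93.184.216.34 proto=tcp dport=443
2013-09-24T22:01:09 OUT src=10.0.10.17 dst=10.0.1.53 proto=udp dport=53
2013-09-24T22:02:41 OUT src=10.0.20.5 dst=10.0.1.8 proto=tcp dport=5432
2013-09-24T22:03:17 OUT src=10.0.20.5 dst=198.51.100.77 proto=tcp dport=443
2013-09-24T22:04:02 OUT src=10.0.10.31 dst=198.51.100.9 proto=tcp dport=4444
2013-09-24T22:05:55 OUT src=10.0.30.2 dst=203.0.113.4 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed(src, dst, dport):
    """Default-deny decision: True only if the source falls in a policy subnet
    and (dst, dport) matches one of that subnet's allow rules."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for subnet, rules in EGRESS_POLICY.items():
        if src_ip in ipaddress.ip_network(subnet):
            return any(
                dst_ip in ipaddress.ip_network(net) and dport == port
                for net, port in rules
            )
    return False  # source has no policy entry at all: deny


def explain(rec):
    """Human-readable reason a record was denied, for the analyst reading the alert."""
    src_ip = ipaddress.ip_address(rec["src"])
    if not any(src_ip in ipaddress.ip_network(s) for s in EGRESS_POLICY):
        return "no egress policy for source subnet (default deny)"
    return "destination/port not on the source subnet's allow-list"


def find_violations(log_text):
    """Return the parsed records that the egress policy would have blocked."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_allowed(rec["src"], rec["dst"], rec["dport"]):
            rec["reason"] = explain(rec)
            violations.append(rec)
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} DENY {v['src']} -> {v['dst']}:{v['dport']}  ({v['reason']})")
```

Of the six constructed flows, three would be blocked: the server reaching an external address on 443 (a server that never needs the internet is the kind of host whose outbound traffic should be denied outright, which is exactly the case the thread is worried about), a workstation connecting to an unusual port, and a host in a subnet with no policy at all. The first two pass an IDS looking only for inbound attack signatures; the egress allow-list catches them regardless of whether the intrusion itself was noticed.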