[Discussion] Features - egress

John Ives jives at security.berkeley.edu
Fri Oct 17 19:25:15 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> Date sent:      	Thu, 16 Oct 2008 21:00:32 -0400
> From:           	Matt Jonkman <jonkman at jonkmans.com>
> 
>> Here's the big thread. And don't be afraid to start sub-threads for
>> specifics here.
> 
> OK  :-)
> 
>> OK, those are my initial wish list items. Who has more? What else should
>> we do? 
> 
> Allow me to throw in a strong push for including egress scanning and analysis.  We 
> tend to get fixated on the traditional bastion position, with the bad guys all on the 
> outside and everything inside is pure.  In the current malware-rich environment 
> that is untenable.  We also can gain a lot more granular information (in addition 
> to the defence-in-depth backstop) from egress scanning, since we have a much 
> better idea of what *should* be leaving our nets.

Speak for yourself :)

My long-standing and still somewhat accurate joke is that we try to
protect our students from the Internet less than we try to protect the
Internet from our students.

Actually thanks to better policies and education, we are now more
balanced in our detection aims than ever before, but I still spend a lot
of my time looking at the outbound stuff as well.

Having said that, you are correct in that, out of the box, most IDS/IPS
tools have a mentality that the bad stuff is coming from outside the
border, and that just isn't always true.  Additionally, in most
environments, the outbound traffic should be easier to diagnose and
classify than the inbound (of course this isn't necessarily true in
environments that lack strong central control - like academic institutions).

Yours,

John

- --
- -------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security			     Cell (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJI+OabAAoJEJkidK6qbywsKhcIAJw8WbViCU0THP2wnw+r2vN8
spWUEibBujFWtS+rCHVnv1hMKieQEL+NwOEz6pxAvO/O+uJvIu3Ll7UFcnNsR5Kj
O8OcHOmlFE7waSEmSn3UYmHCas6tMSz6+7Av3rMGg3z1Pj+vG0MJE9h1MyBVY0mR
192YsNt2cESdhN3JU2c7YoiqbbRCFYMplSpZN5+4WkuO8qcOJVxLGg0li4e5a0EG
k8IGGA2wgpc9Yy+SxTVSe8NTC+nlPcEz7p5Yg7YYiOsvupyCiF5wkGC1cU0i2CXx
V2cTEGu4bG7eYfudD81guiLAvtC3iXVPOvPKVUHPkHUZcbl1GYtP3tmy2GbGh58=
=ES6o
-----END PGP SIGNATURE-----
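The egress baseline Rob and John describe above (knowing what *should* be leaving the network and flagging what does not fit) can be written down as a small policy check over flow records. The block below is an added example, not code from the list post or from the IDS project under discussion: the egress policy, the subnets, the hypothetical flow-record format (`src dst proto dport`) and the sample flows are all constructed for illustration.

```python
"""Egress policy check: flag outbound flows that deviate from expected egress.

Assumptions (constructed for this example, not from the list post):
  - 10.0.0.0/8 is "inside"; anything else is the Internet.
  - Flow records arrive as whitespace-separated "src dst proto dport" lines.
  - The policy below is the organisation's statement of what SHOULD leave
    each internal network; the most specific matching network wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed policy: internal source network -> (proto, dst_port) pairs it may
# open to the Internet.  Everything outbound that is not listed gets flagged.
EGRESS_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "10.1.0.0/16":  {("tcp", 80), ("tcp", 443), ("udp", 123)},  # user workstations
    "10.2.0.0/24":  {("tcp", 25), ("tcp", 443)},                # mail relays may speak SMTP
    "10.0.0.53/32": {("udp", 53), ("tcp", 53)},                 # the one sanctioned DNS resolver
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def policy_for(src: ipaddress._BaseAddress) -> Optional[Set[Tuple[str, int]]]:
    """Longest-prefix match of the source address against EGRESS_POLICY."""
    best_net, best_allowed = None, None
    for net_str, allowed in EGRESS_POLICY.items():
        net = ipaddress.ip_network(net_str)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_allowed = net, allowed
    return best_allowed


def classify(flow: Flow) -> str:
    """Return 'allowed', 'not-egress', or a short reason the flow is unexpected."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not is_internal(src) or is_internal(dst):
        return "not-egress"  # inbound or purely internal; outside an egress policy's scope
    allowed = policy_for(src)
    if allowed is None:
        return "unknown-source-net"  # an internal address nobody wrote a policy for
    if (flow.proto, flow.dport) in allowed:
        return "allowed"
    if flow.dport == 53:
        # DNS straight to the Internet from a non-resolver: a classic sign of a
        # misconfigured host or malware bypassing the sanctioned resolver.
        return "direct-dns-bypass"
    return f"unexpected-service:{flow.proto}/{flow.dport}"


def parse_flow_line(line: str) -> Flow:
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def egress_findings(records: str) -> List[Tuple[str, str, str]]:
    """Classify every record; return (src, dst, verdict) for flows worth a look."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        verdict = classify(flow)
        if verdict not in ("allowed", "not-egress"):
            findings.append((flow.src, flow.dst, verdict))
    return findings


# Constructed sample flows (documentation address ranges stand in for the Internet).
SAMPLE_FLOWS = """
10.1.4.20   192.0.2.80      tcp 443
10.1.4.20   198.51.100.7    tcp 25
10.1.4.21   198.51.100.53   udp 53
10.0.0.53   198.51.100.53   udp 53
10.2.0.5    198.51.100.7    tcp 25
203.0.113.9 10.1.4.20       tcp 445
10.1.4.20   10.0.0.53       udp 53
10.9.9.9    198.51.100.7    tcp 443
"""

if __name__ == "__main__":
    for src, dst, verdict in egress_findings(SAMPLE_FLOWS):
        print(f"{src:>12} -> {dst:<14} {verdict}")
```

The point of the structure is John's observation that outbound traffic is easier to classify: the policy is short because the set of sanctioned egress services is small, so deviations (a workstation speaking SMTP directly, DNS that skips the internal resolver, an address nobody has written a policy for) fall out as explicit verdicts rather than needing a signature each. In a real deployment the same check would run over NetFlow or IDS flow logs, and the `unknown-source-net` verdict is the one that matters most in loosely controlled networks, since it exposes the hosts the policy has never accounted for.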
