[Discussion] What are we making?

Rob, grandpa of Ryan, Trevor, Devon & Hannah rMslade at shaw.ca
Sun Oct 19 01:09:13 UTC 2008


Question: what are we making?  Oh, yeah, I read the blurb: "The OISF has been 
chartered and funded to build a next-generation intrusion detection and prevention 
engine. This project will consider every new and existing technology, concept and 
idea to build a completely open source licensed engine."

OK, we're making an IDS.  But I think we need to be more specific.  In particular, 
we need to answer the question of "who."

Since the DHS has provided money, I suspect there would be an automatic 
assumption that this is a heavy-duty device intended for use to protect major 
servers and nodes in the critical information infrastructure.  (Whatever that 
means.)  This kind of thing is built by professionals, for professionals.  Trained 
people.

However, given the current computing environment, I think it would be relatively 
easy to make a case that such a device is not going to do all that much good.  That 
a more accessible device, intended for "Grannyx" users, would actually do more to 
protect the infrastructure.  After all, it isn't major nodes on the net that make up 
botnets, it's the little guys.  Protect them, and you reduce the threat.  This is the 
"low hanging fruit" for the blackhats, so protecting that crop is going to give us 
the greatest benefit for the commitment of resources.

This makes a difference.  Not, perhaps, in terms of questions about multithreading 
analysis streams using graphics co-processors.  But certainly in most other areas.

We've talked about extensibility.  If we create a standard template or format for 
signatures, the "who" makes a difference.  Professionals need a warning and a 
packet.  Grannyx users need a warning, no packet, a clear explanation of what and 
how important, and a recommended course of action.  Makes a difference to the 
template.

In terms of my recommendation of a paran-o-meter, it makes a difference.  
Actually, I see huge debates over initial settings: do we keep it low to keep from 
crying wolf, or keep it high to keep people as safe as possible.  But one thing that 
should be done is make the paranoia settings not-quite-obvious up front, so that 
somebody needs to know a little about the implications before they start fiddling 
with settings.

Heck, if it's a professional device, we don't need to worry about the interface at 
all.  If it's for Granny, we definitely do.

It also makes a difference in terms of the technology to be included.  If it is for 
professionals, we can throw in everything.  If for Granny, we need to make a 
careful choice about maximum protection for minimum performance drain.

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca     slade at victoria.tc.ca     rslade at computercrime.org
        I'm getting so absent-minded that sometimes in the middle of
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/