[Dshield] DShield vs. Symantec: new features?

Stephane Grobety security at admin.fulgan.com
Thu Jan 8 15:04:55 GMT 2004

EVdV> Talking about new features... I'm writing a central logging
EVdV> system for security applications, which will run in a LAN. This
EVdV> is my master thesis by the way :-)

Good luck... I've written such a system about two years ago... Would
be interesting to compare the features ;)

EVdV> One of the features that would be really handy is the following:
EVdV> Assume a large scale attack is launched (new virus like blaster or slammer), 
EVdV> wouldn't it be great if the local security system could be automatically 
EVdV> warned?

What I've got from my experience with such system is that automatic
data analysis is really difficult. The problem is that the real threat
are usually either the ones you don't log (new threats on an allowed
application that follow the normal usage pattern) or the one that you
log but are burried in "routine noise" (for instance, anyone trying to
penetrate my network throu SMB will have a high chance of being
completely ignored for a long time).

EVdV> I was thinking of the following: a structured file on the
EVdV> DShield server (XML for instance) that normally would be empty
EVdV> (except for the start and end tags of course :-) ), but that
EVdV> would contain a list of ports and little explanations of the
EVdV> hazards on those ports, when a serious threat is discovered (and
EVdV> the infocon is raised to yellow/orange/red). Now, as far as I
EVdV> can see, the sysadmin has to read the page and adapt the
EVdV> firewalls himself, because there is no way to parse such data
EVdV> automatically. (Infocon is a picture, the daily messages about
EVdV> exploits and such are plain text).
EVdV> This way, a LAN would be protected against such severe attacks,
EVdV> even when the sysadmin is sleeping or on a holiday.

Well, that raise several different issues:

- First, someone's threat is someone els'e gackground noise. For
instance, if there is a new exploit that hits, say, sendmail, it
wouldn't be ANY threat to my network since I'm not using that program.
I, as an admin, can make the difference and decide wether or not to
close a port. But I wouldn't trust an automated system.

- Second, there is the problem of trust. As a private user, I could
decide to place the fate of my network in your hands because the
consequences of a false positive are not so serious. but as an admin
of a company that does a LOT of business through the net, i simply
can't take that risk in that way.

- Third, there is the risk of DOS. This one could be mitigated by
using digital signature and SSL, I suppose, but that's still a serious
issue to consider.

EVdV> For now, I try to detect attacks and then start automatically a
EVdV> containment procedure (closing the firewall for certain IP
EVdV> addresses, blocking internal IP's of infected systems, closing
EVdV> ports that are attacked by a large number of IP's, ...) This is
EVdV> quite fun, but it would be much better if the LAN does not have
EVdV> to get 'sick' before the system can do something.

I'm not against this idea at all. In fact, I think it could be really
nice if implemented properly. My objections here are only here to
provide ground on working out a good feature set.

Good luck,
Best regards,
 Stephane                            mailto:security at admin.fulgan.com

More information about the list mailing list