August, 2000: Burglar Alarms for Detecting Intrusions
At our August meeting, Marcus Ranum of Network Flight Recorder discussed building burglar alarms for detecting network intrusions.
The rationale for these burglar alarms is that, since firewall
technologies do not provide 100 percent protection from hackers,
it is important to have mechanisms in place to detect whether
there has been a successful penetration into your internal
networks and/or hosts, and to gather information on their
activities so that they can be successfully prevented from doing damage.
Marcus made an analogy between network intrusion detection and
home burglar alarms: like network firewalls, perimeter alarms
on doors and windows detect the unsophisticated burglar
that smashes a window and runs off with valuables in the home.
The more sophisticated, and more dangerous, intruder manages to
disable perimeter security and gather valuables undetected.
The network burglar alarms that Marcus proposes are analogous
to the pressure pad in front of the stereo or the sensor on
the jewelry box: their presence is unexpected and they successfully
sound an alarm for an intrusion that would otherwise not have been
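The pressure-pad idea translates directly into a detection rule: pick resources that have no legitimate use inside the network (an unused address, an unused port on a real server, a file nobody should open) and treat any touch of them as an alarm rather than as traffic to be counted. The following is an added illustration, not code from Marcus Ranum or Network Flight Recorder; the log line formats, decoy addresses, decoy file name and sample log are all constructed assumptions.

```python
"""Burglar-alarm style detector: alert on any access to decoy resources
that have no legitimate use on the internal network.

Added illustration, not code from the talk or from Network Flight
Recorder.  The log format, decoy addresses and file path are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Decoys (assumed for this example).  Nothing legitimate ever talks to
# these, so a single hit is an alarm, not a statistic to be thresholded.
DECOY_HOSTS = {"10.0.5.250"}                    # address with no machine on it
DECOY_PORTS = {("10.0.5.10", 2049)}             # NFS never enabled on this server
DECOY_FILES = {"/home/finance/payroll-2000.xls"}  # bait file nobody should read


@dataclass
class Alarm:
    kind: str    # which pressure pad was stepped on
    source: str  # who or what touched it
    target: str  # the decoy that was touched
    line: str    # the raw log line, kept for the investigator


# Constructed log line shapes used by this example:
#   CONN <src_ip> -> <dst_ip>:<dst_port>
#   FILE <user>@<host> read <path>
CONN_RE = re.compile(r"^CONN (\S+) -> (\S+):(\d+)$")
FILE_RE = re.compile(r"^FILE (\S+) read (\S+)$")


def check_line(line: str) -> Optional[Alarm]:
    """Return an Alarm if this log line touches a decoy, else None."""
    line = line.strip()
    m = CONN_RE.match(line)
    if m:
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if dst in DECOY_HOSTS:
            return Alarm("decoy-host", src, dst, line)
        if (dst, port) in DECOY_PORTS:
            return Alarm("decoy-port", src, f"{dst}:{port}", line)
        return None
    m = FILE_RE.match(line)
    if m:
        who, path = m.group(1), m.group(2)
        if path in DECOY_FILES:
            return Alarm("decoy-file", who, path, line)
    return None  # unparsed or legitimate activity: the alarm stays silent


def scan(lines: List[str]) -> List[Alarm]:
    """Run every line through the alarm and collect the hits."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log: ordinary traffic mixed with three decoy touches.
SAMPLE_LOG = [
    "CONN 10.0.5.33 -> 10.0.5.10:22",
    "CONN 10.0.5.33 -> 10.0.5.250:139",
    "CONN 10.0.5.41 -> 10.0.5.10:2049",
    "FILE alice@ws12 read /home/alice/notes.txt",
    "FILE bob@ws07 read /home/finance/payroll-2000.xls",
    "CONN 10.0.5.33 -> 10.0.5.10:2048",
]

if __name__ == "__main__":
    for alarm in scan(SAMPLE_LOG):
        print(f"ALARM {alarm.kind}: {alarm.source} touched {alarm.target}")
```

The point of keeping the alarm list small and silent is the same as with the jewelry-box sensor: because no legitimate activity ever fires it, every hit is worth a human's attention, and the raw line is preserved so the responder can reconstruct what the intruder was doing.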

The discussion of network intrusion detection techniques led
the group into discussing the controversy over the various
ways in which information on security flaws should be disseminated,
including: not at all, with a high degree of involvement from the
implicated software vendor, or as a way to pressure vendors
to improve the quality of their software. Marcus used as an example
his early knowledge of an ftp protocol exploit that hackers didn't
discover until years later. By not publicly announcing his
discovery, he feels that he kept one more tool from the hacking
community for a little longer.