Wednesday, October 13, 2004

Article in Nov 04 Dr. Dobb's Journal

The November 2004 issue of Dr. Dobb's Journal features an Addison-Wesley-sponsored article I wrote titled Considering Convergence? (.pdf). I wrote it as an elaboration of thoughts I posted to focus-ids two months ago:

"I argue against 'convergence' between products doing 'detection' and those doing 'protection.' Too many people focus on detecting attacks when really they should be detecting failures in protection caused by poor access control, exposure of vulnerable targets, and misconfiguration.

This means the IDS remains a network audit device doing detection, and all products which filter, scrub, manipulate, or otherwise stop traffic be accepted as access control devices (aka 'firewalls') doing protection.

You can't have the same device do both functions. It's like a guard without a security camera thinking he's doing a good job when an intruder's already slipped behind him.

If any convergence should take place, it should occur within the detection market (signature/anomaly/flow/etc. network/host-based IDS) and separately within the protection market (XML/spam/SQL/etc. IPS/firewalls)."

No comments: