Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: nipper studio experiences? (Marcus J. Ranum)
----------------------------------------------------------------------
Message: 1
Date: Sun, 20 Jul 2014 12:00:35 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] nipper studio experiences?
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <53CBE7A3.8060708@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Mike Lloyd wrote:
> Simple rule-checking systems don't need a lot - they work, but they also just aren't all that "smart" about the intention or design of your network, in much the same way that a spell checker can't tell whether a legal contract is "good" or "bad" - it can just tell if it's got typos.
Since you're posting from redsealnetworks.com may I infer that you are
referring as "smart" to redseal's products? Because, as far as I can tell,
they are also rule-checking systems. Granted, the rules are much more
complicated than they might otherwise be, but an expert system is an
expert system; short of solving the hard AI problem (in which case we
wouldn't call it an "expert system") they're all the same thing.
An expert system takes a set of facts, applies a rules engine and a
knowledge-base to them, and offers a set of conclusions.
All of the inputs into the expert system are going to affect the quality
and usefulness of its conclusions; this is important to understand because
sometimes the knowledge-base doesn't need much to reach a
conclusion. For example, if the query you asked is "give me a list of
SMB servers" the usefulness of the query results is going to depend more
on the available facts about the network than the difficulty of
identifying an SMB server - there are degrees of accuracy that can
be achieved in identifying SMB servers but, since they tend to announce
themselves, it's more a matter of having the right facts in your data
than performing complex analysis. If you had a further set of rules in
your engine that caused it to try to offer conclusions about the purpose
of the SMB servers, it's not "smart" it's "further rules that give more
results."
it always drives me a bit battier when someone refers to a hunk of
software - no matter how cleverly programmed - as "smart" because
that's one thing that, for now, software isn't. The people who coded
the rules engine and its knowledge-base are "smart" but the system is
the antithesis of "smart" in that it lacks the key elements of intelligence,
namely:
- creativity
- curiousity
I'm sure your system has a more exhaustive knowledge-base than
whatever, and a cleverly programmed rules engine. But you are
mis-speaking if you characterize one expert system as smarter
than another.
In a talk I gave in 2005 or so, I characterized all security products
in terms of fact collection, application of a knowledge-base through
a rules engine, and controlled output based on the conclusions
that are offered.
Firewall: packets in -> rules engine + knowledge about state and policy
-> output
Anti-virus: execution attempt -> rules engine + knowledge about behavior
and a blacklist -> execution decision
Intrusion detection: facts about network and behavior -> rules engine +
indicators of compromise -> alert
etc.
The reason this is a consistent thread through computer security is
because knowledge-bases offer one very valuable thing: diagnosis.
An expert system such as RedSeal's value is that the smart people
who built its rules encoded those rules so as to carry their expertise
to customers' networks in the abstract. The value of such tools is that
they can turn a bunch of packets into a conclusion, i.e.:
"x.x.x.x is an SMB server!"
If you imagine a hypothetical system that was "smart" and able to
form new conclusions that had never been seen before - if they
had never been seen before, it would have to be _creative_ in order
to generate a human-comprehensible description of its state.
Suppose you had a rule fire that produced an alert similar to:
"the ratio of syn/fin packets is 2 standard deviations from normal!"
that's not as human-comprehensible as "syn flood attack!" but even
my example is a cheat because it encodes my expert knowledge that
the ratio of syn/fin packets is interesting. An actual "smart" network
analysis product, if such a thing existed, would probably say:
"Daddy, I'm worried about the network."
mjr.
--
Marcus J. Ranum, CSO, Tenable Network Security, inc. http://www.tenable.com
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 70, Issue 5
***********************************************
No comments:
Post a Comment