Saturday, July 26, 2014

firewall-wizards Digest, Vol 70, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: nipper studio experiences? (Gregg Dotoli)


----------------------------------------------------------------------

Message: 1
Date: Thu, 24 Jul 2014 11:45:09 -0400
From: Gregg Dotoli <gldotoli@yahoo.com>
Subject: Re: [fw-wiz] nipper studio experiences?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <13DE7867-08EE-4CD6-AA4A-63302D766B34@yahoo.com>
Content-Type: text/plain; charset="us-ascii"

Marcus,
Is this the definition being discussed? If so, we have a long way to go.

encouraging a person to learn, discover, understand, or solve problems on his or her own, as by experimenting, evaluating possible answers or solutions, or by trial and error: a heuristic teaching method.


Gregg Dotoli

Sent from my iPhone

> On Jul 20, 2014, at 12:00 PM, "Marcus J. Ranum" <mjr@ranum.com> wrote:
>
> Mike Lloyd wrote:
>> Simple rule-checking systems don't need a lot - they work, but they also just aren't all that "smart" about the intention or design of your network, in much the same way that a spell checker can't tell whether a legal contract is "good" or "bad" - it can just tell if it's got typos.
>
> Since you're posting from redsealnetworks.com may I infer that you are
> referring as "smart" to redseal's products? Because, as far as I can tell,
> they are also rule-checking systems. Granted, the rules are much more
> complicated than they might otherwise be, but an expert system is an
> expert system; short of solving the hard AI problem (in which case we
> wouldn't call it an "expert system") they're all the same thing.
>
> An expert system takes a set of facts, applies a rules engine and a
> knowledge-base to them, and offers a set of conclusions.
>
> All of the inputs into the expert system are going to affect the quality
> and usefulness of its conclusions; this is important to understand because
> sometimes the knowledge-base doesn't need much to reach a
> conclusion. For example, if the query you asked is "give me a list of
> SMB servers" the usefulness of the query results is going to depend more
> on the available facts about the network than the difficulty of
> identifying an SMB server - there are degrees of accuracy that can
> be achieved in identifying SMB servers but, since they tend to announce
> themselves, it's more a matter of having the right facts in your data
> than performing complex analysis. If you had a further set of rules in
> your engine that caused it to try to offer conclusions about the purpose
> of the SMB servers, it's not "smart" it's "further rules that give more
> results."
>
> It always drives me a bit battier when someone refers to a hunk of
> software - no matter how cleverly programmed - as "smart" because
> that's one thing that, for now, software isn't. The people who coded
> the rules engine and its knowledge-base are "smart" but the system is
> the antithesis of "smart" in that it lacks the key elements of intelligence,
> namely:
> - creativity
> - curiosity
>
> I'm sure your system has a more exhaustive knowledge-base than
> whatever, and a cleverly programmed rules engine. But you are
> mis-speaking if you characterize one expert system as smarter
> than another.
>
> In a talk I gave in 2005 or so, I characterized all security products
> in terms of fact collection, application of a knowledge-base through
> a rules engine, and controlled output based on the conclusions
> that are offered.
> Firewall: packets in -> rules engine + knowledge about state and policy -> output
> Anti-virus: execution attempt -> rules engine + knowledge about behavior and a blacklist -> execution decision
> Intrusion detection: facts about network and behavior -> rules engine + indicators of compromise -> alert
> etc.
>
> The reason this is a consistent thread through computer security is
> because knowledge-bases offer one very valuable thing: diagnosis.
> An expert system such as RedSeal's value is that the smart people
> who built its rules encoded those rules so as to carry their expertise
> to customers' networks in the abstract. The value of such tools is that
> they can turn a bunch of packets into a conclusion, i.e.:
> "x.x.x.x is an SMB server!"
> If you imagine a hypothetical system that was "smart" and able to
> form new conclusions that had never been seen before - if they
> had never been seen before, it would have to be _creative_ in order
> to generate a human-comprehensible description of its state.
> Suppose you had a rule fire that produced an alert similar to:
> "the ratio of syn/fin packets is 2 standard deviations from normal!"
> that's not as human-comprehensible as "syn flood attack!" but even
> my example is a cheat because it encodes my expert knowledge that
> the ratio of syn/fin packets is interesting. An actual "smart" network
> analysis product, if such a thing existed, would probably say:
> "Daddy, I'm worried about the network."
>
> mjr.
> --
> Marcus J. Ranum, CSO, Tenable Network Security, inc. http://www.tenable.com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
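The facts -> rules engine + knowledge base -> conclusions pipeline and the syn/fin-ratio rule Ranum describes above, as an added toy example (not code from the list thread or from any vendor): the per-interval packet counts are constructed, the baseline is the "knowledge" the engine is given, and the "syn flood attack!" label shows the extra rule that encodes the expert's interpretation on top of the raw statistic.

```python
"""Toy expert system in the shape described above:
facts -> rules engine + knowledge base -> conclusions.
Constructed example; not any product's code."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Facts: (syn, fin) packet counts per interval. Constructed sample data.
BASELINE_INTERVALS = [(100, 98), (120, 115), (95, 97), (110, 108), (105, 101), (130, 126)]
CURRENT_INTERVAL = (900, 95)  # constructed: many SYNs, few FINs


def syn_fin_ratio(syn, fin):
    """Ratio of SYN to FIN packets; guard against a zero FIN count."""
    return syn / max(fin, 1)


@dataclass
class Baseline:
    """The knowledge base: what 'normal' looks like for this network."""
    mu: float
    sigma: float


def learn_baseline(intervals):
    ratios = [syn_fin_ratio(s, f) for s, f in intervals]
    return Baseline(mean(ratios), pstdev(ratios))


def rule_syn_fin_deviation(facts, kb, threshold=2.0):
    """Statistical rule: fires when the ratio is >= threshold sigmas above baseline."""
    z = (syn_fin_ratio(*facts) - kb.mu) / kb.sigma if kb.sigma else 0.0
    if z >= threshold:
        return f"the ratio of syn/fin packets is {z:.1f} standard deviations from normal"
    return None


def rule_syn_flood(facts, kb):
    """Same facts; adds the expert's knowledge that a skewed syn/fin ratio means a SYN flood."""
    return "syn flood attack!" if rule_syn_fin_deviation(facts, kb) else None


RULES = [rule_syn_fin_deviation, rule_syn_flood]


def run_engine(facts, kb, rules=RULES):
    """Apply every rule to the facts and return the conclusions that fired."""
    return [c for c in (r(facts, kb) for r in rules) if c]


if __name__ == "__main__":
    kb = learn_baseline(BASELINE_INTERVALS)
    print(run_engine(CURRENT_INTERVAL, kb))
```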

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 70, Issue 8
***********************************************