Monday, March 5, 2007

IPS/IDS and grid

Last week I sent an e-mail to one of the mailing lists that I am on about IPS and IDS systems. The difference is clear: an IPS can prevent the events that an IDS detects. Those systems have been in use for a long time now. If I may add - unsuccessfully, since after you have those systems installed you are not more secure.

You can get information about some threats - but what is it good for? Probably for some cases where you can get the info about an attacker. Actually you can get more information, but it still does not make you or your site more secure.

The problem is that they are not reliable. It is not due to programmer fault; it is the way those systems work and the way of thinking behind them! Up until now, security personnel have usually come from a networking background. Since most security threats come through the net, it is reasonable to ask the net people to take care of it.
There are two problems that I find in this concept:

- The network is only the medium and not the problem. If one agrees with this statement, the medium can help to solve the problem, but the problem itself should be looked for in another place.

- No reasonable solution can be found without understanding the application protocol. A crook does not look like one; if he did, it would be easy to detect him. It is exactly the same here: the information that goes from one point to another looks legitimate. There are just a few cases (usually these already exist in various formats for firewalls) where one can define an exact format of an intrusion packet.

IPS/IDS and grids

Since the grid is based on external users that use local resources, access from the net is natural. But is there a way to identify an intrusion process?

Well - I think the answer is YES. It should be an "application based IPS/IDS". We are familiar with application firewalls, which can (partially) analyze application data and block abnormal behaviour.

For grids we will need a firewall that can check grid abnormalities. It will probably monitor the following components:

- Compute Element - to check that the jobs submitted are valid. We may soon find out that a wrapper is needed to protect the system.

- WMS (or RB) - the components that look for the best matching site for a job to run in and submit it to that site. There is additional functionality, like "rewriting" the JDL (the general job description language) for the local batch queue system. In those cases it can start with a wrapper that checks that no harm will be caused.
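An added example, not code from the original post: a minimal Python wrapper of the kind described for the Compute Element above. It parses a simplified, constructed JDL-like job description and reports policy violations before the job would be forwarded to the batch system. The attribute names, the executable allow-list and the CPU limit are assumptions made for the illustration.

```python
import re
# Policy for the wrapper. These values are assumptions chosen for illustration.
ALLOWED_EXECUTABLES = {"/bin/sh", "/usr/bin/python"}
MAX_CPU_SECONDS = 24 * 3600
SHELL_METACHARS = re.compile(r"[;&|`$<>]")
ATTR_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*;$")

# Constructed sample job (not from the page); one InputSandbox entry is bad.
SAMPLE_JOB = """
Executable = "/usr/bin/python";
Arguments = "analyse.py --events 1000";
InputSandbox = {"analyse.py", "../site.conf"};
CPUTime = 3600;
"""

def parse_jdl(text):
    """Parse simplified JDL, one 'Name = value;' per line (real JDL is a richer
    ClassAd dialect). Strings lose quotes, {..} becomes a list, digits an int."""
    attrs = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed JDL line: {line!r}")
        name, raw = m.groups()
        if raw.startswith("{") and raw.endswith("}"):
            attrs[name] = [v.strip().strip('"') for v in raw[1:-1].split(",") if v.strip()]
        elif raw.startswith('"') and raw.endswith('"'):
            attrs[name] = raw[1:-1]
        else:
            attrs[name] = int(raw) if raw.isdigit() else raw
    return attrs

def check_job(text):
    """Return the list of policy violations; an empty list means the job may be forwarded."""
    job = parse_jdl(text)
    problems = []
    exe = job.get("Executable")
    if exe not in ALLOWED_EXECUTABLES:  # also catches a missing Executable
        problems.append(f"Executable not in allow-list: {exe}")
    if SHELL_METACHARS.search(str(job.get("Arguments", ""))):
        problems.append("Arguments contain shell metacharacters")
    for path in job.get("InputSandbox", []):
        if path.startswith("/") or ".." in path.split("/"):
            problems.append(f"InputSandbox entry escapes the job directory: {path}")
    cpu = job.get("CPUTime", 0)
    if isinstance(cpu, int) and cpu > MAX_CPU_SECONDS:
        problems.append(f"CPUTime {cpu}s exceeds the limit of {MAX_CPU_SECONDS}s")
    return problems
```

Running `check_job(SAMPLE_JOB)` flags only the sandbox entry that climbs out of the job directory; a job that passes every check returns an empty list.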

Now it is time to design such a system...