Vin McLellan <me> wrote

> [...] the NFR (Network Flight Recorder) "Appliance" is one of the top two or
>three state-of-the-art, network-based, Intrusion Detection Systems.  (See:
><www.nfr.net>)

        Mark <[EMAIL PROTECTED]> responded:

>I beg to differ; the ID Appliance itself is not state of the art at all. A
>lot of companies have used this approach for many, many years before NFR
>came into existence.  NFR was the first to actually implement an IDS
>system on an appliance-like device.

        "state of the art" = "way ahead of everyone else"

        A long time ago, I wrote IBM's internal history of the first 20
years of the computer industry.  I assure you the idea of a special purpose,
limited function, dedicated, digital machine (with application-only access
restricted to a wired local console;-) was not unknown in the era of vacuum
tubes and clunky circuits.

        OTOH, there is, I suspect, a growing appreciation of the technical
difficulty -- and unscalable management issues -- involved in trying to host
IDAs upon a stripped-down "hardened" version of any standard OS.

        With the intractable problems of securing multi-function,
multi-user machines (and the steady drop in the cost of microprocessors), I
think that many network security apps will, in the future, eventually rely
upon dedicated chips: limited-function, specialized "appliances."

        NFR's unique architecture is closer to that than any other IDS.  I
think NFR's embedded OS approach has considerably raised the bar on both IDS
security and ease of use, while pushing the envelope on packet capture
performance.

        NFR's once-BSD kernel has been greatly modified to specialize. This
binds the IDA's dedicated functionality closer to the circuit level and
excludes everything but the minimum required for the IDA to do its specialized
task well. In turn, this unique architecture both makes the IDA vastly more
secure from external interference and attack, and also gives us the
increased efficiency that specialization always permits.

        From my point of view, that NFR designed the IDA to run directly
from a read-only CD is icing on the cake.

        (The archives of this List hold dozens of posts from Marcus Ranum
-- from 5 or 6 years ago; back when he was only a FW guru; long before he
founded NFR -- in which he grumped, growled, and snarled about OS
vulnerabilities... and promised to someday get around to building a really
minimal, dedicated function, mini-OS to safely and efficiently support
security functions. It's not often you can trace the roots of a product
design so clearly, all the way back to complaints from the trenches;)  Any
of the Old Timers on this List could have told you years ago what Ranum
wanted in the NFR design -- long before he had a company, much less the NFR
products.)
 
         When I called NFR's IDA "state of the art," I wasn't really
thinking of the appliance aspect of the design -- although I think I could
justify the label in that context too.  

        I was actually thinking of the NFR IDA's pre-tuned capabilities to
efficiently scoop all the packet-level data off a TCP/IP circuit and -- as
necessary -- reassemble the packets to assess and identify attacks or
attempted attacks, even if they are transmitted in fragments or out of
order. This is, I suggest, an important (and apparently rare) capability
among IDS.

        Of course, the NFR's capabilities in handling the flow of packets
are directly related to the efficiencies NFR obtained by customizing the OS.

        [Each OS implements network services in a different way, while
complying with the governing RFCs. (BSD networking vs Streams vs NDIS vs
...)  Some OSes do a better job with particular network operations.

        [For an IDA to deal with a continuous, high-volume stream of
packets on a network, it has to operate on "all traffic on the wire" at a
higher level, and to do that efficiently requires multiple kernel adaptations
to get maximum packet processing.  A general purpose OS -- invariably
designed for time-sharing applications -- has different priorities, a
different balance of functional strengths, inherent in its architecture.]
 
        IDS sensors are much like defensive radar: the first target for any
sophisticated attacker.  I do think NFR's relative security -- a custom
embedded OS, running off a read-only CD -- is striking.  It's hard to get
more secure against remote attacks than immutable media;-)

        Again, the whole IDA runs from the CD -- with no separate OS support
on its host PC.  When the machine is turned on, it boots from CD-ROM
directly into a running NFR system.  The user cannot interact with the
operating system directly, only with NFR.

        I don't want to make this a product pitch, so (unless someone has
specific questions), let me just offer a quick list of the reasons why I
think I was justified in calling the NFR IDA  "state of the art."
(Parenthetical info added for tech weenies;-)

      1. NFR uses a very-minimal, much-customized, embedded OS -- BSD with
"extensive enhancements" for security and performance.  (Ain't Unix no more,
folks!)

      2. Boots from read-only CD-ROM.

      3. *Very* few Unix utilities exist on the CD.  What is included is
_only_ what is needed for the IDA's overtly-dedicated functions.  (There is
not even a "/bin/sh" or "/bin/csh" on the system.)

      4. An NFR IDA has no concept of "users" or "groups".  It also doesn't
support access functions such as logging in -- except through the NFR GUI.
(There is no "root" user!)

      5. The various security issues associated with file access are simply
not relevant to NFR's IDA architecture.

      6. Only the NFR encrypted communication channel is available
externally. (No inetd facility at all.)

        [Thank you all, btw, for all the e-mail notes I received after my
earlier response to Yvette Hirth's query.  I'm a little overwhelmed by the
reaction.  This forum has always had a lot of grizzled veterans willing to
discuss both the petty details and the big picture with newcomers to the
Craft.   I'm delighted to continue the tradition.  I trust others, in their
turn, will do the same.  Some of us just like to talk and write;-]

        From the WAP Conference in Rome, the Eternal City,

                        Suerte,

                                                _Vin

         --------
  "Cryptography is like literacy in the Dark Ages. Infinitely potent, for
 good and ill... yet basically an intellectual construct, an idea, which 
by its nature will resist efforts to restrict it to bureaucrats and others
who deem only themselves worthy of such Privilege."  
 _A Thinking Man's Creed for Crypto  _vbm
                     
     *    Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>    *


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
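The reassembly capability Vin credits to NFR above (matching attacks split across out-of-order TCP segments) is illustrated here with an added, constructed example; this is not NFR code and uses a hypothetical minimal reassembler with a constructed signature and constructed segments.

```python
# Added example, not from the original post: why an IDS must reassemble a
# TCP stream before signature matching. Segment, reassemble() and the
# sample data are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def match_per_packet(segments, pattern):
    """Naive sensor: look at each segment in arrival order, no reassembly."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments, isn):
    """Order segments by sequence number and concatenate contiguous data.

    Stops at the first hole (missing bytes). Overlapping retransmissions
    keep the bytes seen first (a constructed policy; real sensors must
    pick one deliberately, since OSes differ on overlap handling)."""
    out = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            break                      # hole: data not yet on the wire
        offset = expected - s.seq      # bytes already covered by earlier data
        if offset < len(s.payload):
            out += s.payload[offset:]
            expected = s.seq + len(s.payload)
    return bytes(out)


def match_reassembled(segments, isn, pattern):
    """Stream-aware sensor: match against the reassembled byte stream."""
    return pattern in reassemble(segments, isn)


# Constructed sample: a directory-traversal signature split across two
# segments that also arrive out of order (second half first).
ISN = 1000
PATTERN = b"../etc/passwd"
SEGMENTS = [
    Segment(1015, b"tc/passwd HTTP/1.0\r\n"),   # arrives first
    Segment(1000, b"GET /cgi?f=../e"),          # arrives second
]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(SEGMENTS, PATTERN))      # False
    print("reassembled:", match_reassembled(SEGMENTS, ISN, PATTERN))  # True
```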
