What could have been done differently?

• Previous message (by thread): What could have been done differently?
• Next message (by thread): What could have been done differently?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sean,

Ultimately, all mass-distributed software is vulnerable to software 
bugs.  Much as we all like to bash Microsoft, the same problem can and 
has occurred through buffer overruns.

One thing that companies can do to mitigate a failure is to detect it 
faster, and stop the source.  Since you don't know what the failure will 
look like, the best you can do is determine what is ``nominal'' through 
profiling, and use IDSes to report to NOCs for considered action.

There are two reasons companies don't want to do this:

1.  It's hard (and expensive).  Profiling nominal means installing IDSes 
everywhere in one's environment at a time when you think things are 
actually working and making assumptions that *other* behavior is to be 
reported.  Worse, network behavior is often cyclical, and you need to 
know how that cycle will impact what is nominal.  Indeed you can have a 
daily, weekly, monthly, quarterly, and annual cycle.  Add to this 
ongoing software deployment and you have something of a moving target.

2.  It doesn't solve all attacks.  Only attacks that break the profile 
will be captured.  Those are going to be those that use new or unusual 
ports, existing "bad" signatures, or excessive bandwidth.

On the other hand, in *some* environments, IDS and an active NOC may 
improve predictability by reducing time needed to diagnose the problem. 
  Who knows?  Perhaps some people did benefit through these methods. 
I'm very curious in netmatrix's view of the whole matter, as compared to 
comparable events.  NANOG presentation, Peter?

Eliot

• Previous message (by thread): What could have been done differently?
• Next message (by thread): What could have been done differently?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]