Virtual Burglar Alarm - Thomas Biege about ID Systems
How can sensitive data such as important business data or
research data be protected from unauthorized viewers, and how can
an uninvited "guest" be caught? Who attempted to sneak
into my network, and when? Computer networks, too, can be equipped
with alarm systems called Intrusion Detection Systems, abbreviated
as IDS. In two consecutive articles, Thomas Biege, member of the SuSE
security team, will explain how such a system is structured, which
methods can be used to track down "network burglars" and how
and when it makes sense to make use of an IDS.
commented on some general questions on the topics of network security
and Intrusion Detection Systems.
- Web Portal : What made you embark on the security issue?
What do you find attractive about it?
Thomas Biege : In general or specifically at SuSE?
In general: I read the book "The Cuckoo's Egg" by Clifford
Stoll, after which I was all enthusiastic about Unix, Internet,
C programming, and security, of course. Later on I acquired
know-how from books and the trial & error method.
Specifically: I published a few security leaks in Linux (SuSE, to
be precise) software on Bugtraq or simply sent them to SuSE. Some time
later I received an e-mail from Burchard (editorial note: Burchard
Steinbild is one of the four founders of SuSE GmbH). :-)
What I like about it? Well ... I find it quite interesting, plus you
learn a lot of details about Unix/Linux or software in general. The
topic IT security encompasses such a wide range of know-how areas that
you never get bored. Additionally, you are forced to keep
- Web Portal : Well, let's talk about network security - just
a few sentences ... Will you ever be able to say that your network is
Thomas Biege : Let me just repeat some widely used
phrases ;-) You will NEVER get a one hundred per cent secure
network. Maintaining a secure network is also very much a question of
the benefit you gain by acquiring certain security measures and the
damage you would suffer by a successful intrusion. The costs of a
successful intrusion into your network should always be higher than
the benefit an attacker would gain by intruding into your system.
Always try to lock all known security holes in
your system and keep track of what is happening on security
mailing lists like [email protected] and
[email protected]. Using a packet filter will also make
an important contribution to your security concept and won't be that
much of a problem ;-). Even at home you can install some sort of
personal firewall (like the one in SuSE Linux 7.2) which offers a
reasonable degree of protection.
Of course, companies have the financial means in order to acquire the
know-how and material necessary to protect their networks, and
depending on their capacity, they should spend money for this purpose.
Not everyone is forced to spend half a million German Marks or more
on a multiple-stage HA security system with 24h/7d
monitoring. As I said, it's always a matter of estimating
the cost/benefit ratio.
- Web Portal : Security tends to be relative - so does
paranoia :-) Can a clear line be drawn between them? Or is
there no way to distinguish where the first one ends and the latter
Thomas Biege : Hm. I think paranoia isn't appropriate in a
professional environment. As mentioned above, security is always a
question of balancing the costs and risks ;-)
- Web Portal : From your point of view: Who needs an IDS?
Where does it make sense?
Thomas Biege : An IDS makes sense for anyone who knows quite
well about its strong and its weak points and who is able to judge its
The average user at home won't benefit that
much from an IDS, since it is pretty complex and might confuse rather
than help him.
- Web Portal : What degree of knowledge should the average
user (running Linux on the desktop at home) have on IDS?
Thomas Biege : Normal users won't need an IDS to secure their
networks at home. Those who are interested in IDS should turn to Snort
or any other free IDS tool.
- Web Portal : Building and maintaining an IDS looks like a
very troublesome task requiring quite a considerable amount of
knowledge on both networking and security ... What about everyday
life: Is a system administrator forced to bury himself in the very
details of IDS?
Thomas Biege : No, of course that's not necessary. Just take
the analysis units of ID systems - they are based on constructs of
Artificial Intelligence. You wouldn't seriously expect a system
administrator - who is usually more than busy even without bothering
about Artificial Intelligence - to mind all the internal details of
Neural Networks or Expert Systems.
Those manufacturing ID systems should supply
the end user with some auxiliary tools to facilitate the everyday
maintenance of the system without asking for too much in-depth
knowledge of the internals. However, IDS administrators should be
able to interpret and judge the results of an IDS analysis. A
comprehensive online help feature should be integrated by the IDS
manufacturer. Commercial ID systems usually ship with a graphical user
interface and sufficient documentation to facilitate the use of the
Web Portal : Thank you for the interview.
Thomas Biege has been working in the SuSE security team for the past two years. He studies general computer sciences at the technical college Dortmund. Presently he is busy with the development of a host-based intrusion detection system, which he will present in his diploma thesis.