\n"; ?>

Virtual Burglar Alarm - Thomas Biege about ID Systems

Jana Jaeger

How can sensitive data such as important business data or research data be protected from unauthorized viewers, and how can an uninvited "guest" be caught? Who attempted to sneak into my network, and when? Computer networks, too, can be equipped with alarm systems called Intrusion Detection Systems, abbreviated as IDS. In two consecutive articles, Thomas Biege, member of the SuSE security team, will explain how such a system is structured, which methods can be used to track down "network burglars" and how and when it makes sense to make use of an IDS.

First, he commented on some general questions on the topics of network security and Intrusion Detection Systems.

Web Portal : What made you embark on the security issue? What do find attractive about it?

Thomas Biege : In general or specifically at SuSE? In general: I read the book "The Cuckoo's Egg" by Clifford Stoll, after which I was all enthusiastic about Unix, Internet, C programming, and security, of course. Later on I acquired know-how from books and the trial & error method.

Specifically: I published a few security leaks in Linux (SuSE, to be precise) software on Bugtraq or simply sent them to SuSE. Some time later I received an e-mail from Burchard (editorial note: Burchard Steinbild is one of the four founders of SuSE GmbH). :-)

What I like about it? Well ... I find it quite interesting, plus you learn a lot of details about Unix/Linux or software in general. The topic IT security encompasses such a wide range of know-how areas that you never get bored. Additionally, you are forced to keep pace.

Web Portal : Well, lets talk about network security - just a few sentences ... Will you ever be able to say that your network is secure?

Thomas Biege : Let me just repeat some widely used phrases ;-) You will NEVER get aone hundred per cent secure network. Maintaining a secure network is also very much a question of the benefit you gain by acquiring certain security measures and the damage you would suffer by a successful intrusion. The costs of a successful intrusion into your network should always be higher than the benefit an attacker would gain by intruding your system.

Always try to lock all known security holes in your system and keep track of what is happening on security mailinglists like suse-security@suse.com and suse-security-announce@suse.com. Using a packet filter will also make an important contribution to your security concept and won't be that much of a problem ;-). Even at home you can install some sort of personal firewall (like the one in SuSE Linux 7.2) which offers a reasonable degree of protection.

Of course, companies have the financial means in order to acquire the know-how and material necessary to protect their networks, and depending on their capacity, they should spend money for this purpose. Not everyone is forced to spend half a million German Marks or more on a multiple-stage HA security system with 24h/7d monitoring. As I said, it's always a matter of estimating the cost/benefit ratio.

Web Portal : Security tends to be relative - so does paranoia :-) Can a clear line be drawn between them? Or is there no way to distinguish where the first one ends and the latter begins?

Thomas Biege : Hm. I think paranoia isn't appropriate in a professional environment. As mentioned above, security is always a question of balancing the costs and risks ;-)

Web Portal : From your point of view: Who needs an IDS? Where does it make sense?

Thomas Biege : An IDS makes sense for anyone who knows quite well about its strong and its weak points and who is able to judge its alarm messages.

The average user at home won't benefit that much from an IDS, since it is pretty complex and might confuse rather then help him.

Web Portal : What degree of knowledge should the average user (running Linux on the desktop at home) have on IDS?

Thomas Biege : Normal users won't need an IDS to secure their networks at home. Those who are interested in IDS should turn to Snort or any other free IDS tool.

Web Portal : Building and maintaining an IDS looks like a very troublesome task requiring quite a considerable amount of knowledge on both networking and security ... What about everyday life: Is a system administrator forced to bury himself in the very details of IDS?

Thomas Biege : No, of course that's not necessary. Just take the analysis units of ID systems - they are based on constructs of Artificial Intelligence. You wouldn't seriously expect a system administrator - who is usually more than busy even without bothering about Artificial Intelligence - to mind all the internal details of Neuronal Networks or Expert Systems.

Those manufacturing ID systems should supply the end user with some auxiliary tools to facilitate the everyday maintenance of the system without asking for too much in-depth knowledge of the internals. However, IDS administrators should be able to interpret and judge the results of an IDS analysis. A comprehensive online help feature should be integrated by the IDS manufacturer. Commercial ID systems usually ship with a graphical user interface and sufficient documentation to facilitate the use of the system.

Web Portal : Thank you for the interview.

Thomas Biege has been working in the SuSE security team for the past two years. He studies general computer sciences at the technical college Dortmund. Presently he is busy with the development of a host-based intrusion detection system, which he will present in his diploma thesis.

\n"; ?>