From: Brett Glass
To: cstone@pobox.com
Cc: freebsd-security@freebsd.org
Date: Sun, 19 Sep 1999 19:50:52 -0600
Subject: Re: Real-time alarms
In-Reply-To: <19990919191521.A2048@pobox.com>

At 07:15 PM 9/19/99 -0600, cstone@pobox.com wrote:

>I agree that report generation by mail would be a useful facility, but I
>think that there should be a standard entity dedicated to receiving
>alert/activity data and (if necessary) acting on that data. There are
>several other notification mechanisms which could be useful as well, but
>they are all relatively easily implemented.

Good point. It should be easy to "plug" different notification systems
into the detection system.

>It is important that
>notification be as flexible as possible. The real issues, at this
>point, are the choices behind the code which is gathering activity data
>and the criteria which define an alert.

Agreed.
And these, too, should be flexible and probably rule-based. The key
thing, again, is that security be multi-layered. Originally, UNIX had a
single point of failure: gain root, and the game is over. But if there
are more layers, it's safer.

Look at how we secure banks in the real world. Most likely, there's not
only an alarm on the bank's doors but also more alarms -- perhaps motion
detectors -- that will be set off as one approaches the vault. The door
of the vault is locked and alarmed, and there are lockboxes inside the
vault, too. And there are security cameras all over. When an intruder
sets off one of the alarms outside the vault, there's still time to stop
him before he gets inside. If he manages to breach the vault, there are
more alarms to alert the police before he's able to get into the
lockboxes and get away with the contents. Finally, as a last resort, one
can at least find out who broke in by looking at the images from the
security cameras.

UNIX, at the beginning, had nothing but a lock on the front door of the
bank. Orange Book Class C security adds lots of security cameras, limits
the number of doors, and makes the doors a bit stronger. We now need to
work on the rest.

--Brett
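The design sketched in this exchange (rule-based alert criteria, a single entity that receives activity data, and notification channels that plug in independently of detection) is illustrated below in added example code; it is not from the thread or from any FreeBSD tool, and the log lines, rule names and channel names are constructed for the illustration. Each rule carries a "layer" so that a run over the data also reports how far inward the activity got, in the spirit of the bank analogy.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Rule:
    name: str
    pattern: re.Pattern  # what in the activity data trips this alarm
    layer: int           # 1 = outer door; higher = closer to the "lockboxes"
    severity: str        # routing key used to pick notifiers

Alert = Tuple[Rule, str]              # (rule that fired, offending line)
Notifier = Callable[[Alert], None]    # mail, pager, syslog... plug in here

class AlertDispatcher:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.notifiers: Dict[str, List[Notifier]] = {}
    def register(self, severity: str, notifier: Notifier) -> None:
        self.notifiers.setdefault(severity, []).append(notifier)
    def process(self, lines: List[str]) -> List[Alert]:
        alerts = []
        for line in lines:
            for rule in self.rules:
                if rule.pattern.search(line):
                    alerts.append((rule, line))
                    for notify in self.notifiers.get(rule.severity, []):
                        notify((rule, line))
        return alerts

def deepest_layer(alerts: List[Alert]) -> int:
    # How far inward the activity got; 0 means no alarm tripped.
    return max((rule.layer for rule, _ in alerts), default=0)

# Constructed sample activity lines and rules (hypothetical, not real logs).
SAMPLE_LOG = [
    "Sep 19 19:40:01 host sshd[123]: Failed password for root from 10.0.0.5",
    "Sep 19 19:40:07 host su: BAD SU user to root on ttyp1",
    "Sep 19 19:41:02 host kernel: setuid binary /tmp/x run by uid 1001",
]
RULES = [
    Rule("failed-login", re.compile(r"Failed password"), 1, "notice"),
    Rule("bad-su", re.compile(r"BAD SU"), 2, "warning"),
    Rule("setuid-from-tmp", re.compile(r"setuid binary /tmp/"), 3, "critical"),
]

def run_sample():
    sent = []  # (channel, rule name) for every notification delivered
    d = AlertDispatcher(RULES)
    d.register("warning", lambda a: sent.append(("mail", a[0].name)))
    d.register("critical", lambda a: sent.append(("mail", a[0].name)))
    d.register("critical", lambda a: sent.append(("pager", a[0].name)))
    return d.process(SAMPLE_LOG), sent
```

Notice-level hits are recorded but routed nowhere, warnings go to mail, and critical hits fan out to every registered channel, so adding a new delivery mechanism is one `register` call rather than a change to `process`.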