How long did it take you to co-write "Network Intrusion Detection 3/e" and what was it like?
For my portion of the 3rd edition, it took about 6 months. But, many of the chapters were based on SANS material I'd previously written and chapters from the 2nd edition. It's a pretty intense experience trying to create material that is useful and coherent without taking yourself too seriously. Luckily, I had Stephen's footsteps to follow from his solo rendition of the 1st edition. His was one of the first technical books I'd read that had a lot of humor that allowed his light-hearted character show through.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
I don't think I can offer any startling insight into the standard precautions of using VPNs, stateful packet-filtering or proxy firewalls, IDS, anti-virus, applying patches, etc. Obviously, the administrator(s) have to have management support in supplying strong policies and ample manpower to maintain and watch the network.
Even given these ideal conditions, you sometimes meet the enemy and realize that it is your internal users. I'm not talking about the legendary insider threat; I'm just talking about those users who scoff at policy by trying to circumvent it. I can't tell you how many times we've blocked conventional ports associated with various peer-to-peer software such as Kazaa only to find that users will modify the default ports used. Kazaa, in particular, has had some nasty residual offerings such as worms. There isn't much you can do in instances such as this except to use IDS signatures that don't specifically focus on port numbers, but instead examine payload for offending peer-to-peer connections.
What's your take on the full disclosure of vulnerabilities?
If full disclosure includes releasing working source code that exploits the vulnerability, I'm not so sure I support it after what happened to David Litchfield - the release of the recent Sapphire worm that used his code. I think sensible disclosure needs to occur - alerting the vendor/maintainer in advance and giving them an opportunity to address the problem. Unfortunately, aggressive disclosure is sometimes the only motivation to encourage software giants to correct their problems.
Too, you may want to question the motivation and methods behind the disclosure. It sometimes seems that disclosure is not always done for the noblest reason - alerting of vulnerabilities and stimulating fixes. Depending on the visibility and popularity of the software related to the disclosure, there can be a lot of publicity surrounding the individual or company making the disclosure. Ironically, some of these companies sell products or services to aid you in your quest for perfect security.
Based on your experiences, do you find proprietary software or open source software to be more secure?
Truthfully, I don't know statistically which is more secure - you would tend to say that if Microsoft is representative of proprietary software then proprietary software is less secure than its open source counterparts. But, is Microsoft considered less secure because everyone and his brother is pounding on it or because it is more ubiquitous than other software? I don't know the correct answer; I just know that I prefer the open source model.