Interview with Judy Novak, co-author of "Network Intrusion Detection 3/e"
by Mirko Zorz - Friday, 20 February 2003.
Even given these ideal conditions, you sometimes meet the enemy and realize that it is your internal users. I'm not talking about the legendary insider threat; I'm just talking about those users who scoff at policy by trying to circumvent it. I can't tell you how many times we've blocked conventional ports associated with various peer-to-peer software such as Kazaa only to find that users will modify the default ports used. Kazaa, in particular, has had some nasty residual offerings such as worms. There isn't much you can do in instances such as this except to use IDS signatures that don't specifically focus on port numbers, but instead examine payload for offending peer-to-peer connections.

What's your take on the full disclosure of vulnerabilities?

If full disclosure includes releasing working source code that exploits the vulnerability, I'm not so sure I support it after what happened to David Litchfield - the release of the recent Sapphire worm that used his code. I think sensible disclosure needs to occur - alerting the vendor/maintainer in advance and giving them an opportunity to address the problem. Unfortunately, aggressive disclosure is sometimes the only motivation to encourage software giants to correct their problems.

Too, you may want to question the motivation and methods behind the disclosure. It sometimes seems that disclosure is not always done for the noblest reason - alerting of vulnerabilities and stimulating fixes. Depending on the visibility and popularity of the software related to the disclosure, there can be a lot of publicity surrounding the individual or company making the disclosure. Ironically, some of these companies sell products or services to aid you in your quest for perfect security.


Based on your experiences, do you find proprietary software or open source software to be more secure?

Truthfully, I don't know statistically which is more secure - you would tend to say that if Microsoft is representative of proprietary software then proprietary software is less secure than its open source counterparts. But, is Microsoft considered less secure because everyone and his brother is pounding on it or because it is more ubiquitous than other software? I don't know the correct answer; I just know that I prefer the open source model.

My closest reference to the controversy is Snort, the open source IDS. Snort is in a unique position because it is a collective open source effort that has probably literally hundreds, if not thousands of eyes scrutinizing the code and improving it. I realize that not all open source garners as much attention or interest as Snort, but because of the group development model and intelligent direction provided by Marty Roesch, you have an excellent source code offering. This makes it hard for the proprietary offerings to compete with Snort because of the ready pool of free talent and resources available.

What advice would you give to people starting to learn about intrusion detection?

COPYRIGHT 1998-2013 BY HELP NET SECURITY.