Being proactive is the single most important thing for security administrators. It is good to subscribe some security alert mailing lists to keep yourself up-to-date on new security issues. Keep the network holes plugged in all times, which is a continuous job. Intrusion detection is one way of proactive approach where you keep an eye on what hackers are trying to exploit. Based upon IDS data you can work on problems before they grow in magnitude. That is why use of Snort and other tools is very important and spending resources on IDS is justified. And beware of internal users! I repeat, beware of internal users.

Based on your experiences, do you find proprietary software or open source software to be more secure?

Debate of using open source and proprietary software for security related applications is not about which software is more secure; it is about support and responsibility in case of any security breach. Most of the business, who prefer to use proprietary software, need someone to be held accountable in such a situation and they also need support guarantee. Guarantee of support and insurance is not available with most of the open source products so people look for proprietary solutions. As for as security of open source products themselves are concerned, I believe they are more secure because security holes are more actively searched, found, and fixed in these products by people all over the world.

What do you think about the full disclosure of vulnerabilities?

I am against full disclosure of vulnerabilities. It does not serve any interest of people who are responsible for security related issues. Yes it may be helpful for hackers. As security professionals, we should be responsible to disclose security related things to only those people who will fix these problems (vendors or developers of open source products). Broadcasting information about vulnerabilities is not in the best interest of the security community.


What advice would you give to people starting to learn about intrusion detection?

I would suggest learning protocols headers and use of sniffers and protocols analyzers (e.g. Ethereal and tcpdump) first. Without knowing what protocols are, and how hackers exploit these protocols, it is difficult to implement a good IDS policy. For example, to detect port scanning, you must know how different flags in TCP header are used for port scanning. Similarly a sniffer is the most important tool under a security person's belt and you must learn and use it extensively.

What are your future plans? Any exciting new projects?

Other than my routine job at Dedicated Technologies, I am working on open source projects to integrate some of these products into solutions so that they can be easily used by security administrators. I am also working on a series of open source books as well.