Slashdot Mirror
Biological Network Security
mercut writes: "A friend of mine recently wrote a Guest Feature on SecurityFocus about Biological Network Security. It has some interesting implications and I thought the /. community could provide some good perspective into IDS communication and security."
Comment removed based on user account deletion
but the implementation will be a bear. First there is the relatively low hurdle of standardizing communications between IDS's. The IETF has been working on such a format for a while.
The main problem, though, will be in establishing automatic systems that are able to judge "threat levels" and act accordingly. People will sign on to such a network only if it's more likely to benefit than to inconvenience them. Such a system won't be of much use if it requires human intervention every time an alert goes up, but it is notoriously difficult to program computers to take the place of simple human judgement.
The main problem with your next step is that it relies on Joe User becoming smarter. It also completely ignores a DDoS attack. Better passwords does not stop attacks from occuring.
Computers were built to do complex things in shorter times than humans. Recognizing and acting upon those attacks seems to be a natural evolution of something computers should be doing, not relying on Joe User to get smart.
The thought that everyone will accomplish these things seems less likely than a "Biological System" being implemented.
Can you imagine the number of people who'd have to co-operate to make this happen? And it wouldn't even be possible for CONGRESS to make it happen, since the Internet is International now.
However, there is already a good amount of work done to secure the Internet - take a look at Bind 9 and its secure DNS, IPv6, ISP border address verification, etc.
The foundations of the failure of these ideas is that of "trust" - who do you trust, anyway? What happens when somebody you trust suddenly changes heart?
Following your representation of the "biological" model, can you successfully argue for "biological" home security? How many houses do you know don't lock their doors and rely on super-intelligent robots or dogs to defend them?
I thought so.
Notice that even your "biological" model breaks down for biology! Nearly every organism has skin, an exoskeleten, cellular wall, etc - in other words, a biological firewall!
These other methods work in conjunction with a good firewall, but the firewall is here to stay.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I would say that both points are valid, a system is usually compromised by an outside person finding out INSIDE information. (passwords, p2p, trojans,) If access were locked down at the USER or NODE level then the 733t hax0r has a big box of cookies with no milk to dunk them in. That coupled with an outside defense system (firewall), trebled with a "compromised network" response (biological defense) would make a lockdown absolute.
This however gives a very false sense of security without stiff penalties for violating the security policies. Remember, security is only as secure as the *least* secure factor. or person.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
When the attacker has human-level intelligence, on the other hand, the immune system folds like a beat puppy - thus the success of poisoners. To defeat poisoners you have to harden your kitchen.
So computer immune systems are liable to work, as long as intruders are no smarter than bacteria. That oughta keep out the script kiddies, though...
You say: A really good administrator and network architect can create a secure, robust, and fully functional environment
today, right now, with off the shelf products (OpenBSD to start).
Yes, and a REALLY GOOD programmer won't have buffer overflows or memory leaks, and a REALLY GOOD secretary won't reveal private data by social engineering or click on email attachments, and a REALLY GOOD..., oh, never mind.
Any security policy that depends on the whole human race suddenly getting genetically superior to what it is now is a non-starter.
Humans are always the weakest link in any security system. Adaptive system won't help if you have idiots setting them up, running and using them. Education people, education. That's what's needed.
Higher Logics: where programming meets science.
Semi-permeable membranes, aka firewalls. A person's skin acts as a pretty good firewall, allowing certain substances in or out and is mostly successful. It is possible to exploit it through making harmful substances appear to have the signature of allowed substances, in the same way that allowing inbound connections of any kind permits other connection types to mimic it: eg, hijacking a terminated telnet connection and sending traffic in the reverse direction. I can't think of a skin analogy for access-list allow host port established syntax, but I'm sure one exists. Firewalls thus play an important part of a biological system.
Complex system interactions. If one were to use an individual cell as an analogy for a computer network and pathways into and out of the cell as the routes through the firewall then you come close to the biological analogy proposed in the article. Note that cells do not in fact advertise that they are under attack from viruses. Other cells notice that a virus attack in underway and react accordingly, with varying degrees of success. It is this approach that would be more useful to take by analogy from biological systems and apply to the computer/network security field. The same problems exist.
Firstly there is the problem of the existing IDS not noticing an intrusion or failing to take sufficient action, such as for any biological infection which causes the death of the host. The biological solution to this is to immunise the system by exposing it to a non-lethal form of the pathogen to educate it for what to look for. A virus-scanner is a good example: Virus signature updates are the computer/network security version of immunisation.
Then there is the problem of overreaction. In a biological system this is equivalent to the so-called '20th Century Syndrome' of boy-in-bubble fame. The biological system's IDS incorrectly registers normal operations as an intrusion and acts as it would for a normal intrusion, causing illness or death. This is a 'false-positive' reaction and is even more likely in a poorly designed IDS. As an example, reference the number of false positives generated by end users who install ZoneAlarm or equivalent personal firewalls. This is the same 'Microsoft is DoS-ing me!' argument mentioned by another respondent.
So, the analogy has merit, but is poorly expressed in the article. I wish to point out that the main advance in IDS and security in general is not the establishment of a new analogy, paradigm or any other buzzword. I believe there are two key aspects that become increasingly important:
1. Correctness of implementation. This is fixing inherent security problems that allow infection to occur. This requires hardening of software, systems and networks. Most people in the field acknowledge this to be true.
2. Greater correlation. This is the ability to more correctly diagnose likely causes from symptoms. The security administrator becomes the highly trained doctor, using knowledge gained from analysis of known pathogens, methods of attack and problems inherent in existing symptoms and uses this knowledge to faster and more accurately diagnose root causes, and prescribe a solution. The use of tools, preferably automated, greatly increase the effectiveness of this approach. I believe it is in this area that the greatest advances have yet to occur.
Just because you're paranoid doesn't mean they're NOT after you.
The human body (used here only because it's the most familiar to the average person) works. It has some problems, but the design is solid.
I think the human body can only be said to work in the statistical sense. Pick any given cell, and you'll find that the body (any complex organism, really) is a pretty dangerous place. The body works as designed because the component parts are unbelievably vast in numbers and practically (in fact, literally) disposable.
Stephenson dealt with an idea like this in The Diamond Age, his book about nanotech. The idea is that, because of an absurd but logical application of economies of scale, it's about as expensive to produce one nanotechnological computer as it is to produce one trillion of them.
If we lived in a world like that, where fairly autonomous disposable computers could be practically manufactured and used, the "computer network as biological system" idea might make some sense.
Remember that life as we have observed it is basically tuned to the idea that the problem is hard, but the raw materials are cheap and time is no object. The only thing that situation has in common with our world is that the problems are hard; in our case, the materials are really expensive (in dollars, but also in labor and opportunity cost) and time is of the essence.
That's not an area in which biology does very well.
You can only secure yourself for known forms of atack. In the begging of the internet, as far as I know, were indeed very insecure, since no one never thougth of atacks coming from the network. The intenet began to be secured after the first worm were made that was realy a great-grand-father of the nimda that used a combination of shell scripts and compiled code to propagate and installing it self and it did propageted as fast as wild fire, the net was almost shuted down because of it. After that the net wasn't safe anymore.
Careless? No, I don't think so. You simply can't prevent something that yuo don't even know where it is coming from. No one would think to protect a city against a comercial airplane, now I bet people think about that, rather seriously.
[]'s Victor Bogado da Silva Lins
^[:wq