On Dec 26, 2006, at 4:19 PM, coderman wrote: > the only example that comes to mind is distributed / collaborative > anomaly detection systems which become more robust with a larger > number of entities and interactions to observe.
While scale introduced complexity in terms of opex and maintenance, I'm not sure it carries the distinction of qualitative complexity implied by the previous poster. Perhaps a better example would be an anomaly-detection system which correlates multiple types of telemetry with differing paradigms (say, NetFlow alongside syslog) in order to increase the fidelity of detection/classification/traceback/analysis. Another example would be introducing antispoofing functionality into a network infrastructure by deploying uRPF, IP Source Verify, iACLs, et. al. - this does introduce more complexity into the system, but it has very real security benefits both for the deploying organization as well as other organizations who in some fashion interconnect to one degree or another with the deploying organization (i.e., everyone on the public Internet, business partners interconnected via extranet WAN links or VPN tunnels, etc.). Enabling telemetry export/ collection/analysis, deploying iACLS/rACLs/CoPP, enabling telemetry export to collection/analysis systems, and many other similar activities are also examples of increased complexity leading to better security. As an aside, Slammer did not in fact take down 'much of the Internet'; some SP infrastructure was affected, but the vast majority of networks affected were enterprise networks. http://www.caida.org/publications/papers/2003/sapphire/sapphire.html http://www.beyondbgp.net/pubs/2003/bbgp_iwdc03.pdf http://momo.lcs.mit.edu/slammer/ http://www.eecs.umich.edu/~zmao/Papers/SPECTS06-camera.pdf ----------------------------------------------------------------------- Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice All battles are perpetual. -- Milton Friedman _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
