LinuxSecurity.com: Interview with Marcus Ranum, CEO of NFR, on Intrusion Detection, Linux, & Security
Jun 12, 2000, 09:00
By Dave Wreski
"Recently I got an opportunity to speak with Marcus Ranum, Founder and Chief Technical Officer for Network Flight Recorder, developers of network intrusion detection products. He has specialized in Internet security since he built the first commercial firewall product in 1990. He has acted as chief architect and implementor of several other notable security systems including the TIS Firewall Toolkit, TIS Gauntlet firewall, whitehouse.gov, and the Firewalls FAQ. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Sourcebook" with Avi Rubin and Dan Geer...."
"Can we start with having you explain what an intrusion detection system actually is, and a mention of the various types? What is the difference between misuse detection and anomaly detection? Host-based and network-based?"
"Marcus Ranum: An intrusion detection system is a security system designed to detect unauthorized accesses (or suspicious activity) within a system or a network. Host-based intrusion detection systems tend to focus on what's happening within the host itself. Network-based intrusion detection systems generally operate at an IP level, trying to infer attacks against the network from traffic and its contents. The host-based approach tends to focus on logs, application states, and kernel information for its data sources, while the network-based approach tends to focus on packets. Of course, there is always some crossover: some network-based systems look for host problems, and some host-based intrusion detection systems latch the bottom of the host's IP stack and look at packets...."