LinuxSecurity.com: Interview with Marcus Ranum CEO of NFR on Intrusion Detection, Linux, & Security | Linux Today

Written By
Dave Wreski
Jun 12, 2000

“Recently I got an opportunity to speak with Marcus Ranum,
Founder and Chief Technical Officer for Network Flight Recorder,
developers of network intrusion detection products. He has
specialized in Internet security since he built the first
commercial firewall product in 1990. He has acted as chief
architect and implementor of several other notable security systems
including the TIS Firewall Toolkit, TIS Gauntlet firewall,
whitehouse.gov, and the Firewalls FAQ. Marcus frequently lectures
on Internet security issues, and is co-author of the “Web Site
Security Sourcebook” with Avi Rubin and Dan Geer….”

Can we start with having you explain what an intrusion
detection system actually is, and a mention of the various types?
What is the difference between misuse detection and anomaly
detection? Host-based and network-based?

“Marcus Ranum: An intrusion detection system is a security
system designed to detect unauthorized accesses (or suspicious
activity) within a system or a network. Host-based intrusion
detection systems tend to focus on what’s happening within the host
itself. Network-based intrusion detection systems generally operate
at an IP level, trying to infer attacks against the network from
traffic and its contents. The host-based approach tends to focus on
logs, application states, and kernel information for its data
sources, while the network-based approach tends to focus on
packets. Of course, there is always some crossover: some
network-based systems look for host problems, and some host-based
intrusion detection systems latch the bottom of the host’s IP
stack and look at packets….”

