Hi DU Admins
I asked about Polycenter Security Intrusion Detector.
Whether anyone was using it, how well it worked, what
performance hit it caused and any hints or suggestions
regarding configuration. I also asked about the security
of the PSID logs and mail messages.
Thanks to Alan Davis at Digital and Arno Hahma for their
replies.
Firstly both suggested the same obvious solution of having
the notifications mailed offsite to protect against tampering.
Alan sent a lot of information about the product which I won't
include here but which I can pass on to anyone who's interested.
There's a brief summary below.
I was really hoping to hear from someone who's actually using
the product but either noone on this list is using it or they
didn't bother to reply. I suppose one possibility is that
security conscious sites might not like to advertise which
security measures they're employing.
I may trial this product soon but for the moment I'll stay
with tripwire.
Brief summary of PSID:
o operates in real time.
o looks at a series of actions rather than a single action
to detect a security violation and avoid false alarms.
o can be configured to take counter measures itself without
human intervention.
o uses the audit subsystem to capture event information.
o preformance penalty depends on the number of events monitored.
The audit subsystem has the largest impact.
o can be configured to monitor a remote system.
o monitors a large range of critical security events.
Ian
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Ian Mortimer _/
_/ ian_at_physics.uq.edu.au ,-_|\ Department of Physics _/
_/ Tel: +61 7 3365 3436 / *\ University of Queensland _/
_/ Fax: +61 7 3365 1242 \_,-._/ St. Lucia, Brisbane _/
_/ v Queensland, Australia 4072 _/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Disclaimer: Speaking only for myself.
Received on Thu Jul 09 1998 - 01:49:36 NZST