Updated: 23.6.2002; 12:30:38 GMT.

Security weblog



Tuesday, May 14, 2002

Unsettling Parallels Between Security and the Environment

Environmental scaremongers tell us on Monday that the oil will run out in 25 years, bringing civilisation to a stop, and on Tuesday that global warming will drown East Anglia by the end of this century. No connection seems to be made; no-one stops to object that at most one of these predictions is likely to be true. Security scaremongers tell us on Wednesday that email is so easy to tap on the Internet that we should beware for our credit card numbers, but when on Thursday the FBI say that tapping email on the Internet is so hard that they need a special 'Carnivore' box at each ISP, the connection is again not made. If tapping email is really so much harder than opening the physical mail, are the dozens of encryption companies selling anything of value - or should the stock market regulators be taking a closer interest in their promoters? [Ross Anderson at Workshop on Economics and Information Security]


Let's be honest, security is fuelled by hype as much as the rest of IT. Vulnerability research and testing is a specific example of this. Talking about hype, the previous rulers of security fad land were PKI and IDS; now the reign of identity management is slowly descending upon us.

P.S. If you haven't read Ross's book, I urge you to go and buy it. It is by far the most influential text on security I have ever read. If you decide not to go for the book, the papers on his website are original and insightful and well worth a look.

11:03:07 PM
IDS on decline

The shine is definitely off intrusion detection systems, and IDS vendors know it. Funny how IDSes used to be the coolest thing going--until people actually started using them.

The biggest complaint, always, is false positives. I constantly hear horror stories about IDSes spitting out reams of alert data that nobody has time to sift through. [Information Security].

The thing is that network IDS is high-maintenance. It requires laborious initial tuning, and that tuning has to be repeated each time something changes on the monitored network segment - guess how often that happens. Besides this, the alerts need to be watched by knowledgeable personnel almost round the clock. Managed security services, such as those provided by Counterpane or ISS, are the answer, but even they don't come particularly cheap.
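To make the tuning point concrete, here is an added example (mine, not code from this page or from any IDS product): a toy signature matcher run over a constructed traffic sample, first out of the box and then with the three usual tuning knobs applied - suppressing an authorised scanner, qualifying each rule by port, and alerting only on hosts that actually run the service. The rules, the addresses, the traffic and the "one web server at 10.0.0.20" asset list are all assumptions.

```python
"""Signature alerting over a constructed traffic sample, before and after tuning.

Added example, not code from the original page or from any IDS product. The
rules, the traffic and the network layout (office segment 10.0.0.0/24, an
authorised vulnerability scanner at 10.0.0.5, one real web server at 10.0.0.20)
are constructed assumptions for illustration.
"""
import re
from collections import Counter

# Signature rules, Snort-like in spirit: name -> (expected destination port, payload pattern).
RULES = {
    "WEB-CGI phf access":   (80, re.compile(r"/cgi-bin/phf")),
    "WEB-MISC /etc/passwd": (80, re.compile(r"/etc/passwd")),
}

# Environment knowledge the untuned sensor does not have (assumed).
AUTHORISED_SCANNERS = frozenset({"10.0.0.5"})
WEB_SERVERS = frozenset({"10.0.0.20"})

# Constructed sample: (src, dst, dport, payload excerpt).
EVENTS = [
    ("10.0.0.5",    "10.0.0.20", 80, "GET /cgi-bin/phf HTTP/1.0"),             # authorised scanner
    ("10.0.0.5",    "10.0.0.21", 80, "GET /cgi-bin/phf HTTP/1.0"),             # authorised scanner
    ("10.0.0.5",    "10.0.0.22", 80, "GET /cgi-bin/phf HTTP/1.0"),             # authorised scanner
    ("10.0.0.5",    "10.0.0.20", 80, "GET /../../etc/passwd HTTP/1.0"),        # authorised scanner
    ("10.0.0.7",    "10.0.0.20", 80, "GET /index.html HTTP/1.0"),              # benign browsing
    ("10.0.0.7",    "10.0.0.20", 80, "GET /docs/passwd-policy.html HTTP/1.0"), # benign browsing
    ("10.0.0.9",    "10.0.0.25", 25, "Subject: advisory on /cgi-bin/phf"),     # mail discussing the bug
    ("203.0.113.8", "10.0.0.20", 80, "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"),  # real attack
    ("203.0.113.8", "10.0.0.21", 80, "GET /cgi-bin/phf HTTP/1.0"),             # probe of a host with no web server
]


def detect(events, rules, suppress_src=frozenset(), targets=None, check_port=False):
    """Return (rule, src, dst) for every rule match, subject to the tuning knobs."""
    alerts = []
    for src, dst, dport, payload in events:
        if src in suppress_src:                          # suppression: known-benign sources
            continue
        if targets is not None and dst not in targets:   # asset filter: only hosts running the service
            continue
        for name, (port, pattern) in rules.items():
            if check_port and dport != port:             # port qualifier on the rule
                continue
            if pattern.search(payload):
                alerts.append((name, src, dst))
    return alerts


def untuned(events=EVENTS):
    """Out-of-the-box behaviour: every signature match is an alert."""
    return detect(events, RULES)


def tuned(events=EVENTS, web_servers=WEB_SERVERS):
    """After tuning to this segment; must be redone whenever the segment changes."""
    return detect(events, RULES, suppress_src=AUTHORISED_SCANNERS,
                  targets=web_servers, check_port=True)


def by_source(alerts):
    """Alert count per source address, the first thing an analyst looks at."""
    return Counter(src for _, src, _ in alerts)


if __name__ == "__main__":
    for label, alerts in (("untuned", untuned()), ("tuned", tuned())):
        print("%s: %d alerts, per source %s" % (label, len(alerts), dict(by_source(alerts))))
```

The tuned run keeps the two alerts that matter and drops the six that do not, but the asset list has become part of the detection logic: stand up a web server on 10.0.0.21 without updating WEB_SERVERS and the probe against it is silently dropped, which is exactly the re-tuning-on-every-change burden described above. The `web_servers` parameter of `tuned` is there to show that.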

10:42:21 PM
Gartner on SOAP firewalls
"To provide edge security in this application-centric world, Gartner believes that application-level firewalls will be required for enterprises to enforce security policies at network trust boundaries. Gartner defines an application-level firewall as a device that inspects the contents of communications to implement application-specific security policies. Examples include the inspection of SOAP payloads to detect data-based attacks or other malicious payloads, the enforcement of security policies specific to sales force automation or customer relationship management applications, and the inspection of requests to retrieve, delete or modify files in a storage-attached network. By 2003, the rise of Web services will drive the first wave of application-level firewalls.

Although early-adopter, Type A enterprises will be willing to allow Web services connections directly to internal servers, risk-averse, Type B enterprises will require application-specific firewalls for high-value e-business applications and will continue to use network firewalls to shield trusted networks from external, network-level attacks. Application-level firewalls will be required to provide edge shielding for servers running Web-services-exposed applications. These firewalls will focus on a small number of protocols, primarily HTTP and SMTP in the Web services world, and they will require a high degree of application awareness to filter malicious XML constructs and encapsulations." [ZDNet]
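What that kind of payload inspection looks like in practice, as an added example that is not from this page, from Gartner or from any vendor product: a filter for SOAP 1.1 requests that enforces a size cap, refuses any DTD (so entity-expansion and external-entity constructs never reach the parser), bounds element count and nesting depth while parsing, checks the envelope structure, and lets only an allowlisted namespace and operation through to the back end. The namespace urn:example:crm, the two operation names and the numeric limits are assumptions; the sample requests are constructed.

```python
"""SOAP payload inspection at a trust boundary, in the spirit of the
application-level firewall described above.

Added example, not code from the original page or from any product. The
operation allowlist (urn:example:crm), the operation names, the limits and
the sample requests are constructed assumptions for illustration.
"""
from xml.etree import ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
# Assumed policy for one back-end application: the (namespace, operation) pairs it may receive.
ALLOWED_OPS = frozenset({("urn:example:crm", "GetCustomer"), ("urn:example:crm", "UpdateAddress")})
MAX_BYTES = 64 * 1024     # assumed limits; set per application
MAX_DEPTH = 16
MAX_ELEMENTS = 2000


class Reject(Exception):
    """Policy violation: the firewall drops the request and logs str(exc)."""


def _qname(el):
    """Split ElementTree's '{ns}local' tag form into (ns, local)."""
    if el.tag.startswith("{"):
        ns, local = el.tag[1:].split("}", 1)
        return ns, local
    return "", el.tag


def inspect_soap(raw):
    """Return (namespace, operation) for an acceptable SOAP 1.1 request, else raise Reject."""
    if len(raw) > MAX_BYTES:
        raise Reject("payload exceeds %d bytes" % MAX_BYTES)
    try:
        text = raw.decode("utf-8")   # the string check below is blind to other encodings, so refuse them
    except UnicodeDecodeError:
        raise Reject("payload is not UTF-8")
    # No DTD at all: blocks entity expansion (billion laughs) and external entities (XXE) before parsing.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise Reject("DTD/entity declarations are not allowed")

    parser = ET.XMLPullParser(events=("start", "end"))
    stack = []            # (ns, local) of every currently open element
    elements = 0
    operation = None

    def on_event(event, el):
        nonlocal elements, operation
        if event == "end":
            stack.pop()
            return
        elements += 1
        if elements > MAX_ELEMENTS:
            raise Reject("more than %d elements" % MAX_ELEMENTS)
        stack.append(_qname(el))
        depth = len(stack)
        if depth > MAX_DEPTH:
            raise Reject("nesting deeper than %d" % MAX_DEPTH)
        if depth == 1 and stack[0] != (SOAP_ENV, "Envelope"):
            raise Reject("root is not a SOAP 1.1 Envelope")
        if depth == 2 and stack[1] not in ((SOAP_ENV, "Header"), (SOAP_ENV, "Body")):
            raise Reject("unexpected child of Envelope: %s" % (stack[1],))
        if depth == 3 and stack[1] == (SOAP_ENV, "Body"):
            if operation is not None:
                raise Reject("more than one operation in Body")
            operation = stack[2]
            if operation not in ALLOWED_OPS:
                raise Reject("operation not permitted: %s" % (operation,))

    try:
        # Feed in chunks so a limit violation stops parsing early rather than after the whole document.
        for i in range(0, len(raw), 1024):
            parser.feed(raw[i:i + 1024])
            for event, el in parser.read_events():
                on_event(event, el)
        parser.close()                       # a truncated document surfaces as a ParseError here
        for event, el in parser.read_events():
            on_event(event, el)
    except ET.ParseError:
        raise Reject("malformed XML")
    if operation is None:
        raise Reject("no operation in Body")
    return operation


def verdict(raw):
    """Convenience wrapper: ('accept', ns, op) or ('reject', reason)."""
    try:
        return ("accept",) + inspect_soap(raw)
    except Reject as exc:
        return ("reject", str(exc))


# Constructed sample requests.
GOOD = (b'<?xml version="1.0"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        b'<crm:GetCustomer xmlns:crm="urn:example:crm"><crm:id>42</crm:id></crm:GetCustomer>'
        b'</soap:Body></soap:Envelope>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
       + GOOD.split(b'?>', 1)[1].replace(b'42', b'&f;'))
FORBIDDEN = GOOD.replace(b'GetCustomer', b'DeleteAllCustomers')
NESTED = GOOD.replace(b'<crm:id>42</crm:id>', b'<a>' * 30 + b'</a>' * 30)
TRUNCATED = GOOD[:len(GOOD) // 2]

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("XXE", XXE), ("FORBIDDEN", FORBIDDEN),
                      ("NESTED", NESTED), ("TRUNCATED", TRUNCATED)):
        print(name, verdict(doc))
```

Refusing anything that is not UTF-8 is deliberate: a string check for `<!DOCTYPE` is only as good as its view of the bytes, and a UTF-16 payload would walk straight past it. The same goes for the size cap, which is what keeps the "feed and check" loop bounded; an application-level firewall that parses first and asks questions afterwards has simply moved the resource-exhaustion problem from the server to itself.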

9:54:24 PM

 

Copyright 2002 © Jiri Ludvik.