Saturday, September 29, 2007
Bejtlich on Anemone and End System Monitoring
Bejtlich's Blog on Anemone reminded me on the [under]value of tools like iplog (it seems to have disappeared from the Debian package repository, it must have been back in 3.0 days and I know there were 3-4 of these types of tools, portsentry was another one) that simply log 3-5 tuple (src/dst/proto and ports) are raved about when they come from a router (i.e. NetFlow) but this value of this on the end system never got the attention it deserved? Maybe because there was no decent way to do analysis? Or the sort of logging was integrated into host-firewalls or IPS? Not sure.
Anyway, as part of more normal new Debian workstation/laptop install, I would always enable udp/tcp/icmp logging and back in the wild west worm days (2001-2003?) there was pretty interesting stuff deep within the campus network of a large enterprise where I worked. And before I knew what a BBMD was I found it due to the UDP broadcasts to 47808.
So the belief that there should be an easy for "dumb" end-hosts (that may be constantly joining, leaving, moving from wired to wireless, etc.) to share arbitray security info and P2P architectures such as those provided by JXTA seem to be a logical means of doing so. Whether something like this ultimately proves to be deployable or even useful, we shall see, but there is a lot more development ahead before we can say.
(BTW: the diagram came from Chapter 4 of the JXSE 2.5 Programmers guide)