Interview with Rafeeq Ur Rehman, author of “Intrusion Detection with SNORT”

Who is Rafeeq Ur Rehman? Introduce yourself to our readers.

I am working as Managing Consultant at Dedicated Technologies Inc. where we provide services related to enterprise security and IT management. In my spare time, I also work on open source and free software projects with my friends at Argus Network Security Services. We have made a free version of Snort based EasyIDS for Linux as a community service. I have bachelor and masters degrees in Electrical and Computer Engineering from the University of Engineering and Technology Lahore. I have authored four books, two of these are under Bruce Perens’ Open Source Series. This series is aimed at creating open books which are feely downloadable and modifiable. I believe that this is an excellent community service to promote open source software.

How did you get interested in computer security?

It started with my Masters Degree thesis where I had to test efficiency of some firewall products. Since then I have been working with security products one way or the other. The computing and networking infrastructure is a universal asset and all of us are benefiting from the ubiquitous computing resources available all over the world. I think working for security of this infrastructure is more than a job and is very important for business as well as future of computing community itself. Best of all, it provides new challenges every day and I love it.

Do you have any favorite security tools?

My favorite tools are Nessus and nmap. These are great tools for assessment of security of your networks and to plug holes that may be exploited by hackers. Other than these two tools, my best security friend is Ethereal which is an excellent protocol analyzer.

How long did it take you to write “Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID” and what was it like?

It took about 10 months to write and publish the book. This is published under Bruce Perens’ Open Source series. This was one of the first initiatives to publish documentation on Snort in the form of a book and I am glad it worked well.

In your opinion, what are the most important things an administrator has to do in order to keep a network secure?

Being proactive is the single most important thing for security administrators. It is good to subscribe some security alert mailing lists to keep yourself up-to-date on new security issues. Keep the network holes plugged in all times, which is a continuous job. Intrusion detection is one way of proactive approach where you keep an eye on what hackers are trying to exploit. Based upon IDS data you can work on problems before they grow in magnitude. That is why use of Snort and other tools is very important and spending resources on IDS is justified. And beware of internal users! I repeat, beware of internal users.

Based on your experiences, do you find proprietary software or open source software to be more secure?

Debate of using open source and proprietary software for security related applications is not about which software is more secure; it is about support and responsibility in case of any security breach. Most of the business, who prefer to use proprietary software, need someone to be held accountable in such a situation and they also need support guarantee. Guarantee of support and insurance is not available with most of the open source products so people look for proprietary solutions. As for as security of open source products themselves are concerned, I believe they are more secure because security holes are more actively searched, found, and fixed in these products by people all over the world.

What do you think about the full disclosure of vulnerabilities?

I am against full disclosure of vulnerabilities. It does not serve any interest of people who are responsible for security related issues. Yes it may be helpful for hackers. As security professionals, we should be responsible to disclose security related things to only those people who will fix these problems (vendors or developers of open source products). Broadcasting information about vulnerabilities is not in the best interest of the security community.

What advice would you give to people starting to learn about intrusion detection?

I would suggest learning protocols headers and use of sniffers and protocols analyzers (e.g. Ethereal and tcpdump) first. Without knowing what protocols are, and how hackers exploit these protocols, it is difficult to implement a good IDS policy. For example, to detect port scanning, you must know how different flags in TCP header are used for port scanning. Similarly a sniffer is the most important tool under a security person’s belt and you must learn and use it extensively.

What are your future plans? Any exciting new projects?

Other than my routine job at Dedicated Technologies, I am working on open source projects to integrate some of these products into solutions so that they can be easily used by security administrators. I am also working on a series of open source books as well.