Fosdem Linux Pro 
 [ Home ] [ Interviews ] Free and Open Source Software Developers' Meeting 


 This Year

Developers Room


 Practical Info


 Press Room

-- ABOUT US --
 Support FOSDEM

 Promotional material

 The FOSDEM Team

 Our Sponsors

 The Story

 Contact FOSDEM




 Become a member

 Why register?


2003/02/04 - Yoann Vandoorselaere

Prelude IDS

An interview conducted by Alain Buret
Alain Buret - Please present yourself

Yoann Vandoorselaere - My name is Yoann Vandoorselaere, I live in France and I'm the founder and main developer of the Prelude Intrusion Detection System. I've worked on many free software project, such as libsafe, libpcap (a library for packet capture), the Nautilus file manager, OMS (Open Media System), libvo, the Linux kernel and others.

I'm a Free Software enthusiast.

Alain Buret - What decided you to start this new project ?

Yoann Vandoorselaere - I originally started Prelude in 1998 because of the lack of IDS in the free software world (I was not aware of any other IDS at this time). I was a system administrator at the time, and we were in need of such tools.

Also, I think there is no better way than experience for learning: I like rewriting something in an empirical fashion until I think it's perfect (well there's nothing perfect, so let say "good enough").

Alain Buret - It seems that you have two passions : Linux and security in Linux systems. Is there a particular reason for that ? What do you find attracting in the security world?

Yoann Vandoorselaere - Securing systems implies that you know how these systems work.

For example, in order to develop a Network Intrusion Detection System, you have to deeply understand how machines interact with one another, in heterogeneous network. This means you have to investigate deeply how the different communication protocols work.

Once you have done that, you have to deal with incompatibilities between vendors. Some respect RFC, other do not... And you have to provide workaround if possible.

Also, being in the security world implies that you are part of a race, where you investigate security flaws found by others, and try to find relevant solutions in order to fix them. Chicken and egg problem.

So, in order to answer the question, I would say that I love security because it's a domain where you have to understand the deep structure of things. And at the same time, you have to be generalist enough to handle the development of different kinds of IDS... Which is a kind of contradiction :)

Alain Buret - Prelude-IDS is your toy project. Prelude is a rather innovative Intrusion Detection System, can you explain us why and how it is better than other Intrusion Detection Systems ? How does it compare to commercial Intrusion Detection Systems ?

Yoann Vandoorselaere - Well, I don't want to be the one that will say "Prelude is better than xxxx IDS". I'm not the good person to do this. Prelude just reflects my picture about how we should deal with security problems in this world. And there are a lot of different points of view.

However, from my perspective, I think Prelude is more reliable than others IDS because it doesn't rely on a single source of information in order to detect intrusion. We have different kinds of sensors analyzing different kinds of information stream.

All the events generated by these sensors are centralized at a given place. From there, you can correlate events generated by these different sources, and deduce what has to be deduced.

Moreover, it's very easy to port existing security applications so that they can report events to the Prelude IDS system. For example, latest Libsafe releases include Prelude support. And we distribute patches for Snort, Honeyd and Systrace so that they can be made Prelude aware. We hope that in the future these patches will be included in release versions of these programs.

You might want to have a look at for further information about Prelude's architecture.

Alain Buret - Trying to prevent your servers to be attacked and cracked is an everyday battle. What technique do you think is the best: detecting and reacting, or preventing, or both ?

Yoann Vandoorselaere - Having a good IDS is worth nothing if you don't have a good security policy on your network. You might detect some of the attacks, but there is no way you'll detect them all.

Furthermore, reactive capabilities can be used in certain cases, but have to be applied with lot of caution because of the inherent risk of a self-inflicted Denial Of Service. This means you can't react against every attacker, or every kind of attack. You might defeat some of the attacks, but you won't defeat them all.

And even if you forget about all these problems, the time frame needed to take counter measure against a given attacker, which is present in every IDS product, might be large enough for the attacker to gain permanent access to your system using different techniques.

Detection and Reaction is not enough, and will never, ever be. You also need a rock solid security policy.

Alain Buret - How does Prelude-IDS react in case of high network load ?

Yoann Vandoorselaere - I can't answer this question without further precision on your side: as the Prelude Hybrid IDS is composed of several sensors, and Managers handling output from these different sensors. Each of these programs uses different solutions permitting them to handle high load.

Alain Buret - Is Prelude-IDS used in professional environments ?

Yoann Vandoorselaere - Yes, Prelude is used and deployed by several organisations, companies, and governments agencies in France and worldwide. I have no right to reveal their name thought.

However, it's only the beginning, and Prelude is less used than others IDS right now, because Prelude is a young project, and it's set of features/capabilities has started to be known recently.

Alain Buret - What are your expectations from your FOSDEM talk ?

Yoann Vandoorselaere - We will talk about the Prelude design and architecture. What we did, why we did it that way, and why we think a 'meta' IDS model (ability to gather information from different sources, host based, network based, and other) is more reliable than the other models.

We'll also talk about the facilities provided by the Prelude library (libprelude), which allow integration of third-party software into a Prelude system.

We expect this talk to make Prelude more widely known, and to provide useful information to user who wish to know the difference between Prelude and other IDS.


  Special announcement

will take place
on February 8 - 9 2003
in Brussels...

  FOSDEM search

  Search this site :


  Best background:
best background

Create the coolest Fosdem background design and win cool stuffs... More info

  Sponsors corner


 [ Home ] [ Interviews ] © FOSDEM 2002 - powered by Argon7