Dailydave mailing list archives

Re: Semi-anonymized moderation.


From: "Chris Rohlf" <chris.rohlf () gmail com>
Date: Mon, 28 Jan 2008 13:13:58 -0500

NIDS was not always worthless. I think the attack volume is just too
large now to monitor effectively with signatures with any hope of no
false positives. Most of my NIDS work these days can be done with
ngrep and a bash script because typically I am looking to find the
malware-of-the-day.

As for Dave's presentation, one time use 0day cannot be stopped, this
is pretty clear to anyone in this industry. And no NIDS will detect
it. And even if it does - it's buried among 5000 other alerts for
google chat and browser toolbar installs. In my experience, NIDS are
slowly turning into mis-configuration/policy detection tools, which is
fine, but doesn't detect an attacker. However some other Anti-* tools
are still somewhat effective and relevant compared to nothing at all.
It's entirely reactive but organizations that use the technology (not
develop it) don't have many other options. The 'real problem' (bad
software) - is not theirs to solve, but it is theirs to deal with.

On 1/28/08, Kowsik <kowsik () gmail com> wrote:
After 5+ years of stopping this, stopping that, writing anti-malware,
anti-dos, anti-backdoors, anti-vulnerabilities, anti-scanners,
anti-spoofing, anti-this and anti-that, it pretty much came down to
"ENOUGH ALREADY!", for me.

Being reactive just ain't fun. It gets pretty damn tiring after a
while when for every rule the ID/PS has, there are like a million
exceptions on the network. No, I'm not just talking about evasions and
obfuscations. One small step for the attacker, one impossible jump for
the rest - especially with the current approach.

This is not a dig on specific products or how they work. They do what
they are intended to do reasonably well. However, the problem they all
set out to solve is inherently intractable.

K.

On Jan 28, 2008 6:39 AM, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Post from Mark Loveless who is subscribed from a diff email and hit
"reply all". My moderation gui drops anything from anyone not
subscribed, so I'm "moderating" this manually.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave my man.  I agree that security is an arms race for
signature based products.  Though should we throw out the baby
with the dirty water?  Is no firewall, VLANs, route filtering,
IDS, AV, central management/logging, etc better than a lame one?
And besides perhaps some witty vendor will come up with a new
solution.   :)

I'll bite. I'd say as a person who has worked on multiple security
products, it is a losing battle. The network is simply hostile. Forget
the firewalls with holes in them to allow users to send/receive email,
web traffic, IM, plus "trusted" vendors, suppliers, contractors,
overseas divisions, and an increasing mobile workforce -- there are
simple rules of physics to contend with here, and as a result the
network on both sides of the firewall is hostile.

If every exploit set the evil bit, we'd just look for that one thing.
However any signature-based system has to look at all possible attacks.
Now for even ASIC-based systems, you run out of memory real quick. This
is the physics thing I mentioned earlier. Most IDS/IPS vendors have a
ceiling limit on about 1800-2000 signatures that can be active at once.
NO vendor ships with all 5k-10k signatures turned on. The machine would
drop packets and grind to a halt. Therefore what signatures do you pick?
Only the ones that affect your user base? What about home users coming
in via VPN (doubly bad, you may not support the platform AND the
communication is encrypted)? Do you think anti-virus companies have it
any better?

What about anomaly-based host systems? Arguably better, however there
are two factors that prevent massive deployment:

1) You now have to run low-level code on all your systems. Aside from
the technical issues that this may cause, your CxO types may have gotten
burned when the last time code was loaded on every system, it didn't
prevent some massive infection. Additionally, the Gartners of the world
are quick to point out that the upper right quadrant is filled with
signature-based companies anyway, so any consultants/sales people
wanting to make a sale have to explain away that upper quadrant in that
goofy chart. Hybrid systems that use sigs for the low-hanging fruit and
anomaly detection for the hard stuff might creep into the upper right
quad (hopefully you know what I mean by Gartner's upper right quad,
google it if you don't know).

2) It is cheaper to deploy technology at the "choke points" instead of
everywhere, and A/V is about all you can expect to get on the desktop
nowadays. Besides the auditors of the world will tell your organization
that due diligence is having that A/V there, on the Exchange server, and
the fact you have a firewall pretty much has you covered from an audit
standpoint.

My solution would be to lock down the desktops and servers via
hardening, run email and web browsers in sandboxes, and replace the
firewalls with router ACLs that simply take large swipes at the traffic
to help create a division from the outside world. Firewalls are simply
glorified routers at this point anyway, as most are configured to allow
certain types of traffic right in through the front door.

I used to quote Frank Zappa's comments on modern jazz as "jazz isn't
dead, it just smells funny" in presentations, saying the same thing
about perimeter security. Around 2002 or so I simply started saying
perimeter security is just dead. I had a very serious discussion about
this very topic with Bill Cheswick around the same time, with both of us
threatening to write a paper or article on the topic.

Every time I hear the argument that some level of security, even lame
security, is better than NO security, I think about my Zappa
paraphrasing. In my opinion, lame security is WORSE than no security,
simply because most of the people involved (think CxO/pointy-haired boss
types) live with a sense that they are being protected, when in fact
they are not. The ones with no protection are not living a lie -- they
are at least AWARE they really have no security.

Mark
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFHlnf7cWrXS8hLmpIRAlV3AJ4xm+t46kKtUaFZ3zbVB9VmEUIPqwCfcNgi
yEHFuPRkLlrQEI90G/h3RQg=
=DhdV
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHnekTB8JNm+PA+iURAgnLAJ9/MYp/eoneY4TwIr50XRIlAZBgCgCgj8ME
48wF+iNSfnb0rOEBiF/eSpk=
=d2Lw
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave