Firewall Wizards mailing list archives

RE: how to do intrusion detection right


From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 20 Apr 1998 06:38:11 -0400

I think one thing not mentioned directly concerning the worth of IDS as a 
whole, is that like an NFR, or a firewall, or tools like Net Sonar, 
 Ballista, or whatever, they are just that.  Tools.  As a system 
administrator, or if you are lucky to be able to find and afford one, a 
security specialist, we all use TOOLS to make our jobs easier, and more 
efficient.  If I employ an IDS to catch some of the soft net noise hackers, 
then it has saved me time and made me more efficient.  Sure, I could sit 
and write my own scripts to do the same thing.  Heck, I bet I could even 
learn to make a nice little GUI for it too.  If I had the time that is, and 
my employer was willing to accept lower productivity because I was writing 
code, instead of performing my daily tasks.  Unfortunately, few of us can 
have that luxury.

IDS systems, even with their flaws and vulnerabilities, still have a place 
right alongside the firewalls, routers and virus-checker tools we use today 
in order to keep the electronic monster on a leash.

Think about it, I used to think those electronic pets were stupid gimmicks, 
then I sat down with my firewall this morning and looked back at all the 
care and feeding it requires.  Who's the fool?

-----Original Message-----
From:   Sheila Or Bob (depends on who is writing) [SMTP:shsrms () erols com]
Sent:   Saturday, April 18, 1998 9:29 AM
To:     Nicholas Charles Brawn
Cc:     firewall-wizards () nfr net
Subject:        Re: how to do intrusion detection right

Nicholas Charles Brawn wrote:

Would you then not run the risk of attackers masking hostile traffic by
making it appear to look "expected"?

Nicholas Brawn

Exactly!  The gabriel and other scan detectors are easily defeated by a
patient low-level attack - spread things over a time period that is
beyond their threshold, do things aperiodically.
Sometimes humans can discern something is out of the ordinary.
Sometimes they can't.

In the event of establishing a profile of the net "what is normal
traffic" with a new IDS, they can be confused with what I call white
noise, so that things look like they are expected!
bob


--
Email: ncb05 () uow edu au
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

On Thu, 16 Apr 1998, George J. Dolicker wrote:

I think perhaps what the intrusion detection system might do is not look
for something "interesting", but rather something "different".  Rather than
trying to define what is a problem, define what is NOT a problem... so
configure the IDS to smile upon traffic that is expected, and panic over
anything else.

Same principle we use in firewalling:  that which is not explicitly
permitted is denied.

G.

At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
When the administrator can tailor the IDS to unacceptable/interesting
stuff on the net, what he does is transfer his own mindset about security
to the IDS. I then have a machine that "thinks" like me, which thus alerts
me about facts that I am already aware of - a useful thing that may save
some work, but will not help me notice next week's bug being exploited.

I may be stupid, but what is "interesting" is something I do not know
before an intrusion attempt.
Tomorrow's attack may use some technique that is "obviously" safe today,
thus bypassing my (human or computer) filtering layer. Using a sufficiently
"new" technique, my firewall will probably not notice that it has been
broached. What _can_ help me is having a complete log of everything that
has been going through the network, which I can then analyze to understand
what has happened. An intrusion analysis system, if you will - which
so far includes a large human component.

-Martin




--
real address is shsrms at erols dot com
The Herbal Gypsy and the Tinker.



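The two detection styles argued over in this thread, as an added illustration that is not part of any post above: a threshold scan detector of the kind Bob says a slow, spread-out probe walks past, and George's "permit what is expected, flag everything else" profile rule. The log is a constructed sample and the window/threshold values are assumed, not taken from any real product.

```python
from collections import defaultdict

# Constructed sample connection log: (timestamp_seconds, src, dst, dst_port).
FAST = [(t, "10.0.0.5", "10.0.0.1", 20 + t) for t in range(8)]        # 8 ports in 8 s
SLOW = [(600 * i, "10.0.0.9", "10.0.0.1", 20 + i) for i in range(8)]  # 8 ports, one per 10 min
NORMAL = [(t * 30, "10.0.0.7", "10.0.0.1", 80) for t in range(20)]   # ordinary web traffic
EVENTS = sorted(FAST + SLOW + NORMAL)

# George's rule: the profile of traffic the IDS "smiles upon" (assumed for the sample).
PROFILE = {("10.0.0.1", 80)}


def scan_sources(events, window, threshold):
    """Sources that touched >= threshold distinct ports on one host within
    any span of `window` seconds (a classic gabriel-style threshold detector)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), probes in by_pair.items():
        for i, (start, _port) in enumerate(probes):
            ports = {p for ts, p in probes[i:] if ts - start <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def unexpected(events, profile):
    """Events outside the expected (dst, port) profile: 'panic over anything else'."""
    return [e for e in events if (e[2], e[3]) not in profile]


if __name__ == "__main__":
    # A one-minute window catches the burst scan but not the patient one;
    # only a much wider window (more state to keep) recovers it.
    print(scan_sources(EVENTS, window=60, threshold=5))
    print(scan_sources(EVENTS, window=3600, threshold=5))
    # The profile rule flags both scans whatever their timing, but anything
    # sent to an expected (dst, port) passes unseen: Bob's "white noise".
    print(len(unexpected(EVENTS, PROFILE)), len(unexpected(NORMAL, PROFILE)))
```

The profile rule is timing-independent, so it does not share the threshold detector's blind spot, but it inherits Martin's objection instead: it only knows what the administrator declared expected.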