Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Adam Shostack <adam () homeport org>
Date: Wed, 18 Feb 1998 17:01:53 -0500 (EST)

Kurt Ziegler wrote:

| >>>One other big win that Darren Reed identified at Usenix was that a proxy
| >>>IDS can't drop packets. You can't overload it and sneak packets past that
| >>>way. If the IDS can't read the packet, it doesn't get proxied.
| >>>
| 
| *** you can not sneak packets by a sniffer-based tool either (anything that
| gets by is a bug and needs to be fixed). The Sniffer based IDS sees ALL the
| traffic that runs over the network and can identify the same abnormalities
| as the proxy and sees traffic that proxy may not see.

If the sniffer's packet queue is overloaded, it misses things.  If a
proxy's queue is overloaded, it drops packets.

To expand: Assume a system running a 1 mip with a small memory that
can hold 100 packets for processing.  If processing each packet takes
10,000 instructions, then the IDS can process a packet in 1/100 of a
second.  If it gets 200 packets in a second (spread evenly in arrival
time), then after 1/2 a second, it has processed 50 packets, and has
50 more in the queue.  If this continues for another half second, it
will have processed 100 packets, and have 100 packets in the queue.
If traffic flow continues, it will, in the next half second, process 50
of the messages in the queue, and need to maintain a queue of 150
packets, which exceeds its memory size.

        The above machine is small because I like engineering on small
machines.  (Moore's law protects us from all sorts of hard work.) The
example clearly scales to 500 mip machines with gigs of ram and fast
ethernet.

        If this is a proxy, it can choose to 1: drop packets or 2:
send them on unmolested (ignore them).  If this is an IDS, the drop
packet option is different.

Adam

Disclaimer: Netect is building a sniffer based IDS.  I work for
Netect.


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
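Added example, not from the original post or from Netect: the queue bookkeeping in Adam's message, stepped in his half-second increments, with the three overload outcomes he distinguishes modelled as policies. The rates (200 packets/s in, 100 packets/s of inspection capacity, room for 100 packets) are the post's; the policy names "sniffer", "proxy-drop" and "proxy-pass" and the assumption that arrivals and processing overlap within a step are mine.

```python
"""Queue-overload bookkeeping: passive sniffer IDS vs. in-line proxy.

Constructed example. Rates and buffer size are the ones in the post:
200 packets/s arriving, 100 packets/s of processing capacity, memory for
100 queued packets, evaluated in half-second steps.
"""
from dataclasses import dataclass
from typing import Optional

# Policies assumed for this example (labels are mine, not the post's):
#   sniffer     - passive tap: overflow still reaches the host, uninspected
#   proxy-drop  - in-line: overflow is discarded, never reaches the host
#   proxy-pass  - in-line: overflow is forwarded "unmolested", uninspected
DEVICES = ("sniffer", "proxy-drop", "proxy-pass")


@dataclass
class OverloadResult:
    processed: int                     # packets the engine actually inspected
    queued: int                        # packets still waiting at end of run
    overflow: int                      # packets that arrived when memory was full
    host_saw_uninspected: int          # overflow that reached the host anyway
    dropped: int                       # overflow that never reached the host
    first_overflow_s: Optional[float]  # step end at which the queue first exceeded memory


def simulate_overload(device: str,
                      arrival_pps: int = 200,
                      service_pps: int = 100,
                      queue_capacity: int = 100,
                      duration_s: float = 1.5,
                      step_s: float = 0.5) -> OverloadResult:
    if device not in DEVICES:
        raise ValueError(f"unknown device {device!r}; expected one of {DEVICES}")
    steps = round(duration_s / step_s)
    arrivals = round(arrival_pps * step_s)   # packets arriving per step
    capacity = round(service_pps * step_s)   # packets inspectable per step

    processed = queued = overflow = 0
    first_overflow_s = None
    for i in range(1, steps + 1):
        # Arrivals and processing overlap within a step (assumption), so the
        # engine may inspect packets that arrived during the same step.
        available = queued + arrivals
        done = min(capacity, available)
        processed += done
        queued = available - done
        # Whatever does not fit in memory at the end of the step is lost to
        # the engine; what happens to it on the wire depends on the device.
        excess = max(0, queued - queue_capacity)
        if excess and first_overflow_s is None:
            first_overflow_s = i * step_s
        overflow += excess
        queued -= excess

    if device == "proxy-drop":
        return OverloadResult(processed, queued, overflow, 0, overflow, first_overflow_s)
    # sniffer and proxy-pass: the host receives packets the engine never saw
    return OverloadResult(processed, queued, overflow, overflow, 0, first_overflow_s)


def is_fail_open(device: str, **kwargs) -> bool:
    """True when overload lets uninspected traffic through to the host."""
    return simulate_overload(device, **kwargs).host_saw_uninspected > 0


if __name__ == "__main__":
    for d in DEVICES:
        print(d, simulate_overload(d))
```

Running it reproduces the post's figures (150 inspected, 50 over memory at the 1.5 s mark) and makes the asymmetry explicit: the only configuration in which overload keeps uninspected packets away from the host is the dropping proxy, while the sniffer has no say at all. The `overflow` counter is the number a monitoring setup wants to export and alarm on, since a sniffer that reports zero drops while the tap's own counters disagree is the symptom of exactly this condition.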
