Firewall Wizards mailing list archives

RE: Intrusion Detection


From: Gary Crumrine <gcrum () us-state gov>
Date: Thu, 19 Feb 1998 06:08:47 -0500

OK Tom, you have managed to poke holes in every product on the market...now 
how do you propose we fix the problems?  The need is definitely there, no 
one will argue that...so what is a guy/girl to do?  Are you suggesting that 
we go without anything?  That even with the limited functionality presented 
by these products, they should not be used at all?  I disagree. 
Anything that enhances the security of someone's system is welcome, and 
adds value.

Nothing is 100% safe.  A determined, knowledgeable group can take out 
anything.  I would think that any tool that does provide increased security 
is viable.  Do they work in all cases?  Nope.  Do they offer false 
security?  Only to the unknowing.  I think the IDS products we see on the 
market today represent where the firewall industry was a few years ago. 
Look where that is now: a multi-billion dollar industry, and they still can 
not say that you are 100% safe.  With the advent of the network appliance 
products coming to market these days, the death knell is sounding.

You are right in that some IDS advertisements do stretch the limit a bit, 
but no more than the claims by the firewall vendors.  Pricing seems to 
indicate that they feel the products are right up there with firewalls.  I 
believe in this so much that I think you will see a big push as LEADING 
firewall technology companies begin to incorporate this functionality 
in their products as a way of marketing them.

The bottom line is that whatever you are talking about, be it firewall 
technology, IDS systems, OSs, whatever, it comes down to the person who 
is configuring the beast and whether they exercise due diligence in their 
work.  These IDS products are nothing more than a tool to be used in a 
total threat management program.  If you got the bucks to spend, I think 
the return on the investment is good.

Thanks for the input

My, this thread just keeps going and going...I can't remember when we had 
such a long and intelligent discussion on a given subject without 
everything evolving into a mud-slinging contest.  Way to go people!!!

-----Original Message-----
From:   tqbf () secnet com [SMTP:tqbf () secnet com]
Sent:   Wednesday, February 18, 1998 1:17 PM
To:     firewall-wizards () nfr net
Subject:        Re: Intrusion Detection


> It was not until the SNI paper that some light was shed into the basic
> design flaws and vulnerabilities of network IDS's.

Actually, Vern Paxson's "Bro" paper (presented at Usenix, you can
download at http://ftp.ee.lbl.gov/pspers/bro-usenix98-revised.ps.Z)
beat us to the punch. For people more interested in how one could work
around the IDS problems we discovered, Paxson's paper is more valuable
than ours. Certainly both are well worth reading. =)

> Before it every IDS vendor would claim their software was not vulnerable.

It would appear that you are not aware of what the vendors are claiming
right now. What I have seen change since the release of our paper is that
the vendors have invoked the all-powerful "nothing is 100% secure" clause,
and ignored our work entirely (although I assume there are bugfixes
planned at some time in the near future).

> How can one recommend a product over another without having such
> information?

The magazines seem to get by fine with little or no knowledge of what it
is they're evaluating. The easiest and most effective (for a magazine) way
to evaluate security products is to rank them in order of advertising
dollars spent.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"