IDS mailing list archives
Re: Changes in IDS Companies?
From: "Dominique Brezinski" <dom () decru com>
Date: Wed, 13 Nov 2002 11:36:09 -0800
Gary, you missed my point (and I was not entirely clear about it in the first place). I totally support the concept of analyzing network traffic to detect things out of whack, suspicious, or downright naughty, but that is totally different than having a system, which uses imperfect signatures on a fundamentally bad data source analyzed on a system dropping packets, implement your *defense* mechanism. I won't repeat my philosophical take on the subject (you can read it in the message I sent last week if you care), but my point is that there are better places to spend our research time and money for building defenses for our systems than network-based IPS/GIDS with response.

Given that, right now security looks like battlefield medicine: you do what you can until you can do the right thing. Using in-line NIDS with response mechanisms is like using a butterfly closure on a 6" laceration... eventually it needs real stitches.

I understand the constraints of doing security in real large-scale operational environments. I worked for a company whose business depended on the security of 80+ Internet-exposed Alpha boxes running Digital Unix and that many more Suns. 64-bit Digital Unix did not make it easy or possible to cost-effectively deploy the host-based protections we wanted, so our only option at the time was to do more network monitoring. However, we still managed to keep the software configurations on the machines controlled, the functionality tight, and for that the standard NIDS and their signature databases were useless to us. If we knew about a vulnerability, we found a way to fix it on the host. The network monitoring provided insight into recon, DDoS, and suspicious activity. All said and done, this strategy effectively protected one of the largest Internet sites.

As I have said before, in the trenches you do whatever is cost-effective and meets your needs, but that doesn't mean what you do is actually any good :/

Dom

----- Original Message -----
From: "Gary Golomb" <gee_two () yahoo com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, November 12, 2002 6:03 PM
Subject: Re: Changes in IDS Companies?
For a smart-ass response, see below....

-----Original Message-----
From: Dominique Brezinski [mailto:dom () decru com]
Sent: Tuesday, November 12, 2002 5:29 PM
To: detmar.liesen () lds nrw de; focus-ids () securityfocus com
Subject: Re: Changes in IDS Companies?

> For a smart-ass response, see below....
>
> ----- Original Message -----
> From: <detmar.liesen () lds nrw de>
> To: <focus-ids () securityfocus com>
> Sent: Monday, November 11, 2002 11:40 PM
> Subject: AW: Changes in IDS Companies?
>
> <snip>
>
>> I don't have enough practical experience to tell if the following idea
>> is good, but I suggest using a GIDS as a protecting device with just the
>> most important signatures that are known to reliably detect/block those
>> attacks we fear most:
>> - worms
>> - trojans/backdoors
>> - well-known exploits
>
> I hate to state the obvious, but if we know enough about these threats
> to write a signature to detect them, then we know enough to re-configure
> our systems to be immune to them. Having a GIDS protect against such
> things just leads to a false sense of security.
>
>> Additionally, NIPS vendors should always maintain a list of those most
>> common and most dangerous attacks that also gives information about
>> known false-positives for these signatures.
>
> Yeah, so we can patch or re-configure our systems to be immune to
> vulnerabilities and not use their products ;>
>
> On a good day signature-based NIDS cost organizations money to run for
> no actionable return.... On a bad day they leave the organization
> feeling secure when they are not.

I hate to state the obvious, but patching and reconfiguring every system at the whim of the worm/exploit/vulnerability du jour in a multi-thousand node environment is not really THAT easy. Heck, I'd challenge the idea that it's even possible in the first place. In fact, let's not kid ourselves; this is not just a problem for multi-thousand node environments...

So on a good day, signature-based (or methodology-"X" based) IDSs give us the visibility into activity that we really don't have a better way to identify - that is, things that are not "good," "bad," "true," or "false"... It's visibility into things that are "suspicious." Should that make anyone feel "secure?" I don't think so. I think "aware" is a better choice of words, but this isn't a discussion about semantics... It's the whole point of IDS that people seem to be forgetting, or like me just getting confused as hell by all the propaganda from the marketing machines of the security industry. The point of IDS is not to replace firewalls or integrate/morph into "application based proxy router 5 speed blenders." They sit out-of-band and just watch all the network activity they can, and in doing so you are afforded a luxury that no other security technology can provide (i.e., the ones that actually "secure" your network). They give you the flexibility to say "this *might* not be legitimate activity. If it is, that's ok because we're out-of-band and simply triggering an alert is not going to break anything. If it isn't, well, here is more information for dealing with the event." It's a passive tool used for automated log parsing and auditing existing protective security mechanisms because when you're out-of-band like that, you're allowed to take liberties those other in-line methods cannot - nothing more.

Can you integrate methodologies born from ID research into other products? Of course, which if I was paying attention correctly were the early points of this thread.

And are fully patched and perfectly configured networks a better solution? Sure. I think you were privy to situations recently where fully patched and up-to-date "secure" systems weren't immune to being remotely compromised because - specifically - of the "secure" encryption services running on them. Of course, in this case having a [signature-based (or methodology-"X" based)] IDS that could alert you to a "no job control" error on the wire in presumably encrypted traffic would have been decent. At least, it worked in the cases I saw, but it could just be perspective. IDS is what you make of it.
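Gary's closing example, an IDS that alerts on a "no job control" error seen on the wire in traffic that should have been encrypted, is a concrete instance of the out-of-band, alert-only role he argues for: the sensor never touches the packets, so a false positive costs an analyst's time rather than a broken connection. The following is an added example, not code from either poster or from any product discussed in the thread. It is a passive inspector that flags cleartext shell output on ports that are supposed to carry ciphertext, first by the substring signature Gary mentions and then, going beyond the post, by a printable-ratio/entropy heuristic for readable text in general. The port table, the indicator strings other than "no job control", the thresholds and the sample segments are all assumptions constructed for the example.

```python
"""Out-of-band check for cleartext shell output on ports that should carry
only ciphertext. Added example; the port table, thresholds, indicator
strings and sample traffic are assumptions, not anything from the thread."""
import math
from dataclasses import dataclass
from typing import List, Optional

# Ports whose post-handshake bytes are expected to be ciphertext
# (assumption: a site-specific table, extend for other encrypted services).
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}

# Cleartext fragments that have no business inside an encrypted session.
# "no job control in this shell" is what a Bourne-style shell prints when
# it is spawned without a controlling terminal, e.g. by an exploit; the
# other two are assumed post-exploitation chatter added for the example.
SHELL_INDICATORS = (
    b"no job control in this shell",
    b"uid=0(root)",
    b"command not found",
)

# Heuristic thresholds (assumptions): ciphertext has ~8 bits/byte of entropy
# and few printable bytes; English text sits near 4-5 bits/byte and is
# almost entirely printable.
MIN_PAYLOAD = 64
MAX_TEXT_ENTROPY = 5.5
MIN_PRINTABLE_RATIO = 0.9


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    severity: str  # "high" for a signature hit, "medium" for the heuristic
    reason: str
    segment: Segment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    text_bytes = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text_bytes / len(data)


def looks_like_handshake(service: str, payload: bytes) -> bool:
    """Handshake bytes are legitimately cleartext and must not trigger."""
    if service == "ssh":
        return payload.startswith(b"SSH-")  # SSH identification string
    if service == "https":
        # TLS record header: content type 0x14-0x17, major version byte 0x03
        return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03
    return False


def inspect(segment: Segment) -> Optional[Alert]:
    """Return an Alert for a suspicious segment, or None. The function only
    observes; it never modifies or drops traffic, which is the point of
    running out-of-band."""
    service = ENCRYPTED_PORTS.get(segment.dport)
    if service is None or looks_like_handshake(service, segment.payload):
        return None
    payload = segment.payload
    for marker in SHELL_INDICATORS:
        if marker in payload:
            return Alert("high", f"cleartext shell indicator {marker!r} on {service}", segment)
    if len(payload) >= MIN_PAYLOAD:
        entropy = shannon_entropy(payload)
        if printable_ratio(payload) >= MIN_PRINTABLE_RATIO and entropy <= MAX_TEXT_ENTROPY:
            return Alert("medium", f"readable text on {service} port ({entropy:.1f} bits/byte)", segment)
    return None


def scan(segments: List[Segment]) -> List[Alert]:
    """Run inspect() over a batch of segments and collect the alerts."""
    return [a for a in (inspect(s) for s in segments) if a is not None]


# Constructed sample traffic (not a real capture).
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.1", 22, b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    Segment("10.0.0.5", "10.0.0.1", 443, bytes(range(256))),  # stand-in for ciphertext
    Segment("10.0.0.1", "10.0.0.5", 22, b"sh: no job control in this shell\nsh-2.05# "),
    Segment("10.0.0.1", "10.0.0.5", 443, b"The quick brown fox jumps over the lazy dog. " * 2),
    Segment("10.0.0.5", "10.0.0.1", 80, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_SEGMENTS):
        s = alert.segment
        print(f"[{alert.severity}] {s.src} -> {s.dst}:{s.dport}: {alert.reason}")
```

On the sample traffic the SSH banner and the TLS-port ciphertext stand-in pass silently, the shell banner on port 22 raises a high-severity alert on the signature, and the readable text on port 443 raises a medium-severity alert from the heuristic alone. The heuristic is deliberately loose (no key exchange parsing, fixed thresholds) because, as the post argues, an alert-only sensor can afford that; the same rule in an in-line blocking device would need far more care before it could be trusted not to cut legitimate sessions.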