IDS mailing list archives
Re: Changes in IDS Companies?
From: Aaron Turner <aturner () pobox com>
Date: Wed, 23 Oct 2002 12:10:44 -0700
On Wed, Oct 23, 2002 at 01:45:57PM -0400, Rob Shein wrote:
> (All snips are the quotes by Martin Roesch.) Aaron Turner wrote: <snip>
<snip my earlier comment>
> Ok, here's problem #1. It sounds like you're saying, "IDS technology works well enough, and is part of this/DoS isn't that much of an issue."
I'm not actually sure what you're saying there. I hope you don't think I'm saying that DoS attacks aren't an issue for NIPS (or any network device for that matter).
> The two don't work together. Everyone on this list knows (I hope) how much easier it is to DoS an IDS than it is to do the same to a firewall. Furthermore, this totally fails to address Marty's excellent point of "what if" with regards to such a scenario.
We can say "what if" about everything and anything. Pointing out that IDS technology has these same problems doesn't help anyone. I fully expect someone evaluating any IDS based technology to be asking the vendor questions about how they deal with various kinds of attacks and their limits. The one thing I am certain of is that as time goes on, they'll get better, just like every other network security device has.
> <snip>
<snip my comments about Hogwash>
> It would fail to find an attack that Snort fails to find.
If by "It" you mean Hogwash, then why? If not, then what are you talking about, and why?
> And there always will be such attacks, furthermore. Conversely, HIDS has a much easier time seeing a sudden change to a file that is not supposed to change, and thus the argument for layers.
Oh, don't get me wrong... I'm all for defense in depth. And while I agree that HIDS has some technological advantages over network based IDS, it also has serious management and cost disadvantages over them as well. I also think that network based IDS will close the security gap a lot faster than HIDS will the management gap. Cost will probably stay about the same. Basically, organizations will run network based IDS everywhere and HIDS only on a few critical systems. And I think most IDS companies realize this, which is why everyone hypes their NIDS/NIPS and seems to be putting a lot of $$$ into that technology and less so their HIDS. (I could be wrong about this one, it's just a gut feeling, I haven't done any studies or anything like that.)
<snip comments about HA NIPS>
> Uh, if one firewall is unstable because its technology is immature, how is adding the complexity of clustering going to improve the situation?
That's why companies built hardware load balancers. Dedicated devices which are now extremely well tested and remove most of the complexity from the device actually being load balanced. And I don't think anyone will disagree that the technology overall will stabilize and improve.
> I don't remember people doing such things back when firewalls "weren't there" yet...I remember them either implementing less effective ones in the name of uptime, or passing on them altogether.
I guess that depends on who you talked to and what their security requirements were. My experience was that effective firewalls were considered a requirement for doing business and while downtime caused by them was highly frowned on, it was better than the alternative (being broken into).
> > <snip> I think this political battle is going away. Companies are realizing that a firewall isn't enough. NIDS are great, but they don't solve the basic problem of, "Now that I've been rooted now I've got to pull people from their current projects to rebuild the servers." Since NIPS takes a pro-active rather than reactive methodology, it solves for this problem like no other (at least current) solution can.
> No, NIPS _could_ solve this problem like no current solution can. It's not there yet. And still...what about the attack it doesn't know how to see yet?
Again, that "what if" argument. No vendor (that I know of) is claiming 100% detection or security. So why are you worrying about things they don't promise? Secondly, we all know that the *majority* of attacks aren't some new, super-elite, secret exploit, but rather attacks that have been well known for some time. If it takes care of the majority of attacks, and lets the security group handle the few esoteric ones that get by, then it's probably money well spent.
> > HIDS/HIPS is a *lot* more work to maintain than AV. Nobody tunes their AV solution, but people spend a lot of time tuning their *IDS solution, and frankly, most of the management tools so far suck. Compare Checkpoint's 3 tier management solution to the IDS solutions out there and you'll understand what I mean. And again, put a few load balancers around it (even use your existing firewall L/B's) or install something like StoneBeat and the failure issue becomes moot.
> Again, HA is not something you can just slap on to an immature and unstable technology to make it better. And once upon a time, AV used to be a total nightmare in the enterprise. It matured, just as HIDS has been doing.
I'm sure it is maturing, but honestly I just see it getting more and more complex rather than easier to use. Organizations can afford to deploy a network IDS/IDP sensor (or HA cluster) for a whole network, even if it's difficult to manage, because there are relatively few devices. You can't say the same for HIDS. Hopefully it will get a lot better so people will seriously consider using them. I just don't see it happening soon (next 12-18 months).
<snip my comments on dropping traffic/accuracy>
> The problem is not with accuracy, but with ambiguity. Normal traffic is not the white-picket-fence model of conformity it needs to be to be able to draw black and white distinctions between "good" and "bad" traffic in a totally reliable way. Furthermore, "bad" traffic can differ only slightly from "good" traffic, the only difference being a distinction that is not visible on the wire, and the attack can only be detected after it passes. A SYN flood looks a hell of a lot like a packet capture of www.cnn.com every time a major news event breaks. You have to wait until you get/don't get SYN/ACKs back to know for sure (unless you've managed to install one of your sensors on the attacking network). Increased usage of IPSEC encryption will mean increased fragmentation as packets are decrypted. And there are many other situations, some of which have probably not even been thought of yet. This is just being addressed now, in the IDS space...do you really want to let it control the nature of traffic on your network so soon?
There are different kinds of "ambiguous traffic". Your example of a Syn is one, but in reality that's pretty easy to fix: just about every firewall nowadays prevents Syn floods, and these same methods can be used in an NIPS. Heck, NIPS doesn't even need it if your firewall does it already. The harder things are like IP fragmentation with overlapping fragments. Different OS's will defrag them differently, which may or may not then have an attack (depending on how you do the defrag). Three key issues with this one:
1) A traditional NIDS can neither find the attack (too computationally difficult to do in real time for all the different IP stacks) nor do anything about it. The most it can do is alert that it found some overlapping fragments.
2) A HIDS/HIPS can detect the attack in the fragments and prevent it, but only on the host it's installed on. Furthermore, it can't protect other devices (terminal servers, routers, non-supported OS's, etc).
3) A NIPS (which by my definition must be inline) can detect the ambiguity and prevent it. You however are gambling that the overlapping fragments are indicative of an attack. Generally speaking that's a gamble I'm willing to take.
My personal feeling is that on cost/benefit the NIPS wins this one. YMMV. Lastly, the way I see the NIPS market going, administrators will be given the choice to exactly specify when and where to drop packets. This will help reduce the risk based upon each organization's needs.
> I have to agree 100% with Marty, and say this: "Yes, it's promising. Yes, it's in demand. Yes, it's worth pursuing, whether for innate value or because the market wants it. But it's not as good as most IPS vendors are claiming yet, period."
Most vendors aren't even doing inline right now (mostly firewall/router notification) which I'd agree doesn't meet their claims, not by a long shot. The few vendors that are doing inline are getting there (I don't see anyone there yet), and network based IDS technology seems to be maturing faster than firewalls did in general.

--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
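The overlapping-fragment point in the message above (different stacks reassemble overlapping fragments differently, and an inline NIPS can act on the ambiguity rather than just alert on it) is easier to see with a small model. The following is an added example and is not code from the thread or from any product discussed in it. It assumes a simplified fragment model (byte offsets and payload only, no IP header, no 8-byte offset units) and two illustrative reassembly policies, "first" (an already-received byte is never overwritten) and "last" (a later fragment overwrites). The sample fragment sets are constructed. The verdict function makes the distinction the message is gambling on explicit: a consistent overlap (e.g. a retransmitted fragment whose bytes agree) is only worth an alert, while an overlap where the policies disagree is the genuinely ambiguous case a drop policy targets.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    """One IP fragment reduced to a byte offset and payload (constructed model)."""
    offset: int
    data: bytes


def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble fragments in arrival order under one policy.

    policy == "first": a byte already received is never overwritten.
    policy == "last":  a later fragment overwrites earlier bytes.
    Returns None if the fragments leave a hole (incomplete datagram).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    total = max(buf) + 1
    if any(pos not in buf for pos in range(total)):
        return None
    return bytes(buf[pos] for pos in range(total))


def analyse(frags: List[Fragment]) -> dict:
    """Report whether fragments overlap and whether the two policies disagree."""
    covered: Dict[int, int] = {}
    overlap = False
    for frag in frags:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in covered:
                overlap = True
            else:
                covered[pos] = byte
    first = reassemble(frags, "first")
    last = reassemble(frags, "last")
    return {
        "overlap": overlap,
        "ambiguous": first != last,   # stacks would see different payloads
        "first_policy": first,
        "last_policy": last,
    }


def verdict(frags: List[Fragment]) -> str:
    """Inline decision: drop only when reassembly is genuinely ambiguous."""
    report = analyse(frags)
    if report["ambiguous"]:
        return "drop"      # the payload a host sees depends on its stack
    if report["overlap"]:
        return "alert"     # overlap, but every policy yields the same bytes
    return "pass"


# Constructed sample fragment sets (arrival order matters).
BENIGN = [Fragment(0, b"GET /ind"), Fragment(8, b"ex.html ")]
RETRANSMIT = BENIGN + [Fragment(8, b"ex.html ")]          # duplicate, same bytes
AMBIGUOUS = BENIGN + [Fragment(4, b"/cgi-bin")]           # overlap, different bytes

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("retransmit", RETRANSMIT), ("ambiguous", AMBIGUOUS)):
        r = analyse(frags)
        print(f"{name:10s} verdict={verdict(frags):5s} first={r['first_policy']!r} last={r['last_policy']!r}")
```

Running the block shows the ambiguous set reassembling to `GET /index.html ` under the "first" policy and `GET /cgi-bintml ` under "last": a sensor that picks one policy and moves on is guaranteed to model some hosts wrongly, which is the message's argument for acting on the ambiguity inline rather than guessing.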