IDS mailing list archives

RE: Alarm response strategies


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 26 Jul 2004 20:27:23 -0400

I completely agree that you can have reactive systems.  With regard to how
this differs from an IPS, however, look at my post to the thread titled "IPS
Futures".  An IPS is significantly different from an IDS with active
response enabled, and I feel a lot more comfortable with how they behave.
But be mindful that even these are largely nascent technologies that even
now can be a headache.  And I'm not sure quite what your point was about the
firewall...

As for "smart reactive system," define "smart."  Obviously things can be set
up incorrectly, but what's the other end of the spectrum?  As far as a true
IDS, I can't recall one that I've worked with that I would trust with that
capability as of yet.  What I do see happening is for IPS and IDS to
converge to some degree, so that we can have the larger alert capability of
an IDS combined with the proactive (couldn't think of a better word to
offset reactive...just plain active, perhaps?) capability of an inline IPS.
This would give variable options for reacting to various types of attacks,
as well as more flexibility to configure the overall system to meet one's
needs.

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Monday, July 26, 2004 6:51 PM
To: Rob Shein
Cc: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Alarm response strategies


On Sun, 2004-07-25 at 20:35, Rob Shein wrote:
Given the fact that IDS are prone to false alarms (and easy to make trigger
with spoofed traffic), it's the general consensus that active responses are a
bad idea.  For example, if I were to start scanning your network, and find
myself suddenly blocked at the router or firewall, I would then spoof tons of
UDP traffic from DNS servers that I believed you might use.  Your firewall
would then block traffic from them, and bingo, I've just shut down your
ability to resolve things.


How does the inline-type IDS differ then? Or are you under 
the impression that your spoofed traffic gets blocked both 
ways? Why shouldn't a system be able to block unsolicited 
inbound packets, but let traffic that initiated from the 
inside out through without blocking it? (Oh wait... that's a 
normal stateful firewall then, right?)

My point is, you can have reactive systems. They just have to 
be implemented in a smart fashion so that silly "default 
attack scenarios" don't create the DoS of the older days 
reactive systems. 

Once you have a smart reactive system, it will behave like 
the inline IPS. Except that it is reactive (doesn't block 
first packet). But the advantage is that you can react from 
more than one traffic monitoring point. With inline devices 
you are limited to that one choke point. Reactive devices can 
be triggered by sensors from all over your network.

That should be the main differentiator between those systems, 
not the intelligence (or lack of) behind it.

Regards,
Frank
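The difference the two posters are arguing about, as an added illustration that is not part of the thread: a response engine that blocks everything from an alerted source versus one that keeps a flow table and only drops unsolicited inbound packets. The addresses, ports and the packet model are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = toward the protected network, "out" = leaving it

class NaiveReactiveBlocker:
    """'Older days' active response: once an alert names a source, drop all of it."""
    def __init__(self):
        self.blocked = set()
    def alert(self, src):
        self.blocked.add(src)
    def allow(self, pkt):
        return pkt.src not in self.blocked

class StatefulReactiveBlocker:
    """Block only unsolicited inbound packets from an alerted source; replies to
    flows the inside initiated still pass, as a stateful firewall would do."""
    def __init__(self):
        self.blocked = set()
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
    def alert(self, src):
        self.blocked.add(src)
    def allow(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        solicited = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return solicited or pkt.src not in self.blocked

DNS = "198.51.100.53"  # constructed: a resolver the inside depends on
CLIENT = "10.0.0.5"    # constructed: an inside host

def run_scenario(blocker):
    # constructed: an unsolicited packet with a spoofed resolver source trips an alert
    spoofed = Packet(DNS, 53, CLIENT, 40000, "in")
    blocker.allow(spoofed)
    blocker.alert(DNS)
    # later, a genuine query from the inside and the resolver's reply
    blocker.allow(Packet(CLIENT, 51000, DNS, 53, "out"))
    reply_ok = blocker.allow(Packet(DNS, 53, CLIENT, 51000, "in"))
    unsolicited_ok = blocker.allow(spoofed)
    return {"reply_allowed": reply_ok, "unsolicited_allowed": unsolicited_ok}
```

With the naive blocker the resolver's reply is dropped and name resolution is gone; the stateful blocker still drops the unsolicited packet but lets the reply through.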
