IDS mailing list archives
RE: Alarm response strategies
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 26 Jul 2004 20:27:23 -0400
I completely agree that you can have reactive systems. With regard to how this differs from an IPS, however, look at my post to the thread titled "IPS Futures". An IPS is significantly different from an IDS with active response enabled, and I feel a lot more comfortable with how they behave. But be mindful that even these are largely nascent technologies that even now can be a headache. And I'm not sure quite what your point was about the firewall... As for "smart reactive system," define "smart." Obviously things can be set up incorrectly, but what's the other end of the spectrum? As far as a true IDS, I can't recall one that I've worked with that I would trust with that capability as of yet. What I do see happening is for IPS and IDS to converge to some degree, so that we can have the larger alert capability of an IDS combined with the proactive (couldn't think of a better word to offset reactive...just plain active, perhaps?) capability of an inline IPS. This would give variable options for reacting to various types of attacks, as well as more flexibility to configure the overall system to meet one's needs.
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Monday, July 26, 2004 6:51 PM
To: Rob Shein
Cc: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Alarm response strategies

On Sun, 2004-07-25 at 20:35, Rob Shein wrote:
> Given the fact that IDS are prone to false alarms (and easy to make trigger with spoofed traffic), it's the general consensus that active responses are a bad idea. For example, if I were to start scanning your network, and find myself suddenly blocked at the router or firewall, I would then spoof tons of UDP traffic from DNS servers that I believed you might use. Your firewall would then block traffic from them, and bingo, I've just shut down your ability to resolve things.

How does the inline-type IDS differ then? Or are you under the impression that your spoofed traffic gets blocked both ways? Why shouldn't a system be able to block unsolicited inbound packets, but let traffic that initiated from the inside out through without blocking it? (Oh wait... that's a normal stateful firewall then, right?)

My point is, you can have reactive systems. They just have to be implemented in a smart fashion so that silly "default attack scenarios" don't create the DoS of the older-day reactive systems. Once you have a smart reactive system, it will behave like the inline IPS. Except that it is reactive (doesn't block first packet). But the advantage is that you can react from more than one traffic monitoring point. With inline devices you are limited to that one choke point. Reactive devices can be triggered by sensors from all over your network. That should be the main differentiator between those systems, not the intelligence (or lack of) behind it.

Regards,
Frank
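A toy model of the "smart reactive system" Frank describes, added here as an example and not part of either poster's message: an active-response filter that only bans sources of unsolicited inbound packets, never interferes with replies to flows the inside initiated, and refuses to auto-block a protected list of resolvers, so Rob's spoofed-DNS scenario cannot turn the block list into a self-inflicted outage. The addresses, ports and the protected-resolver list are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when arriving from the untrusted side

@dataclass
class ReactiveFilter:
    protected: frozenset                        # never auto-blocked (e.g. resolvers)
    blocked: set = field(default_factory=set)   # sources banned by active response
    sessions: set = field(default_factory=set)  # flows initiated from inside

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        # The 5-tuple an inside host would have used to solicit this packet.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p, alert=False):
        """Return 'allow' or 'drop'. `alert` is the sensor's verdict on p."""
        if not p.inbound:
            self.sessions.add(self.key(p))        # remember what we asked for
            return "allow"
        if self.reverse_key(p) in self.sessions:
            return "allow"                        # reply to our own request
        if p.src in self.blocked:
            return "drop"
        if alert:
            if p.src not in self.protected:       # spoofable, so never ban resolvers
                self.blocked.add(p.src)
            return "drop"
        return "allow"

def simulate():
    """Replay Rob's scenario: a scan, then spoofed UDP 'from' the resolver."""
    fw = ReactiveFilter(protected=frozenset({"198.51.100.53"}))
    scan = Packet("tcp", "203.0.113.7", 40000, "192.0.2.10", 22, True)
    r1 = fw.handle(scan, alert=True)              # scanner gets blocked
    r2 = fw.handle(scan)                          # and stays blocked
    spoof = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 4444, True)
    r3 = fw.handle(spoof, alert=True)             # dropped, resolver NOT banned
    query = Packet("udp", "192.0.2.10", 50000, "198.51.100.53", 53, False)
    reply = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 50000, True)
    r4 = fw.handle(query)                         # inside-initiated lookup
    r5 = fw.handle(reply, alert=True)             # reply survives even if flagged
    return (r1, r2, r3, r4, r5), sorted(fw.blocked)
```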