RE: Alarm response strategies

[Frank Knobbe <frank () knobbe us>]

On Mon, 2004-07-26 at 19:27, Rob Shein wrote:
>  And I'm not sure quite what your point was about the
> firewall...

Detected IP's don't have to be blocked both ways. You could configure
your reactive IDS to only block inbound packets from that IP. That
leaves you able to send packets out to that IP. This in fact mitigates
your concern about spoofed DNS server becoming unreachable to you. In
essence, this is how a stateful firewall behaves. You don't allow
traffic in from an IP or to a service, but you can send traffic out to
that IP or service. That's what I meant with it becoming a firewall.

For example, someone attacks your web server. The reactive IDS can block
that attacker in such a way that only inbound packets/sessions are
blocked, and only to the web service port. You basically closed your
firewall rules that allows the world to connect to the web server, but
only for that attacker. No other changes are made and you can still ping
the attacker, browse his web site, send him email, etc.

> As for "smart reactive system," define "smart."  Obviously things can be set
> up incorrectly, but what's the other end of the spectrum?  

See above. Reactive systems are not about closing all communication on
all ports in both directions with a blanket rule. In all discussions I
have seen about reactive IDS's, it is assumed that the IDS blocks
everything completely. That's stupid. Why does it have to be that way?
It's certainly not a standard. Who made the assumption it plays out like
this?

No, the "smart" means that the reactive system is intelligent or
flexible so that the IDS can interact in different ways. A smart block
could only remove access to the web server port. An attack might still
be able to ping the host, see the SMTP banner, and be less inclined to
think that he got blocked by a reactive system (he'd probably think he
crashed the web service).

There is a lot of flexibility that "the public" has not experienced yet
because most reactive IDS systems do not offer this flexibility
(although the potential is there). That is probably due to the fact that
most development shops invest more time in researching inline IPS
technologies than non-inline technologies. There are, however, a few
shops that realize the potential. Imagine... being able to detect an
attacker on multiple monitoring points, perhaps even every network
segment, and then shun that person on every firewall, choke point, and
soon switch/hub/router on your network. That's an impressive capability,
having all network components reacting to an intrusion, squashing worms
and viruses and hackers alike. And it's reactive.

So it won't be your "firewall" (or IPS) that reacts to bad traffic, but
your "network". The whole infrastructure will react. Sounds futuristic?
Not really. As mentioned by someone recently (and I thought on this
list), Enterasys is working on such a system where Dragon sensors can
talk to their switches. I'm not sure if Cisco is working on such a thing
too. There are also plans for Snort/Snortsam to interact with switches
and shut down ports when bad traffic is detected.

So, please don't dismiss reactive systems too quickly. Don't be fooled
by some implementation mistakes of yesterdays block-scripts. and don't
lump all reactive IDS's in the same category. There is some exciting
stuff happening, network-wide, that will soon become mainstream.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part