IDS mailing list archives
RE: Alarm response strategies
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 27 Jul 2004 13:38:51 -0500
On Mon, 2004-07-26 at 19:27, Rob Shein wrote:
And I'm not sure quite what your point was about the firewall...
Detected IP's don't have to be blocked both ways. You could configure your reactive IDS to only block inbound packets from that IP. That leaves you able to send packets out to that IP. This in fact mitigates your concern about spoofed DNS server becoming unreachable to you. In essence, this is how a stateful firewall behaves. You don't allow traffic in from an IP or to a service, but you can send traffic out to that IP or service. That's what I meant with it becoming a firewall. For example, someone attacks your web server. The reactive IDS can block that attacker in such a way that only inbound packets/sessions are blocked, and only to the web service port. You basically closed your firewall rules that allows the world to connect to the web server, but only for that attacker. No other changes are made and you can still ping the attacker, browse his web site, send him email, etc.
As for "smart reactive system," define "smart." Obviously things can be set up incorrectly, but what's the other end of the spectrum?
See above. Reactive systems are not about closing all communication on all ports in both directions with a blanket rule. In all discussions I have seen about reactive IDS's, it is assumed that the IDS blocks everything completely. That's stupid. Why does it have to be that way? It's certainly not a standard. Who made the assumption it plays out like this? No, the "smart" means that the reactive system is intelligent or flexible so that the IDS can interact in different ways. A smart block could only remove access to the web server port. An attack might still be able to ping the host, see the SMTP banner, and be less inclined to think that he got blocked by a reactive system (he'd probably think he crashed the web service). There is a lot of flexibility that "the public" has not experienced yet because most reactive IDS systems do not offer this flexibility (although the potential is there). That is probably due to the fact that most development shops invest more time in researching inline IPS technologies than non-inline technologies. There are, however, a few shops that realize the potential. Imagine... being able to detect an attacker on multiple monitoring points, perhaps even every network segment, and then shun that person on every firewall, choke point, and soon switch/hub/router on your network. That's an impressive capability, having all network components reacting to an intrusion, squashing worms and viruses and hackers alike. And it's reactive. So it won't be your "firewall" (or IPS) that reacts to bad traffic, but your "network". The whole infrastructure will react. Sounds futuristic? Not really. As mentioned by someone recently (and I thought on this list), Enterasys is working on such a system where Dragon sensors can talk to their switches. I'm not sure if Cisco is working on such a thing too. There are also plans for Snort/Snortsam to interact with switches and shut down ports when bad traffic is detected. So, please don't dismiss reactive systems too quickly. Don't be fooled by some implementation mistakes of yesterdays block-scripts. and don't lump all reactive IDS's in the same category. There is some exciting stuff happening, network-wide, that will soon become mainstream. Cheers, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Alarm response strategies (infor) urko zurutuza (Jul 25)
- RE: Alarm response strategies Rob Shein (Jul 26)
- Re: Alarm response strategies David W. Goodrum (Jul 27)
- Re: Alarm response strategies Tony Carter (Jul 27)
- RE: Alarm response strategies Frank Knobbe (Jul 27)
- RE: Alarm response strategies Rob Shein (Jul 27)
- Re: Alarm response strategies David W. Goodrum (Jul 28)
- RE: Alarm response strategies Frank Knobbe (Jul 28)
- RE: Alarm response strategies Rob Shein (Jul 26)
- <Possible follow-ups>
- RE: Alarm response strategies Joshua Berry (Jul 27)
- RE: Alarm response strategies Richard Bejtlich (Jul 28)
- RE: Alarm response strategies Joshua Berry (Jul 28)