IDS mailing list archives

Re: NADS ( was RE: IPS comparison)


From: Iván Arce <ivan.arce () coresecurity com>
Date: Wed, 31 Aug 2005 16:48:12 -0300



Joseph Hamm wrote:
Hassan,

You make some good points, but I'd like the opportunity to clear up a
few things about my NADS:


IMHO comparing pure play behavior detection to IPS is like comparing
apples and oranges.

Not necessarily. Technology-wise it is indeed, but to the end users
(your and other vendors' customers, I presume) it may be quite relevant.
I assume that they want to solve their security problems and they are
not necessarily stuck on any given technology for doing so.


I couldn't agree more.  I spoke up because Stefano brought up the topic
of anomaly detection. One thing that does bother me is how IPS has been
painted as a "magic bullet" by vendors (and even the press).  IPS works
great at the perimeter or other "choke points" in the network.  However,
in speaking with customers, it is too costly to deploy in a scenario
that can give you adequate network visibility or proper blocking
capabilities inside your organization.  It should remain a perimeter
solution, placed in a strategic location to protect key assets (example
would be a group of critical servers), or perhaps one day merged into
your network infrastructure (perhaps the future as painted by
Tippingpoint and 3com).

This completely rules out host-based IPS or any other endpoint security
mechanism, which IMHO is sub-optimal for any serious security
infrastructure initiative.

Regarding deployment of network devices that implement security controls
(firewalls, NIDS, NIPS, content-filters/proxies, etc.) my thinking is that
they can't see what a network device can't see: what is going on at the
OS/application level on the servers and workstations.
Hence any security solution based solely on network appliances is
partial and incomplete.

exported from your routers/switches).  You essentially turn all of your
routers and switches into security probes so you don't have to deploy
(purchase and maintain) a box everywhere you want coverage.  Many folks

Although this may sound compelling from a budgetary point of view it is
also dangerous. That does not mean you should not do it, only that one
should understand the risks of such a strategy, its weaknesses and benefits.

What you are doing, basically, is to turn some asset that was not
designed to be a security device into a key component of your security
infrastructure. This is reminiscent of the long gone but never quite dead
VLAN-as-an-effective-security-compartmentalization and
NAT-as-an-effective-security-mechanism discussions that are
periodically reborn.

On the other hand, NADS can have full network visibility, understand
what is normal activity for hosts, alarm the administrator, and even

That is a far reaching statement that I thought no one would make these
days. I guess at this stage the post starts to diverge towards a pitch
for NADS as the true "magic bullet" that you mention being attributed to
IPS these days.

I posit here that a NADS (or NIPS) cannot *understand* what is going on
at the host level, what is running or what and why exactly it is
generating the network traffic the NADS picks up. It can observe the
network traffic of hosts as if they were little more than black boxes
and apply those observations to a given -predefined- model (in the case
of pure NADS), to a set of predefined triggers (in the case of pure
signature-matching NIDS) or a combination of both (likely most of
current commercial solutions).

...
A great example of this would be saving the administrator the time of
sorting through 1000 RPC buffer overflow alarms generated by his IDS
because his servers were not vulnerable and experienced no behavioral
change after the attack.  However, the administrator would be presented
the one RPC buffer overflow that correlated to a host that went outside

There are other, simpler and cheaper ways to do this that do not imply
deploying NADS or NIDS. I will not elaborate on them because it would
look like an ad for our own stuff :)

of its normal behavior and started scanning other hosts, connected to a
remote server on some random port, etc.

In your example this would be true in as much as the NADS can actually
see the compromised host generating traffic to other hosts in the
internal network and as far as that traffic is significantly different
from the "normal" traffic and/or the NADS perception of what is normal
does not change. A large number of attacks (and especially internal
attacks) can be easily obscured to prevent this.

To generalize further I would say that a NADS will not detect any attack
that does not differ significantly from what it perceives as normal (be
it learned or predefined behavior) and in particular it will be crippled
when coping with covert channels.

considered somewhat like a signature.  For example, I don't have to have
a baseline of a host to know that aggressive scanning on port 445 is
bad, port 80 traffic that is not valid http is bad, etc.


Yes, but valid http traffic (I assume this to mean "well-formed" as you
can't tell what is really valid and what not if you don't know the
application-layer logic that generates the http traffic) is not
necessarily good either. What about non-aggressive scanning of port 445?

In any case, my point is that NADS, as any other specific security
technology, is faulty and can be fooled rather easily; only a
well-thought combination of existing technologies can provide effective
security. Such a combination should be thought of as the necessary way to
complement individual technologies and cover each other's weak spots at
an optimum cost for a given level of risk that you are willing to accept.
I realize that this is a quite generic statement but I am willing to
elaborate on it if it's of interest to the list or out-of-band if it's not.


-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
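The alert-triage idea discussed in the message above (surfacing only the RPC overflow alert whose target host then stepped outside its normal behavior) as an added example that is not part of the original post or any vendor's product. The flow records, alert records, the 10-minute window and the threshold of three novel endpoints are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the original post). Timestamps are
# seconds; flows are (ts, src_host, dst_host, dst_port); alerts are
# (ts, target_host, signature) as a signature NIDS would emit them.
T0 = 1000
FLOWS = [
    # baseline period: each server only talks to the database and DNS
    (T0 - 600, "srv1", "db1", 3306), (T0 - 500, "srv1", "dns1", 53),
    (T0 - 600, "srv2", "db1", 3306), (T0 - 500, "srv2", "dns1", 53),
    (T0 - 600, "srv3", "db1", 3306), (T0 - 500, "srv3", "dns1", 53),
    # after the alerts, srv1 and srv2 stay inside their baseline
    (T0 + 60, "srv1", "db1", 3306), (T0 + 90, "srv2", "dns1", 53),
    # srv3 deviates: sweeps port 445 on peers, then reaches a remote
    # host on an unusual port (203.0.113.9 is a documentation address)
    (T0 + 30, "srv3", "ws1", 445), (T0 + 31, "srv3", "ws2", 445),
    (T0 + 32, "srv3", "ws3", 445), (T0 + 33, "srv3", "ws4", 445),
    (T0 + 120, "srv3", "203.0.113.9", 31337),
]
ALERTS = [(T0, h, "RPC buffer overflow") for h in ("srv1", "srv2", "srv3")]


def baseline(flows, before):
    """Per-host set of (dst_host, dst_port) pairs seen before `before`."""
    seen = defaultdict(set)
    for ts, src, dst, port in flows:
        if ts < before:
            seen[src].add((dst, port))
    return seen


def novel_endpoints(flows, host, base, start, window):
    """(dst, port) pairs `host` contacted in [start, start+window]
    that are absent from its baseline."""
    known = base.get(host, set())
    return {(dst, port) for ts, src, dst, port in flows
            if src == host and start <= ts <= start + window
            and (dst, port) not in known}


def triage(alerts, flows, window=600, max_new=3):
    """Keep only alerts whose target host subsequently contacted more
    than `max_new` endpoints outside its pre-alert baseline (assumed
    threshold; tune it to the environment)."""
    kept = []
    for ts, host, sig in alerts:
        novel = novel_endpoints(flows, host, baseline(flows, ts), ts, window)
        if len(novel) > max_new:
            kept.append((host, sig, len(novel)))
    return kept


if __name__ == "__main__":
    print(triage(ALERTS, FLOWS))  # [('srv3', 'RPC buffer overflow', 5)]
```

A compromised host whose follow-on traffic stays inside its baseline (the covert-channel case raised in the message) produces no novel endpoints and is not surfaced, which is exactly the limitation the message describes.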

