IDS mailing list archives

RE: IDS evaluations procedures


From: "Nathan Davidson" <ndavidso () globix com>
Date: Fri, 22 Jul 2005 06:42:48 -0400

I agree that your average client still leans more towards business
availability than security. But a number of companies (esp. those who
have high value transaction rates or deal in a B2B or subscription
model) for example a payment gateway provider or betting website are
more interested in providing tight application security to their known
user base than reaching the last 3% of users running on god knows what
web browser. 

The reason I think online businesses will move towards deep layer 7
protection is because the threat of application penetration is becoming
non-targeted. For example the looming threat of a SQL-Injection worm:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci996075,00.html


If you take the evolution of DDoS over the last few years from SYN
flooding to valid traffic flooding as an example, you could argue that
worms will evolve from simple protocol/vulnerability abuse to complex
application exploits. 

If you don't have technology in place to actively proxy, analyse and
block traffic then you will be more likely to fall foul of such attacks.

I don't believe that there is a technology available today that offers
100% Intrusion Prevention but we should at least try to actively block
what appears to be abuse in the hope that we will thwart at least some
of these attacks. 

If you take the example of an IPS that offers rate based mitigation
(e.g. no more than 100 connections/minute for any source IP on the
Internet) it is normally designed to offer protection against resource
exhaustion attacks. It may however, block a sql-injection worm that is
iteratively trying to guess the name of a table space. A more accurate
way to stop this particular attack is to write a more secure website or
IPS filter/application firewall for a single quote ('), but you get the
idea. The more we define the behaviour of what is acceptable the more
likely we will be protected from unknown future attacks.

I know that a lot of people are sceptical about marketure claims for IPS
and Application firewalls (aka active traffic processing?) and would
prefer to stick with the less risky approach of IDS (active/passive
monitoring?) but I think despite the hype there is significant merit in
this technology.

Well that's my two cents anyhow.

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com] 
Sent: 21 July 2005 01:00
To: Nathan Davidson
Cc: Mike Frantzen; focus-ids () securityfocus com
Subject: Re: IDS evaluations procedures

On 7/18/05, Nathan Davidson <ndavidso () globix com> wrote:

With the advent of ever more tightly policed application standards
(see IPS,application firewalls, layer 7 proxies, etc) I suspect that
non-compliant browsers, tools and monitors will soon have to get their
act together or be left behind.


Hi Nathan,

That would be really helpful for security analysts, but it will not
happen.  Security is an afterthought or a "box to check" for most
businesses.  Anything that impedes profit will be turned off.  This is
part of the "surrender" that we security professionals delivered in
the mid-1990s to meet "business realities." [1]  In a world where
prevention fails, often all we have left is monitoring and response.

Sincerely,

Richard
http://www.taosecurity.com

[1]
http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-06/0032.html
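The rate-based mitigation Nathan describes (no more than 100 connections per minute from any one source IP) is easy to reason about with a small sliding-window limiter. The following is an added example written for this archive page; it is not code from either poster or from any IPS product, and the class, function and sample addresses are constructed for illustration. It runs two constructed sources through the limiter: a normal client that opens one connection every two seconds, and a worm-like source that opens 500 connections inside one minute, which is the pattern of something iteratively guessing table names.

```python
from collections import defaultdict, deque

# Policy from the post: at most LIMIT new connections per WINDOW seconds
# from any single source IP (assumed values, matching the example given).
LIMIT = 100
WINDOW = 60.0


class RateLimiter:
    """Sliding-window per-source connection limiter (hypothetical helper)."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        # source IP -> timestamps of connections still inside the window
        self._recent = defaultdict(deque)

    def allow(self, src, ts):
        """Return True if a connection from src at time ts is within policy."""
        q = self._recent[src]
        # Expire timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the per-source rate: would be blocked
        q.append(ts)
        return True


def evaluate(events, limit=LIMIT, window=WINDOW):
    """Replay (timestamp, src_ip) connection events in time order and
    return per-source counts of allowed and blocked connections."""
    limiter = RateLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, src in sorted(events):
        key = "allowed" if limiter.allow(src, ts) else "blocked"
        stats[src][key] += 1
    return dict(stats)


# Constructed sample traffic (documentation ranges, not real hosts):
# a normal client connecting every 2 s for 10 minutes (30 connections/min),
# and a burst source opening 500 connections within a single minute.
NORMAL = [(t * 2.0, "203.0.113.10") for t in range(300)]
BURST = [(t * 0.12, "198.51.100.7") for t in range(500)]

if __name__ == "__main__":
    for src, counts in evaluate(NORMAL + BURST).items():
        print(f"{src}: allowed={counts['allowed']} blocked={counts['blocked']}")
```

The normal client never holds more than 30 timestamps in its window and is never blocked; the burst source gets its first 100 connections through and the remaining 400 refused. That illustrates the point in the post: a control designed for resource exhaustion also trips on a noisy enumeration pattern, but only because the pattern happens to exceed the rate, not because the limiter understands SQL. A content-aware filter or a more careful application remains the precise fix.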

