IDS mailing list archives
RE: IDS evaluations procedures
From: "Nathan Davidson" <ndavidso () globix com>
Date: Fri, 22 Jul 2005 06:42:48 -0400
I agree that your average client still leans more towards business availability than security. But a number of companies (esp. those who have high value transaction rates or deal in a B2B or subscription model), for example a payment gateway provider or betting website, are more interested in providing tight application security to their known user base than reaching the last 3% of users running on god knows what web browser.

The reason I think online businesses will move towards deep layer 7 protection is because the threat of application penetration is becoming non-targeted. For example the looming threat of a SQL-Injection worm: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci996075,00.html

If you take the evolution of DDoS over the last few years from SYN flooding to valid traffic flooding as an example, you could argue that worms will evolve from simple protocol/vulnerability abuse to complex application exploits. If you don't have technology in place to actively proxy, analyse and block traffic then you will be more likely to fall foul of such attacks. I don't believe that there is a technology available today that offers 100% Intrusion Prevention, but we should at least try to actively block what appears to be abuse in the hope that we will thwart at least some of these attacks.

If you take the example of an IPS that offers rate based mitigation (e.g. no more than 100 connections/minute for any source IP on the Internet), it is normally designed to offer protection against resource exhaustion attacks. It may, however, block a SQL-injection worm that is iteratively trying to guess the name of a table space. A more accurate way to stop this particular attack is to write a more secure website or an IPS filter/application firewall for a single quote ('), but you get the idea. The more we define the behaviour of what is acceptable, the more likely we will be protected from unknown future attacks.
I know that a lot of people are sceptical about marketure claims for IPS and Application firewalls (aka active traffic processing?) and would prefer to stick with the less risky approach of IDS (active/passive monitoring?), but I think despite the hype there is significant merit in this technology. Well, that's my two cents anyhow.

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com]
Sent: 21 July 2005 01:00
To: Nathan Davidson
Cc: Mike Frantzen; focus-ids () securityfocus com
Subject: Re: IDS evaluations procedures

On 7/18/05, Nathan Davidson <ndavidso () globix com> wrote:
> With the advent of ever more tightly policed application standards
> (see IPS, application firewalls, layer 7 proxies, etc) I suspect that non-compliant browsers, tools and monitors will soon have to get their act together or be left behind.
Hi Nathan,

That would be really helpful for security analysts, but it will not happen. Security is an afterthought or a "box to check" for most businesses. Anything that impedes profit will be turned off. This is part of the "surrender" that we security professionals delivered in the mid-1990s to meet "business realities." [1] In a world where prevention fails, often all we have left is monitoring and response.

Sincerely,

Richard
http://www.taosecurity.com

[1] http://www.derkeiler.com/Mailing-Lists/Firewall-Wizards/2005-06/0032.html
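To make the comparison in Nathan's last paragraph concrete, here is an added Python example (not code from the post or from any product it mentions) that runs the post's two controls, a 100 connections/minute per-source-IP limiter and a single-quote filter on query values, over constructed traffic. The IP addresses, URLs and the worm's request pattern are assumptions made for the example.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qsl, urlsplit

RATE_LIMIT = 100        # connections per source IP per window (figure from the post)
WINDOW_SECONDS = 60
WORM_IP, USER_IP = "203.0.113.7", "198.51.100.9"   # constructed, documentation ranges


def rate_limited(events):
    """Sliding-window rate limiter (the IPS 'rate based mitigation' case).
    events: list of (t_seconds, src_ip, url). Returns the indices of events
    dropped because the source already had RATE_LIMIT connections in the window."""
    recent = defaultdict(deque)
    blocked = set()
    for i, (t, ip, _url) in enumerate(events):
        q = recent[ip]
        while q and t - q[0] >= WINDOW_SECONDS:
            q.popleft()                      # expire connections older than the window
        if len(q) >= RATE_LIMIT:
            blocked.add(i)                   # dropped connections are not counted
        else:
            q.append(t)
    return blocked


def quote_filter(url):
    """Layer-7 filter: reject a request if any URL-decoded query value holds a single quote."""
    return any("'" in value for _key, value in parse_qsl(urlsplit(url).query))


def sample_events():
    """Constructed traffic: a worm guessing table names with a quote-bearing payload
    (150 requests in 60 s) interleaved with a legitimate user whose surname has an apostrophe."""
    worm = [(i * 0.4, WORM_IP, f"/item?id=1%27--tbl_guess_{i:03d}") for i in range(150)]
    user = [(i * 10.0, USER_IP, "/search?name=O%27Brien" if i == 2 else f"/item?id={i}")
            for i in range(5)]
    return sorted(worm + user)


def evaluate(events):
    """Per source IP: how many requests each control blocks out of the total seen."""
    rate_blocked = rate_limited(events)
    quote_blocked = {i for i, (_t, _ip, url) in enumerate(events) if quote_filter(url)}
    report = {}
    for ip in sorted({e[1] for e in events}):
        idx = {i for i, e in enumerate(events) if e[1] == ip}
        report[ip] = {"total": len(idx), "rate_blocked": len(idx & rate_blocked),
                      "quote_blocked": len(idx & quote_blocked)}
    return report


if __name__ == "__main__":
    for ip, counts in evaluate(sample_events()).items():
        print(ip, counts)
```

The limiter only engages after the worm's 100th probe has already reached the application, while the crude quote filter stops every probe but also rejects the legitimate O'Brien search, which is the trade-off behind "but you get the idea".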