Re: How to choose an IDS/FW MSS provider

[Mark Teicher <mht3 () earthlink net>]

-----Original Message-----
From: Martin Roesch <roesch () sourcefire com>
Sent: Mar 15, 2005 10:00 AM
To: "David W. Goodrum" <dgoodrum () nfr com>
Cc: focus-ids () securityfocus com
Subject: Re: How to choose an IDS/FW MSS provider

A few comments:

1) Open "signatures" are about trust, if people have no idea why or how  
and IDS is doing what it's doing then when the false positives  
inevitably pop up the user has absolutely no clue what has happened.  I  
find that to be one of the most annoying things about using other  
people's IDS technologies, their opaqueness drives a constant nagging  
doubt that the system is configured and working properly.  IMO that's  
one of the reasons that Snort is as popular as it is, people know how  
and why it does what it does (for better or worse) and the transparency  
allows them a certain level of comfort that they're in control of and  
can trust the system instead of the other way around.

> > I tend to disagree on this, since there are more than ways to detect an exploit or how to discuss how and why things 
> > work when they do.  The transparency issue is mute if the product is well constructed and doesn't shake apart when 
> > folded, binded or crumpled.  There is a certain level of comfort that if something doesn't work right, one can work 
> > it on themselves, but if can compare this if I pay $xxx,xxx for fancy and very fast car. If it breaks under normal 
> > operating circumstances, Otto the mechanic better fix it for free.  Same issue can be applied to the openness, if it 
> > breaks, it might not always get fixed right away since Otto isn't specifically assigned to it, or other wanna be 
> > Otto's attempt to know how to fix it.  With the commercial application, the fix may not be readily available or 
> > until the number of days it is supposed to be released by the VRT :)

2) If a "signature" is written properly then evading it will be  
non-trivial.  This all falls into the "writing the signature for the  
vulnerability instead of the exploit" thing that we argue about around  
here from time to time.  I don't think knowing what someone is looking  
for does a whole lot if there's no way to avoid tripping it in the  
course of an exploit.

> > Hopefully some of the more out-dated signatures have been phased out or replaced with something stronger, faster, 
> > etc.


3) Snort has had 2 remote exploits (buffer overflow and integer  
overflow leading to heap overflow on certain platforms) and a 2-3 DoSes  
due to protocol handler mistakes in 6.5 years.  ISS has had at least  
that many over the years and a resultant worm to boot.  Did being  
closed really help them all that much?  I think that developing in the  
open forces us to be a little more careful than we might otherwise be,  
but I think that over time being open leads to a more secure codebase  
due to the exposure to the "elements" that it entails.


> > I am defending ISS or other commercial entities that keep tight lids on their secret sauce or formula for Original 
> > versus New or fingering point on why things were done a certain way, just look at Sendmail or syslog, and the other 
> > freely available tools that have been in the Unix CVS for a while now.  The community just knows who to single out 
> > if something really bad or coded improperly. 

> > I wish I have $0.02..  :)
Anyway, just my $0.02, hope it was interesting.

      -Marty

On Mar 12, 2005, at 8:54 AM, David W. Goodrum wrote:

> I think it's interesting how this is an unwinnable argument for any  
> vendor.  At NFR our signatures are openly readable by our customers,  
> but we've heard the exact opposite argument of what you are presenting  
> here:  "A potential hacker can read how the signatures work, and use  
> that information to try to evade the IDS".  So, if we appeased them,  
> we'd close our signature base, and then we'd be hearing it from the  
> other side of the house.  This is a no-win situation for the vendor.   
> We've tried to appease both sides by not having our sigs "publicly"  
> available, but all a really determined hacker has to do is buy our  
> product to read the signatures.
> So, before you ask ISS to release their codebase for their signature  
> set, you might want to think about what the full consequences of that  
> would be.  Snort has had 2 or 3 remote exploits.  The only reason this  
> was possible is because their entire product is totally open to the  
> world.  I doubt ISS wants to open themselves up to that type of  
> publicity.  :)
>
> -dave
>
> Jeff Boggie wrote:
>
> > No, the lack of visibility into ISS signature content is a major bone  
> > of
> > contention in my shop.
> >
> > -----Original Message-----
> > From: Brady, Rick [mailto:Rick.Brady () LibertyMutual com] Sent:  
> > Wednesday, March 09, 2005 5:08 PM
> > To: Melih Kirkgöz (Koç.net); Stephane; focus-ids () securityfocus com
> > Subject: RE: How to choose an IDS/FW MSS provider
> >
> >
> > Melih,
> > I guess you must be special to ISS, from my experience the support  
> > has been
> > sub-par. Also do you like the idea that ISS IDS signatures are not  
> > known to
> > the customer and only ISS ?
> > Rick Brady
> > Liberty Mutual Group
> > I/S TSSS Engineering Network Access Control
> > mailto:rick.brady () libertymutual com
> > (603) 245-4214   8-435-4214sdn
> > -----Original Message-----
> > From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net] Sent: Tuesday,  
> > March 08, 2005 2:22 AM
> > To: Stephane; focus-ids () securityfocus com
> > Subject: RE: How to choose an IDS/FW MSS provider
> > Importance: High
> >
> > Hello Stephane,
> >
> > We have been using ISS since last two years.(50 Server Sensor,15  
> > Network
> > Sensor,1 Proventia G 100 IPS),managed by SiteProtector. We tested
> > Netscreen,ISS,Radware,NAI Intrushield and Checkpoint during our  
> > evaluation
> > period for intrusion detection/prevention systems. Strong level of  
> > expertise
> > and good technical support was one of the big reasons choosing ISS.
> >
> > -----Original Message-----
> > From: Stephane [mailto:stephane.d () ecologie net] Sent: Monday, March  
> > 07, 2005 12:42 PM
> > To: focus-ids () securityfocus com
> > Subject: How to choose an IDS/FW MSS provider
> >
> > Dear All,
> >
> > How do I choose an IDS/IPS provider if I need a strong level of  
> > expertise
> > 24x7x365 and a worldwide representaion? I need it on Netscreen, PIX,
> > CheckPoint and ISS Realsecure and Proventia.
> >
> > Thank you,
> >
> > S.
> >
> > ---------------------------------------------------------------------- 
> > ----
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE
> > IMPACT. Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ---------------------------------------------------------------------- 
> > ----  
> > ______________________________________________________________________ 
> > ______
> > _________________________________________________________________ Bu  
> > e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir.  
> > Eger
> > bu e-posta mesaji size yanlislikla ulasmissa,  icerigini hic bir  
> > sekilde
> > kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta
> > mesajini kullaniciya hemen geri gonderiniz  ve  tum kopyalarini mesaj
> > kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir  
> > amac
> > icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz.  Bu  
> > e-posta
> > mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir.  
> > Ancak
> > yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol
> > ediliyor olsa bile - virus icermedigini garanti etmez ve meydana  
> > gelebilecek
> > zararlardan dogacak hicbir sorumlulugu kabul etmez.  This message is  
> > intended solely for the use of the individual or entity to
> > whom it is addressed , and may contain confidential  information. If  
> > you are
> > not the intended recipient of this message or you receive this mail in
> > error, you should refrain from making any use of the contents and from
> > opening any attachment. In that case, please notify the sender  
> > immediately
> > and return the message to the sender, then, delete and destroy all  
> > copies.
> > This e-mail message, can not be copied, published or sold for any  
> > reason.
> > This e-mail message has been swept by anti-virus systems for the  
> > presence of
> > computer viruses. In doing so, however,  sender  cannot warrant that  
> > virus
> > or other forms of data corruption may not be present and do not take  
> > any
> > responsibility in any occurrence.  
> > ______________________________________________________________________ 
> > ______
> > _________________________________________________________________
> > ---------------------------------------------------------------------- 
> > ----
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to  
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> > learn more.
> > ---------------------------------------------------------------------- 
> > ----
> >
> > ---------------------------------------------------------------------- 
> > ----
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to  
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> > learn more.
> > ---------------------------------------------------------------------- 
> > ----
> >
> >
> > ---------------------------------------------------------------------- 
> > ----
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to  
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> > learn more.
> > ---------------------------------------------------------------------- 
> > ----
>
> -- 
> David W. Goodrum
> Senior Systems Engineer
> NFR Security
> 703.731.3765
>
>
> ----------------------------------------------------------------------- 
> ---
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from  
> CORE IMPACT.
> Go to  
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to  
> learn more.
> ----------------------------------------------------------------------- 
> ---
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention -  
http://www.snort.org


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------