IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: "David W. Goodrum" <dgoodrum () nfr com>
Date: Sat, 12 Mar 2005 10:11:44 -0500
But, you're missing the point. What I'm saying is that the two technologies are merging where appropriate, and that it is a GOOD thing, even for large enterprises, not just small ones. The type of inspection that IDS devices do is totally required to STOP malicious traffic. IDS must be inline doing blocking to prevent the things that firewalls can't prevent... even in an enterprise network. Plus, just because your IDS is present in the form of IPS, doesn't mean that it's not still doing auditing also. It's not like it's all or nothing technology... you can pick and choose the types of events you want to prevent, and which ones are just audit, and good reporting lets the admin differentiate.
Plus, we see more and more people looking to deploy firewalls / IPS / Access Control devices internally. The reasons are manifold:
First, people want to be able to create quarantine zones internally (to contain an outbreak of a virus or worm internally). Traditional firewalls alone can't do this... it's got to be something doing Layer 7 inspection with IDS-like detection. Traditional IDS can't do this either. Only when you combine the two philosophies can this be accomplished.
Second, people want the type of insight into the internal networks that IDS's have traditionally given them.
Third, the term "Intrusion" in "Intrusion Detection / Prevention Systems" has turned into a misnomer. For years people have looked at their IDS devices and asked it to do more. It's more like Network Security Policy Enforcement now. For example, when NFR first came out with their OS Fingerprinting years ago, we did it so that we could accurately re-assemble fragmented attacks. We did it to do Intrusion Detection better. But, what people really liked about it was that they could use that information to tune better (i.e. don't alert me on Windows attacks against Unix boxes), and later people began to realize that they could use this to detect when people were violating OS policies on their internal network. i.e. "alert me when you see Windows 98 OS's on my internal segments". This wasn't Intrusion Detection, this was OS Policy Enforcement. Then came Application Fingerprinting... originally, it was done to make tuning better (just like OS Fingerprinting in part), i.e. don't alert on IIS attacks against Apache servers. But, now it has turned into, "enforce policy on my network with regard to application servers". If it's just an IDS, it can't actually prevent people from accidentally running IIS/5.1 servers with the default XP install. It has to be inline, preventing, to do that kind of policy enforcement. IDS isn't dead, but it isn't simply IDS anymore either. IDS is a great audit tool, but when you combine that technology with blocking technologies into one device, you get a brand new technology that does more than both put together. Synergy DOES exist when you combine the two, especially when you realize that IDS is no longer just "Intrusion" detection.
-dave

Richard Bejtlich wrote:

> On Fri, 11 Mar 2005 10:14:23 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
>
>> Many IDS vendors are integrating Firewalls into their product, just like Firewall vendors are trying to catch up on the Layer 7 analysis. Both types of technologies are coming together to some degree.
>
> I understand that market pressures and misguided research organizations are forcing access control and audit functions to converge. This is a shame. I wrote an article called "Considering Convergence?" that recommends keeping access control and audit separate. [0] Smaller organizations lacking the resources to implement defense in depth are better off buying a single "do-it-all" appliance, if the alternative is implementing little or no security. Larger organizations with the resources to field multiple technologies, follow coordinated policies, and train security staff will be more secure with distinct firewalls and intrusion detection systems.
>
>> What I'm getting at is that Defense in Depth still applies, even though these two technologies seem to be coming together rather quickly.
>
> I agree. Any device making an access control decision is a firewall. This includes router ACLs, layer 3-4 "firewalls," and "IPSs." Responsibility for network audit should remain with the IDS.
>
> Ross Anderson's exceptional book 'Security Engineering' recommends avoiding "convergence" when he talks about bookkeeping and fraud:
>
> "With functional separation of duties, two or more different staff members act on a transaction at different points in its path. The classic example is corporate purchasing. A manager makes a purchase decision and tells the purchasing department; a clerk there writes a purchase order; the store clerk records the arrival of goods; an invoice arrives at accounts; the accounts clerk correlates it with the purchase order and the store receipt, and cuts a check; the accounts manager signs the check. The manager now gets a debit on her monthly statement for that internal account; her boss reviews the accounts to make sure the division's profit targets are likely to be met; the internal audit department can descend at any time to audit the division's books; and when the external auditors come in once a year, they will check the books of a randomly selected sample of departments." [1]
>
> The current market path is collapsing all of these decisions and responsibilities into a single point; in business, the result is massive undetected fraud. An attack bypassing a "converged appliance" will be unfiltered, undetected, and destructive. Incident response will be the only remaining strategy, and the responders will have little or no evidence to analyze and act upon.
>
> Sincerely,
>
> Richard
>
> [0] http://www.taosecurity.com/publications.html
> [1] 'Security Engineering' by Ross Anderson (New York, NY: Wiley, 2001), p. 190.
>
> http://www.cl.cam.ac.uk/users/rja14/
--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765
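The two uses of fingerprinting described in the message above (tuning out attack alerts against platforms the target does not actually run, and flagging hosts that violate an OS or application policy, with each rule set to either audit or block) can be shown as a small policy engine. The following Python is an added example written for this archive page; it is not NFR's product code and not anything posted in the thread. The host inventory, the rule schema, the alert records and the audit/block split are all constructed assumptions standing in for what a real sensor would produce.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One passively fingerprinted host (constructed sample data below)."""
    ip: str
    segment: str
    os: str
    apps: frozenset


@dataclass(frozen=True)
class Rule:
    """Policy rule: OS or application values not allowed on a segment, and
    whether a hit is only audited (alert) or actively blocked (inline drop)."""
    name: str
    segment: str        # "*" applies to every segment
    field: str          # "os" or "app"
    forbidden: frozenset
    mode: str           # "audit" or "block"


# Constructed fingerprint inventory, standing in for what a sensor would learn.
HOSTS = (
    Host("10.1.1.5", "finance", "Windows 98", frozenset({"smb"})),
    Host("10.1.2.7", "workstations", "Windows XP", frozenset({"IIS/5.1"})),
    Host("10.1.3.9", "dmz", "Linux", frozenset({"Apache"})),
)
INVENTORY = {h.ip: h for h in HOSTS}

# Constructed policy: legacy Windows 98 hosts are only audited, while a
# default-install IIS on a workstation segment is blocked.
RULES = (
    Rule("legacy-os-internal", "*", "os", frozenset({"Windows 98"}), "audit"),
    Rule("no-iis-on-workstations", "workstations", "app", frozenset({"IIS/5.1"}), "block"),
)


def evaluate_policy(hosts, rules):
    """Return (mode, rule name, ip, offending values) for every rule a host violates."""
    decisions = []
    for host in hosts:
        for rule in rules:
            if rule.segment not in ("*", host.segment):
                continue
            observed = {host.os} if rule.field == "os" else set(host.apps)
            hits = observed & rule.forbidden
            if hits:
                decisions.append((rule.mode, rule.name, host.ip, sorted(hits)))
    return decisions


def tune_alert(alert, inventory):
    """Decide whether an attack alert is worth raising given what the target runs.

    alert is a dict with "dst", "target_os" and "target_app"; "any" means the
    signature is not platform-specific. Hosts missing from the inventory are
    never suppressed, so an incomplete fingerprint table fails safe.
    """
    host = inventory.get(alert["dst"])
    if host is None:
        return "alert"
    if alert["target_os"] != "any" and not host.os.startswith(alert["target_os"]):
        return "suppress"
    if alert["target_app"] != "any" and alert["target_app"] not in host.apps:
        return "suppress"
    return "alert"


# Constructed alerts: the same IIS signature fired against an Apache host and an IIS host,
# plus a generic alert against a host the sensor has not fingerprinted.
ALERTS = (
    {"sig": "IIS unicode traversal", "dst": "10.1.3.9", "target_os": "Windows", "target_app": "IIS/5.1"},
    {"sig": "IIS unicode traversal", "dst": "10.1.2.7", "target_os": "Windows", "target_app": "IIS/5.1"},
    {"sig": "generic port scan", "dst": "10.9.9.9", "target_os": "any", "target_app": "any"},
)


if __name__ == "__main__":
    for decision in evaluate_policy(HOSTS, RULES):
        print("POLICY", decision)
    for alert in ALERTS:
        print("ALERT", alert["sig"], alert["dst"], "->", tune_alert(alert, INVENTORY))
```

The point the split makes concrete is the one both sides of the thread care about: the same fingerprint table drives both an audit path (the Windows 98 rule produces a record and nothing else) and a blocking path (the IIS rule would be acted on inline), and the operator chooses per rule which it is. Whether those two paths should live in one box or two is exactly the convergence question under debate.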