IDS mailing list archives
Re: Useful NADS
From: Adam Powers <apowers () lancope com>
Date: Thu, 01 Sep 2005 13:18:42 -0400
One final post on this subject... Regarding NADS vs. IDS/IPS. What are the real competitive differentiators?

1. Cost effectiveness. Anywhere you have a Cisco router, you have an "observation point" that can feed the NADS technology. This means remote sites, core and distribution areas, as well as perimeter uplinks to partners and the Internet itself. No hardware deployment required. No ping-power-pipe. No break/fix.

2. Speed and performance. NetFlow cares not about bandwidth, only about flows per second. I've seen StealthWatch boxes that were monitoring 7 gigabits per second worth of network traffic across 150,000+ IP nodes.

3. Ability to overcome asymmetric routing. Given the fact that flow-enabled NBAD technologies can collect from opposite ends of a large network campus, flows that enter and leave at different areas of the network are reassembled into a single stateful entry. Asym environments present significant challenges for TCP state machines included in most IDS/IPS pattern matching products.

4. Forensics capabilities. All flows are recorded regardless of good or bad designation. This provides a 24x7 account of who talked to who, how much they talked, and what kind of communication was involved. Vastly superior to the best firewall logs.

5. Ability to see everywhere at once. Short of heavy RSPAN technology, IDS/IPS technologies have an extremely myopic view of the network. Flow-enabled NBAD technology can actually watch as a worm or other network event propagates from one site to the next to the next, putting the whole event together into a single view for the analyst and analysis engine.

6. Network awareness. StealthWatch offers "closest router determination" technology that actually tells the operator and the underlying mitigation infrastructure what router is closest to the host in question. This allows for laser sharp installation of Null0 routes, ACLs, and port disablement.

7. There are more but I'll stop here in the interest of your (and my) time.
** Note that I've left out zero-day and that marketing mumbo jumbo. I think this topic has been well covered in this forum and via marketing materials from NADS vendors.

-AP

On 8/31/05 11:52 PM, "Adam Powers" <apowers () lancope com> wrote:
> Quick observation: Placing detection capabilities aside, one of the core capabilities a flow-based anomaly detection system provides is network insight. They tend to specialize in slicing and dicing information about how hosts are behaving and what they are doing. The ability to see many places in the network at once (via NetFlow or sFlow) enables a unique observational quality not found in other security technologies. The value of the contextual information provided by a NADS has been overlooked by most everyone participating in this thread. You have to see it, work with it, and deploy it to truly appreciate the power.
>
> More inline...
>
> On 8/31/05 5:45 PM, "Andrew Plato" <andrew.plato () anitian com> wrote:
>
>> Honestly, I have never found "network anomaly detection (NADS)" to be a tremendously valuable technology for most organizations. It is definitely not a strong zero-day detector, although with the stars aligned I am sure it could be.
>
> What NADS technologies have you deployed and when? A statement like this implies that you've worked with all the NADS technologies available (and recently at that given the vast improvements made in the last 12 months by most). If your answer is "I've seen Arbor (or Mazu or whatever) in action" then my answer is "Arbor and Mazu are no StealthWatch".
>
>> If networks were built and managed to exact specifications, I could understand how network anomaly detection has merit. But in the hundreds of networks I have seen, very few of them are very clean. Most of them are filthy with a constant onslaught of "anomalies." You give the example of a DNS server suddenly firing up and sending out requests. For every potential bad thing that could indicate, there are at least as many normal, acceptable and totally legitimate reasons such an event would happen. Thus when a NADS fires off an alert about this (or blocks it), there are just as many reasons to ignore it as there are to pay attention to it. As such, the IT admins are likely going to turn off that detection as soon as they get a dozen or so false positives. Whatever benefit that feature had is then irrelevant.
>
> Not sure you read my post carefully. The example describes a scenario in which the NADS *would not* alarm on the DNS traffic burst. StealthWatch overcomes the "deluge of events" problem using a series of indices designed to rate various types of activities based on a point system that ranges from 0 to unbounded. As "strange" flow behaviors are recognized, points are added to the various indices. The NADS administrator is presented with a list of hosts ordered from greatest to least based on the current value of the index. Current supported indices include:
>
> Concern Index: Designed to rate attack traffic such as scanning, fragmentation anomalies, flooding of various types, aborted connections, etc. The more "bad stuff" seen for a given host the faster and higher the Concern Index climbs. In the case of the DNS example, the ICMP PORT_UNREACHABLES would *not* cause Concern Index points to accumulate due to the fact the StealthWatch engine knows to expect PORT_UNREACHABLES clients back to the DNS server.
>
> File Sharing Index: Measures behaviors associated with PTP overlays and general file sharing among Internet hosts and internal corporate resources.
>
> Target Index: Similar to the Concern Index with the exception that points are assigned to the victim vs. the attacker. Useful for prioritizing those hosts that seem to be under attack. Random source IPs performing a DDoS against a single victim will cause the victim's Target Index to climb.
>
> Application Verification Index: Based on inspection of port number vs. the actual contents of the payload seen. Running SSH over port 80 will cause application verification to fail, resulting in an increase in the Application Verification Index for the host.
>
> An index-based approach allows for prioritization of those behaviors that are most important to those that are least. The admin doesn't need to turn off the alarm, just raise or lower the index threshold based on their organization's tolerance for the behavior observed.
>
>> One thing I have learned in my travels installing IPS/IDS for 6+ years now is that 95% of the admins out there pay very little attention to the deluge of data that comes from IPS/IDS technologies. It's just too much data. It's too hard to separate the wheat from the chaff. As such, most adopt the attitude of "stop bad, allow good, log the rest." And therefore, tons of "might be" events are just going to get ignored.
>
> This is the focus of an index-based approach to separating "wheat from chaff". Instead of raising hundreds of micro-events, an index is used to roll up many correlated anomaly events into a single easy-to-use / easy-to-diagnose number.
>
>> Moreover, baselining these networks is also rarely useful. Baselining only works if your network actually stays within its baseline fairly regularly. Of the networks I've seen, most would routinely break their own baselines. Moreover, it's very easy for "bad stuff" to stay within the baseline, especially if the baseline has been tweaked and tuned to the point of irrelevance in order to stop the deluge of events.
>
> Baselining is but one aspect of a flow-based anomaly detection system. Some areas of a network benefit greatly from baselining, others don't. Can't speak for the other guys, but StealthWatch doesn't need a baseline to operate.
>
>> So, while there may be a place for NADS, it would have to be intermixed with traditional IPS signature matching to be really effective and useful. And if the biggest plus of your product is just NADS, then the IPS is probably just tacked on to be competitive in the market. As such, organizations would be better off getting a top-of-the-line IPS, not a NADS that happens to have an IPS thrown in.
>
> IPSs simply can't be deployed everywhere. How many organizations have you seen in which an IPS is placed at every location in which a Cisco router exists? NADS deployed with NetFlow gives the IT admin the ability to virtually inspect traffic at MANY locations throughout the network at once without the need for expensive inline hardware. NADS is completely complementary to existing IPS technologies. They operate in very different ways and solve a different kind of problem.
>
> -AP

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
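An added example of the per-host index roll-up the thread describes (written for this page, not Lancope/StealthWatch code): flow-level anomalies add points to a Concern Index for the apparent source and a Target Index for the apparent victim, a known DNS server is exempted from ICMP port-unreachable points, and the admin is shown hosts ranked above a threshold rather than individual events. The flow records, the KNOWN_DNS_SERVERS list, the scan threshold and the point values are all constructed assumptions.

```python
# Added example, not Lancope/StealthWatch code: roll flow-level anomalies up into
# per-host indices so the admin sees a short ranked list instead of raw events.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                 # one unidirectional NetFlow-style record
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port; 0 for icmp
    flags: str = ""         # TCP flags seen in the flow, e.g. "S" or "SPAF"
    icmp_type: int = -1
    icmp_code: int = -1

# Hypothetical role knowledge: a DNS server is expected to draw ICMP port
# unreachables from the hosts it queries, so those do not count against it.
KNOWN_DNS_SERVERS = {"10.0.0.53"}
SCAN_PORT_THRESHOLD = 5     # distinct dst ports one src touches on one dst

def score(flows):
    """Return (concern, target): host -> points, attacker-side and victim-side."""
    concern, target = defaultdict(int), defaultdict(int)
    ports_seen = defaultdict(set)
    for f in flows:
        if f.proto == "icmp" and (f.icmp_type, f.icmp_code) == (3, 3):
            if f.dst in KNOWN_DNS_SERVERS:
                continue            # expected reply to the server's own queries
            concern[f.dst] += 2     # f.dst was poking closed ports on f.src
        elif f.proto == "tcp" and f.flags == "S":
            concern[f.src] += 1     # half-open / aborted connection attempt
            target[f.dst] += 1
            ports_seen[(f.src, f.dst)].add(f.dport)
            if len(ports_seen[(f.src, f.dst)]) == SCAN_PORT_THRESHOLD + 1:
                concern[f.src] += 5  # scan threshold crossed; charged once
    return dict(concern), dict(target)

def ranked(index, threshold=0):
    # Hosts at or above threshold, highest first: the list the admin works from.
    hits = [(h, p) for h, p in index.items() if p >= threshold]
    return sorted(hits, key=lambda hp: (-hp[1], hp[0]))

# Constructed sample: DNS-server reply, one port scanner, a 20-source SYN flood,
# and an ordinary completed web session that should earn no points at all.
SAMPLE_FLOWS = (
    [Flow("192.0.2.10", "10.0.0.53", "icmp", icmp_type=3, icmp_code=3),
     Flow("10.0.0.7", "10.0.0.99", "icmp", icmp_type=3, icmp_code=3)]
    + [Flow("10.0.0.99", "10.0.0.7", "tcp", p, "S") for p in (21, 22, 23, 25, 80, 443)]
    + [Flow(f"198.51.100.{i}", "10.0.0.80", "tcp", 80, "S") for i in range(1, 21)]
    + [Flow("10.0.0.5", "10.0.0.80", "tcp", 80, "SPAF")]
)
```

Raising the threshold passed to `ranked` is the "tolerance" knob the thread mentions: the twenty flood sources each sit at one Concern point and drop out of view, while the scanner and the flooded server stay at the top of their respective lists.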