Re: Useful NADS

[Adam Powers <apowers () lancope com>]

One final post on this subject...

Regarding NADS vs. IDS/IPS. What are the real competitive differentiators?

1. Cost effectiveness. Anywhere you have a Cisco router, you have an
"observation point" that can feed the NADS technology. This means remote
sites, core and distribution areas, as well as perimeter uplinks to partners
and the Internet itself. No hardware deployment required. No
ping-power-pipe. No break/fix.

2. Speed and performance. NetFlow cares not about bandwidth, only about
flows per second. I've seen StealthWatch boxes that were monitoring 7
gigabits per second worth of network traffic across 150,000+ IP nodes.

3. Ability to overcome asymmetric routing. Given the fact that flow-enabled
NBAD technologies can collect from opposite ends of a large network campus,
flows that enter and leave at different areas of the network are reassembled
into a single stateful entry. Asym environments present significant
challenges for TCP state machines included in most IDS/IPS pattern matching
products.

4. Forensics capabilities. All flows are recorded regardless of good or bad
designation. This provides a 24x7 account of who talked to who, how much
they talked, and what kind of communication was involved. Vastly superior to
the best firewall logs.

5. Ability to see everywhere at once. Short of heavy RSPAN technology,
IDS/IPS technologies have an extremely myopic view of the network.
Flow-enabled NBAD technology can actually watch as a worm or other network
event propagates from one site to the next to the next, putting the whole
event together into a single view for the analyst and analysis engine.

6. Network awareness. StealthWatch offers "closest router determination"
technology that actually tells the operator and the underlying mitigation
infrastructure what router is closest to the host in question. This allows
for laser sharp installation of Null0 routes, ACLs, and port disablement.

7. There are more but I'll stop here in the interest of your (and my) time.

** Note that I've left out zero-day and that marketing mumbo jumbo. I think
this topic has been well covered in this forum and via marketing materials
from NADS vendors. 

-AP

On 8/31/05 11:52 PM, "Adam Powers" <apowers () lancope com> wrote:

> Quick observation: Placing detection capabilities aside, one of the core
> capabilities flow-based anomaly detection system provides is network
> insight. They tend to specialize in slicing and dicing information about how
> hosts are behaving and what they are doing. The ability to see many places
> in the network at once (via NetFlow or sFlow) enables a unique observational
> quality not found in other security technologies.
>
> The value of the contextual information provided by a NADS has been
> overlooked by most everyone participating in this thread. You have to see
> it, work with it, and deploy it to truly appreciate the power.
>
> More inline...
>
>
> On 8/31/05 5:45 PM, "Andrew Plato" <andrew.plato () anitian com> wrote:
>
> > Honestly, I have never found "network anomaly detection (NADS)" to be a
> > tremendously valuable technology for most organizations. It is
> > definitely not a strong zero-day detector, although with the stars
> > aligned I am sure it could be.
>
> What NADS technologies have you deployed and when? A statement like this
> implies that you've worked with all the NADS technologies available (and
> recently at that given the vast improvements made in the last 12 months by
> most). If your answer is "I've seen Arbor (or Mazu or whatever) in action"
> then my answer is "Arbor and Mazu are no StealthWatch".
>
> > If networks were built and managed to exact specifications, I could
> > understand how network anomaly detection has merit. But in the hundreds
> > of networks I have seen, very few of them are very clean. Most of them
> > are filthy with a constant onslaught of "anomalies.'
> >
> > You give the example of a DNS server suddenly firing up and sending out
> > requests. For every potential bad thing that could indicate, there are
> > at least as many normal, acceptable and totally legitimate reasons such
> > an event would happen. Thus when a NADS fires off an alert about this
> > (or blocks it), there are just as many reasons to ignore it as there are
> > to pay attention to it. As such, the IT admins are likely going to turn
> > off that detection as soon as they get a dozen or so false positives.
> > Whatever benefit that feature had, is then irrelevant.
>
> Not sure you read my post carefully. The example describes a scenario in
> which the NADS *would not* alarm on the DNS traffic burst.
>
> StealthWatch overcomes the "deluge of events" problem using a series of
> indices designed to rate various types of activities based on a point system
> that ranges from 0 to unbounded. As "strange" flow behaviors are recognized,
> points are added to the various indices.
>
> The NADS administrator is presented with a list of hosts ordered from
> greatest to least based on the current value of the index.
>
> Current supported indices include:
>
> Concern Index: Designed to rate attack traffic such as scanning,
> fragmentation anomalies, flooding of various types, aborted connections,
> etc. The more "bad stuff" seen for a given host the faster and higher the
> Concern Index climbs. In the case of the DNS example, the ICMP
> PORT_UNREACHABLES would *not* cause Concern Index points to accumulate due
> to the fact the StealthWatch engine knows to expect PORT_UNREACHABLES
> clients back to the DNS server.
>
> File Sharing Index: Measures behaviors associated with PTP overlays and
> general file sharing among Internet hosts and internal corporate resources.
>
> Target Index: Similar to the Concern Index with the exception that points
> are assigned to the victim vs. the attacker. Useful for prioritizing those
> hosts that seem to be under attack. Random source IPs performing a DDoS
> against a single victim will cause the victim's Target Index to climb.
>
> Application Verification Index: Based on inspection of port number vs. the
> actual contents of the payload seen. Running SSH over port 80 will cause
> application verification to fail, resulting in an increase in the
> Application Verification Index for the host.
>
> An index-based approach allows for prioritization of those behaviors that
> are most important to those that are least. The admin doesn't need to turn
> off the alarm, just raise or lower the index threshold based on their
> organization's tolerance for the behavior observed.
>
> > One thing I have learned in my travels installing IPS/IDS for 6+ years
> > now is that 95% of the admins out there pay very little attention to the
> > deluge of data that comes from IPS/IDS technologies. Its just too much
> > data. Its too hard to separate the wheat from the chaff. As such, most
> > adopt the attitude of "stop bad, allow good, log the rest." And
> > therefore, tons of "might be" events are just going to get ignored.
>
> This is the focus of an index-based approach to separating "wheat from
> chaff". Instead of raising hundreds of micro-events, an index is used to
> roll up many correlated anomaly events into a single easy-to-use /
> easy-to-diagnose number.
>
> > Moreover, baselining these networks is also rarely useful. Baselining
> > only works if your network actually stays within its baseline fairly
> > regularly. Of the networks I've seen, most would routinely break their
> > own baselines. Moreover, its very easy for "bad stuff" to stay within
> > the baseline, especially if the baseline has been tweaked and tuned to
> > the point of irrelevance in order to stop the deluge of events.
>
> Baselining is but one aspect of a flow-based anomaly detection system. Some
> areas of a network benefit greatly from baselining, other don't. Can't speak
> for the other guys, but StealthWatch doesn't need a baseline to operate.
>
> > So, while there may be a place for NADS, it would have to be intermixed
> > with traditional IPS signature matching to be really effective and
> > useful. And if the biggest plus of your product is just NADS, then the
> > IPS is probably just tacked on to be competitive in the market. As such,
> > organizations would be better off getting an a top of the line IPS, not
> > a NADS that happens to have an IPS thrown in.
>
> IPSs simply can't be deployed everywhere. How many organizations have you
> seen in which an IPS is placed at every location in which a Cisco router
> exists? NADS deployed with NetFlow gives the IT admin the ability to
> virtually inspect traffic at MANY locations throughout the network at once
> without the need for expensive inline hardware.
>
> NADS is completely complementary to existing IPS technologies. They operate
> in very different ways and solve a different kind of problem.
>
> -AP
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------