Information Security News mailing list archives

Recent Gartner Report on IDS/IPS


From: InfoSec News <isn () c4i org>
Date: Mon, 16 Jun 2003 04:13:01 -0500 (CDT)

Forwarded from: Gary Golomb <gee_two () yahoo com>
To: focus-ids () securityfocus com, isn () c4i org

Ok, this is going to be long. Also, this email is being written
entirely on my own impetus and **definitely does not** reflect the
views of my employer. (In fact, I'll be surprised if I make it through
this one without any bruises.)

Gartner, Inc. has recently released a document authored by Richard
Stiennon entitled, "Intrusion Detection Is Dead - Long Live Intrusion
Prevention." (So I'm guessing we don't need to cover what that
document is about.) Gartner is self-described as, "For 20 years,
Gartner's Research & Advisory services have been recognized as the
definitive source for objective technology thought leadership." Ok,
fair enough. I'm a fair person and everyone makes mistakes.

Unfortunately, this is not Gartner's first mistake along these lines.
Here's a quote from paper now a year and a half old (also from
Gartner):

"Intrusion Prevention Will Replace Intrusion Detection. Enterprises
should delay new large investments in intrusion detection systems --
which have failed to provide additional security -- until intrusion
prevention systems emerge that provide a stronger defense against
'cyberattacks.'"

No, this is not the first time Gartner has displayed such a grotesque
misunderstanding behind detecting and defending against *real*
threats, but this is definitely the most horrible.

So, for all those who take statements like the above seriously, let's
define WHY people use Intrusion Detection technologies in the first
place.

Intrusion Detection systems are used for one reason. It's your last
chance to be notified about a potential break-in; a virtual safety
net. Once an organization has invested massive amounts of time, money,
and resources into setting up "PROTECTIVE" technologies such as (but
not limited to) firewalls, encryption, authentication, proxies,
gateways, PKI, VPN, access control, virus detection/removal, etc...
The IDS serves the single purpose of sitting back and watching over
everything to see if people are still getting through. And here's a
curveball for you: After all the protective technologies just
described, attackers (both automatic like worms/viruses and live
people) were/are STILL getting through! Whether it's because of
vulnerabilities in network designs, application vulnerabilities, or
unknowingly misconfigured devices, they do get through. And this is
why IDSs were invented...

The main difference between an IDS and other security devices is the
fact that it's out-of-band, or passive in nature. It passively watches
all traffic looking for SIGNS of attacks, compromise, or other misuse.
The key benefit to being out-of-band is that you have the ability to
flag traffic that looks even the slightest bit "suspicious." If you
have an IDS that is telling you that too much is "suspicious," then
tune it! What's suspicious in one environment might not be in another.
Vendors try to compensate as best as possible, but only YOU know YOUR
environment the best! Once it is flagged, it is usually logged and
followed up by automated processing, or people-based responses.

So, now that we're on relatively the same page when it comes to ID,
let's look at Gartner's reasons for stating that we don't need this
technology anymore.

--- 
Statement #1 
"Contrary to the philosophy that it is impossible to protect a network
from all of the attacks leveled against it..."
---

Ok, this one is more comical than anything else. It's the first
sentence in the document. By starting off by telling us that it *IS*
indeed possible to protect a network from ALL attacks leveled against
it, I had to chuckle. It also set the stage for the rest of the
document.

--- 
Statement #2 
"The 'demilitarized zone' (DMZ) architecture has been punctured by
many exceptions to security policies. It poses a threat to
mission-critical services."
---

Since DMZ's [apparently] pose a threat to critical services, Richard
proposes (what he dubs as) a new nomenclature and architecture for
replacing the DMZ. The new name is: The Transition Zone. (TTZ?) The
way TTZ works is by taking your public resources (like a firewall,
mail server, or whatnot) and placing it on a network that is logically
between the Internet and your internal network. This middle ground is
separated from the Internet via a firewall or gateway that allows
limited access to the public resources. There is a second firewall
that separates the TTZ from the internal network which I presume is
more restrictive.

Interestingly enough, that's what the rest of the world calls a "DMZ."
I saw no difference between the proposed TTZ and how most
organizations that I have seen implement their DMZs.

--- 
Statement #3 
Regarding another problem with hosts in the DMZ: "Because of the
constant exposure of these assets to the outside world, they must be
protected by a greater investment in security devices, rather than
treated as untrusted, even sacrificial hosts."
---

I just called a couple Fortune 50 and some smaller customers of ours
to ask if their assets in their DMZs are sacrificial hosts. They said
no.

---
Statement #4
"By 2005, 90 percent of Global 200 gateway firewalls will do 100
percent deep packet inspection, enabling them to block application
attacks."
---

Now this statement is onto something! We'll get back
to this in just a minute.

---
Statement #5
"IDSs were proposed as the suspenders in the 'belt-and-suspenders'
approach to perimeter defense."
---

In this short sentence there are two significant errors.
 
One- 
IDS is NOT the "belt-and-suspenders" to perimeter defense, although
the mental image is quite entertaining. Quite the contrast, they are
the "checks-and-balances" to defense technologies. They do NOT
"support" protection, they "detect" when detection mechanisms are
failing. They also help to create audit data useful for the final part
of the security cycle - "reaction."

Two - 
IDSs are not designed just for the perimeter. Many organizations place
them throughout the network, at server farms, groups with large IP
caches or other data, and even in partner locations. I made a comment
at the top of this which stated, "If you have an IDS that is telling
you that too much is 'suspicious,' then tune it!" This is the reason
why. Not only is each environment different, but different traffic is
seen in different locations within the same environments. We do our
best to compensate, but only YOU know YOUR environment best.

---
Statement #6
"State awareness will enable network agents to scale to the
multigigabit speeds needed."
---

This statement shows an obvious and gross misunderstanding of
implementation and design issues in IDS development. A robust
state-tracking implementation can take just as much overhead as a good
pattern matching, protocol decoding, or anomaly detection
implementation. Look at firewalls for proof of this.

IDS vendors need to find a balance in implementing these
methodologies, without crushing sensor performance. No single solution
(such as state tracking) is good enough to be used as a single
detection methodology, or to state that it enables multigigabit speeds.

---
Statement #7
IPS needs to do this: "It requires efficient detection of malicious
attacks. Well-designed network agents should use a combination of
signature, protocol anomaly detection and traffic analysis to minimize
false positives. State awareness will enable network agents to scale
to the multigigabit speeds needed. They should be in line to allow
them to drop sessions."
---

This statement appears to show that now even Gartner has succumbed to
marketing hype. You would think they would have based a paper like
this on analysis of some new vulnerabilities, or trending exploit
development over time, or looking deep into the geopolitical
developments and sociological impacts on attackers and hacking, right?
Based on the above "design requirements," it sounds as if this
document was written to be a marketing glossy for an IPS vendor.

Marketing is my favorite topic!

Here is a statement taken from a leading IDS/IPS vendor's website. Not
a kind-of leading vendor, VERY leading. ;)

"...provides broad-based detection, prevention and response for
attacks and misuse that originate from across a network. ...using a
combination of sophisticated protocol analysis and pattern matching to
interpret network activity it detects known attacks, previously
unknown attacks, and is immune to tools that attempt to evade pure
pattern matching systems."

So we'd expect this true statement, right? Here are the results of a
test performed several months ago. (Maybe 60 to 9 months ago now, and
I'm sure the IDS has been corrected by now.) First, the two most
critical vulnerabilities were picked from a 4-6 month time period.
This was done to cover the past two years. Two were picked so one
Windows and one Unix vulnerability could be tested for each 4-6 month
time period.

Then, exploits were harvested for those vulns. Only exploits from the
most public websites like www.packetstormsecurity.com and
www.securityfocus.com were taken. The final exploit chosen was the one
in each category that was the most easy to use and most destructively
robust. This ensured we were testing the exploits that the kids were
most likely to be using.

The IDS was also fully configured and updated. The point was *not* to
evade it or make them look silly, but to see HOW it viewed certain
events compared to other IDSs. There was a problem though. The
following exploits were missed COMPLETELY:

Moderators: I am sending this from a different account
than what I'm subscribed under. If this is a problem,
I will make other accommodations. 

 - IIS 5.0 .asp overflow wrapped inside of chunked-encoding exploit
with port binding shellcode
http://packetstormsecurity.org/0206-exploits/DDK-IIS.c

For any "Protocol Decoding IDS" this attack should have triggered all
kinds of HTTP alarms, which it did not.

 - UPnP remote shell-binding exploit 
http://packetstormsecurity.org/0112-exploits/XPloit.c This exploit was
chosen for two reasons. One is that it affects all unpatched Windows
ME and Windows XP systems. The second is that it uses shellcode which
is also used in many other windows-based exploits so it should be
easily identifiable.

 - FrontPage 2000 Server Extensions .asp source disclosure 
vulnerability
http://packetstormsecurity.org/0008-exploits/srcgrab.pl.txt

This was chosen mainly because of its prevalence in security
scanners. This is a vulnerability that many scanners check for since
there is a wealth of information in many .asp scripts.

 - Apache Chunked Encoding Vulnerability
http://packetstormsecurity.org/worms/apache-worm.c 
Not only is Apache the most widely deployed web server on planet
Earth, but this vulnerability was the basis for MANY different
exploits and Internet worms.

 - Compromise: Command prompt and shell on high port This test was
done because realistically you cannot expect an IDS to detect EVERY
attack out there. However, you should expect the IDS to detect the
most basic and generic signs of a successful compromise.

Now if you have missed the significance of these test results, let me
paste the statement that same vendor made about their technology on a
main webpage again:

"...provides broad-based detection, prevention and response for
attacks and misuse that originate from across a network. ...using a
combination of sophisticated protocol analysis and pattern matching to
interpret network activity it detects known attacks, previously
unknown attacks, and is immune to tools that attempt to evade pure
pattern matching systems."

All of those attacks were 3-24 months old at the time.
All of those listed above were missed entirely - not even an unrelated
false positive was triggered from the attacks. Many others not listed
here were only detected as something else, and not the actual attack.

We'll elaborate a little more on the subject of IDS vs. IPS in a
moment, but I just wanted to make a note about vendors who claim to
have silver-bullet solutions.

Also, if IPS was the end-all, why do you think that every
market-leading IDS vendor hasn't adopted it yet?


---
Summary page of document:
Is a diagram showing something like a firewall that
can do application content inspection and filtering.
---

Now we have two points pending from above that tie into the summary of
this slide. One is the pros/cons of IDS, i.e., those things that would
cause a company of Gartner's stature to release a paper with the title
of this one.

ALL IDS methodologies have to deal with false positives. It's the way
the technology works. If you have a device that is going to tell you
about any potentially suspicious activity, that is exactly what it is
going to do. Just because communications might be suspicious, does not
mean it's going to always be an attack, but at least you have
something there to inform you about it when everything else on the
network fails to protect you.  And the IDSes that are better with
handling false positives are WORSE when it comes to the category of
producing false negatives. If you are going to tune down on the amount
of things you consider "suspicious" then of course you increase the
chance of tuning down real attacks also. I could show you a
one-for-one relationship why. Now which prospect is scarier?

The whole point of an IDS is taking advantage of the luxury passive
analysis affords you. You can be highly sensitive to anything that
looks slightly suspicious. You can spread your analysis over a time
period spanning several fractions of a second, several packets, or
even several months. You have the ability to be highly sensitive to as
much (or as little) as you need to be - to find and detect violations
of policy compromise.

Now don't get me wrong, IPS is an awesome technology. Bill Boyle from
Intruvert put it the most elegantly on the focus-ids list when there
was a thread of people (including myself) bashing IPS. He said
something to the effect of, "[paraphrasing] We're not claiming to stop
everything, but if we can stop a lot of attacks, then why wouldn't
you?" (Sorry about the previous thread Bill!)

This was the best point I've ever heard made about nIPS, but does it
*replace* nIDS as Gartner has stated? Absolutely not! That idea is
about as ridiculous as stating a DMZ is going to be more secure if you
change the name of it.

There's another point to be made along this vein... How is an IPS going
to block attacks that aren't attacks? I mean, totally valid traffic
that is only dangerous because of a policy misconfiguration? If you
refer to a poll done by zone-h (arguably the most active defacement
mirror on the net), most defacements (if you can rewrite data on a
server, I'd count that as a hack) are accomplished because of
misconfigurations. Think about that. That's somewhere around 300
attacks a day (average) that are reported to zone-h because of
misconfigurations. How many more do you think happen *every day* that
aren't reported?

In summary of point one:
 -Good security design follows the Protection ->
Detection -> Reaction paradigm. 

IP = Protection
ID = Detection
IP not= Reaction. 

Point two:
Richard made it himself which is why I can't believe he went on with
the paper. "... gateway firewalls will do 100 percent deep packet
inspection, enabling them to block application attacks."

An IPS, being in-line, does not have the indulgence of being able to
be highly sensitive to everything an IDS can. Since it is making the
decision to pass or not pass traffic, it has no room for misjudgment.
As such, that places severe limitations on its ability to find
things off-line analysis offers. In addition, analysis is limited to
what can be accomplished in fractions of a second. There is no
opportunity for *real* analysis and correlation.

To make an IDS into an IPS borders on a silly idea, but to go so far
as to say that IPS will replace IDS entirely is absolute ignorance.
And we haven't addressed the issues of politics, availability,
management, etc...
 
An IPS is not an extension of an IDS, it's an extension of a firewall.
And, that does NOT mean a firewall with an IDS on/next to it. The
discussion of making a firewall an IPS is kind of an entertaining one.
Most people think they have firewalls all figured out until you start
heading down the path of all the problems they have. It's funny how
the solution to all of a firewall's problems seems to mirror most
people's conception of what an IPS is...

A paper on that topic might be a good read. Greg Shipley recently
brought the point up in a Network Computing column
(http://www.nwc.com/1411/1411colshipley.html), and I'd love to see a
technical analysis of the points he and others have raised. If Gartner
decides to take on the task of writing this, I hope it's done in a
more responsible manner than this was.

That is what upsets me the most about incidents like this. Because of
the long history Gartner has with industry reporting, their documents
carry a lot of weight for many organizations. Although, this recent
track record of negligence is disturbing to say the least.

-gary


Gary Golomb
Senior Research Engineer
Dragon Intrusion Detection Group
Enterasys Networks
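The trade-off the post argues for (tuning down what counts as "suspicious" lowers false positives and, one-for-one, raises false negatives, which is why an in-line device cannot afford the sensitivity a passive sensor has) can be shown on a small constructed event set. This is an added illustration, not code from the post or from any IDS product; the events, scores and labels are made up for the example.

```python
"""Added example: false-positive / false-negative trade-off for a sensor that
flags everything scoring at or above a threshold. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    desc: str        # what the sensor saw (constructed sample)
    score: int       # suspicion score the sensor assigned, 0-100 (constructed)
    malicious: bool  # ground truth, known only after the fact


# Constructed traffic: legitimate-but-odd traffic interleaved with attacks.
EVENTS = [
    Event("GET /index.html", 5, False),
    Event("POST /upload.asp, 900 KB body", 45, False),         # big, legitimate
    Event("chunked POST to /x.asp, NUL bytes in body", 70, True),
    Event("new listener on TCP/1780 from a DMZ host", 55, True),  # shell on high port
    Event("GET /default.htm, odd User-Agent", 35, False),
    Event("malformed SSDP to 1900/udp", 60, True),
    Event("GET /page.asp%20, trailing space", 58, False),     # misconfigured app
]


def classify(events, threshold):
    """Return (true_positives, false_positives, false_negatives) when every
    event with score >= threshold is flagged."""
    tp = fp = fn = 0
    for e in events:
        flagged = e.score >= threshold
        if flagged and e.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif e.malicious:
            fn += 1
    return tp, fp, fn


def sweep(events, thresholds):
    """Map threshold -> (tp, fp, fn). Raising the threshold only moves events
    from flagged to unflagged, so fp can never rise and fn can never fall:
    the one-for-one relationship the post refers to."""
    return {t: classify(events, t) for t in thresholds}


def strictest_safe_threshold(events):
    """Lowest threshold at which an in-line device would block no legitimate
    traffic (fp == 0), together with the attacks it then lets through (fn).
    A passive IDS can sit far below this and let people triage the alerts."""
    for t in sorted({e.score for e in events}):
        tp, fp, fn = classify(events, t)
        if fp == 0:
            return t, fn
    worst = max(e.score for e in events) + 1     # nothing flagged at all
    return worst, sum(e.malicious for e in events)
```

At threshold 30 the passive sensor catches all three attacks at the cost of three alerts to triage; the in-line device must sit at 60 to avoid dropping legitimate traffic and then misses the high-port shell.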


