Firewall Wizards mailing list archives
RE: how to do intrusion detection right
From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 20 Apr 1998 06:38:11 -0400
I think one thing not mentioned directly concerning the worth of IDS as a whole, is that like an NFR, or a firewall, or tools like Net Sonar, Ballista, or whatever, they are just that. Tools. As a system administrator, or if you are lucky to be able to find and afford one, a security specialist, we all use TOOLS to make our jobs easier, and more efficient. If I employ an IDS to catch some of the soft net noise hackers, then it has saved me time and made me more efficient. Sure, I could sit and write my own scripts to do the same thing. Heck, I bet I could even learn to make a nice little GUI for it too. If I had the time that is, and my employer was willing to accept lower productivity because I was writing code, instead of performing my daily tasks. Unfortunately, few of us can have that luxury. IDS systems, even with their flaws and vulnerabilities, still have a place right alongside the firewalls, routers, and virus-checker tools we use today in order to keep the electronic monster on a leash. Think about it, I used to think those electronic pets were stupid gimmicks, then I sat down with my firewall this morning and looked back at all the care and feeding it requires. Who's the fool?

-----Original Message-----
From: Sheila Or Bob (depends on who is writing) [SMTP:shsrms () erols com]
Sent: Saturday, April 18, 1998 9:29 AM
To: Nicholas Charles Brawn
Cc: firewall-wizards () nfr net
Subject: Re: how to do intrusion detection right

Nicholas Charles Brawn wrote:
Would you then not run the risk of attackers masking hostile traffic by making it appear to look "expected"?
Nicholas Brawn
Exactly! The gabriel and other scan detectors are easily defeated by a patient low level attack - spread things over a time period that is beyond their threshold, do things aperiodically. Sometimes humans can discern something is out of the ordinary. Sometimes they can't. In the event of establishing a profile of the net "what is normal traffic" with a new IDS, they can be confused with what I call white noise. So that things look like they are expected!
bob
-- Email: ncb05 () uow edu au Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
On Thu, 16 Apr 1998, George J. Dolicker wrote:

I think perhaps what the intrusion detection system might do is not look for something "interesting", but rather something "different". Rather than trying to define what is a problem, define what is NOT a problem... so configure the IDS to smile upon traffic that is expected, and panic over anything else. Same principle we use in firewalling: that which is not explicitly permitted is denied. G.

At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:

When the administrator can tailor the IDS to unacceptable/interesting stuff on the net, what he does is transfer his own mindset about security to the IDS. I then have a machine that "thinks" like me, which thus alerts me about facts that I am already aware of - a useful thing that may save some work, but will not help me notice next week's bug being exploited. I may be stupid, but what is "interesting" is something I do not know before an intrusion attempt. Tomorrow's attack may use some technique that is "obviously" safe today, thus bypassing my (human or computer) filtering layer. Using a sufficiently "new" technique, my firewall will probably not notice that it has been broached. What _can_ help me is having a complete log of everything that has been going through the network, which I can then analyze to understand what has happened. An intrusion analysis system, if you will - which so far includes a large human component. -Martin
-- real address is shsrms at erols dot com The Herbal Gypsy and the Tinker.
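Two ideas in the thread above lend themselves to a small worked example: George Dolicker's "define what is NOT a problem" (a default-deny profile of expected traffic) and bob's observation that a scan detector with a fixed time threshold is defeated by probes spread out beyond it, which is where Martin Freiss's "complete log you can analyze later" comes in. The Python below is an added illustration written for this archive page, not code from any poster or from NFR or gabriel; the log records, addresses and the 60-second versus 600-second windows are constructed for the demonstration.

```python
"""Toy anomaly detector (added example, not from the thread).

Part 1: a baseline of (dst, port) pairs that are known to be expected;
everything else is reported (default deny, as in firewalling).
Part 2: a distinct-port scan detector, run with a short window (misses
the patient probe) and with a long window over the retained log (catches
it). All records below are constructed."""
from collections import defaultdict

# Constructed "known-good" sample an admin might keep from normal traffic:
# (src, dst, dport)
BASELINE_SAMPLE = [
    ("10.0.0.5", "10.0.1.10", 80),
    ("10.0.0.5", "10.0.1.10", 443),
    ("10.0.0.7", "10.0.1.20", 25),
    ("10.0.0.7", "10.0.1.30", 53),
]

# Constructed event log: (seconds, src, dst, dport).
# 192.0.2.9 touches one new port on 10.0.1.10 roughly every 120 seconds.
EVENTS = [
    (0,   "10.0.0.5",  "10.0.1.10", 80),
    (5,   "10.0.0.7",  "10.0.1.30", 53),
    (10,  "192.0.2.9", "10.0.1.10", 21),
    (130, "192.0.2.9", "10.0.1.10", 22),
    (250, "192.0.2.9", "10.0.1.10", 23),
    (370, "192.0.2.9", "10.0.1.10", 25),
    (380, "10.0.0.5",  "10.0.1.10", 443),
]


def build_baseline(sample):
    """Profile of expected traffic: the set of (dst, dport) pairs seen."""
    return {(dst, port) for _src, dst, port in sample}


def unexpected(events, baseline):
    """Default-deny view: report every event whose (dst, dport) is not in
    the profile. Nothing is 'interesting' here, only 'different'."""
    return [e for e in events if (e[2], e[3]) not in baseline]


def distinct_ports_in_window(events, window, threshold):
    """Classic scan detector: flag a source that hits at least `threshold`
    distinct ports on one destination within any `window` seconds.
    Returns the set of flagged source addresses."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _port) in enumerate(hits):
            # Ports seen in the window that starts at this hit.
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLE)
    for ev in unexpected(EVENTS, baseline):
        print("not in profile:", ev)
    print("60 s window :", distinct_ports_in_window(EVENTS, 60, 3))
    print("600 s window:", distinct_ports_in_window(EVENTS, 600, 3))
```

The profile check reports all four probe events immediately because nothing about 10.0.1.10 ports 21, 22, 23 or 25 is in the baseline; the threshold detector with a 60-second window sees at most one port per window and stays silent, while the same detector run over the retained log with a 600-second window flags the source. The caveat bob raises applies to the first part too: if the baseline sample is collected while the "white noise" is already present, those pairs become expected.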
Current thread:
- how to do intrusion detection right Marcus J. Ranum (Apr 14)
- When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 15)
- Re: how to do intrusion detection right Paul D. Robertson (Apr 15)
- Re: how to do intrusion detection right Marcus J. Ranum (Apr 15)
- Re: how to do intrusion detection right Paul D. Robertson (Apr 15)
- Re: how to do intrusion detection right Martin W Freiss (Apr 16)
- Re: how to do intrusion detection right George J. Dolicker (Apr 17)
- Re: how to do intrusion detection right Nicholas Charles Brawn (Apr 18)
- Re: how to do intrusion detection right Sheila Or Bob (depends on who is writing) (Apr 18)
- Re: how to do intrusion detection right Marcus J. Ranum (Apr 15)
- <Possible follow-ups>
- RE: how to do intrusion detection right Gary Crumrine (Apr 20)