RE: Intrusion Detection

[Gary Crumrine <gcrum () us-state gov>]

Well thank you Mr. Ranum, another world according to Marcus speech.  I am 
trying to figure out where you are coming from on this one Marcus.  I have 
to agree with Adam, that even if I only can catch a percentage of intuder 
attempts using one of these IDS systems, then I have raised awareness, and 
my security posture.  They may be clueless twits, but they can still bungle 
into gaining some access, and could damage my ability to conduct business. 
 Of course If my firewall is doing the right things, I wouldn't need an NFR 
right?  But since you have so eloquently attacked in past commentary, the 
very same firewall industry that you more than anyone else in this business 
helped to create and dismissed it as irrelevant, I can't help but wonder 
where you are going with this.  Let's see, NFR doesn't do IDS per se, so it 
must be meaningless...hmm, now that must be some sort of thought process. 

No Marcus, I am one of your biggest fans, after all, your thought process 
has lead to my being able to feed my family, two cats and a dog, but I have 
to say you are off base here.  Sure IDS is not the end all answer, it is an 
industry that is still in it's infancy.  But to arbitrarily dismiss it does 
not make sense.  The same can be said of forensic tools such as your new 
pet project.  If you never get hacked, because your firewall was strong, or 
your IDS detected and alarmed teh administrator so they could head it off 
before any real damage was done, then I don't need an NFR now do I ?  And 
if I am not willing to prosecute, or take proper corrective action against 
bumbling insiders, then why record it in the first place?

The bottom line here is that there are a lot of tools out there, that are 
used by professionals to provide them with information they percieve as 
being important to them, or their management.  Use them if you want to, 
heck build your own and sell it if you need to, after all, that is what you 
have been doing as you worked your way through TIS, V-ONE and now NFR.  But 
to attack other's products is not worthy of your reputation. 
 Unfortunately, IDS systems seem to be the hot ticket these days.  Forensic 
tools are not, and will not be in my opinion until the legal system has had 
more time to establish legal precidence.  Business owners looking for tools 
these days are going to ask one very important question.  What value is 
added with an IDS versus NFR.  I can clearly demonstrate what an IDS gives 
me, teh NFR concept is not so clear.

-----Original Message-----
From:   Marcus J. Ranum [SMTP:mjr () nfr net]
Sent:   Tuesday, April 14, 1998 1:04 PM
To:     firewall-wizards () nfr net
Subject:        Re: Intrusion Detection

Adam Shostack writes:
>       I believe intrusion detection to be a misnomer, and that the
> really useful class of software is attack detection.  Attacks (land,
> teardrop, phf, password file sucking) are relatively easy to detect
> with network sniffing software.

Adam,

        To me the big open question in ID is "why?" not "what?"

        If you have a network you believe to be vulnerable to the attacks
listed above - FIX THEM. If you've fixed them, then why do you care if
someone uses them against you? Are you actually going to backtrack and
try to prosecute? Good luck!

        Back when I was a firewall vendor (yes, none of this stuff is new!)
I built a firewall that alerted the system manager whenever certain
classes of weirdness occurred. That was always Very Cool and it was the
first thing they turned off after it began pestering them constantly.
As the vendor, I wished I'd never put it in because I kept getting
calls that went something like:
C: "Hi - my firewall is saying it's getting spoofed packets! Help!"
V: "What am I supposed to do about it?"
C: "Well, can you make it stop? Can I call the police?"
V: "No, and No. It's just informational, really."
C: "Does this indicate that someone's likely to break through the 
firewall?"
V: "No, it indicates that we thought ahead, blocked that avenue of attack,
        and it doesn't represent a problem at all. I guess you now know that
        your firewall works, or something."
C: "Uh, uh, uh..."

        The whole problem with ID (*ESPECIALLY* what Adam calls "attack
detection") is that it detects something basically useless. So you're
under attack. Big deal. Your defenses can either handle it, or they
can't. If they can, then relax, have a homebrew, and don't get pestered
about land, teardrop, etc. If they can't, you'll know right away anyhow
when your system slags.

        There are really only 2 good reasons I can think of for ID systems:
1) To develop a threat level model as to how often you are attacked
2) To detect clueless people inside your organization who are attacking
        outside sites

        The first one is kind of silly but I suppose it makes people
happy to know that they were SATAN scanned 2,102 times last year and
that their firewall blocked 1292 clueless twinks who tried using the
"same old stuff" as the previous 1291 clueless twinks. The second one
is valuable if you actually are going to do something about clueless
twinks inside your network. I suspect this must put university
network managers in a real quandary.

        In short, my views are exactly, precisely 180 degrees the
opposite of Adam's. I don't have TIME to be notified about the
clueless twinks. What I want is fallback defenses that will detect
when my first line has failed. This is what I am calling "policy
based intrusion detection" and I'll probably wind up explaining
it here in a white paper or long posting some night. :) It's the
"SOMETHING HAS GONE TERRIBLY WRONG. WARNING WILL ROBINSON!"
mechanism. I care a lot about that, and the "why?" for such a
system is obvious. The second part is, of course, what NFRs are
for. Once you've found that something's happened, then how do you
figure out what it was?

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr