Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: Adam Shostack <adam () homeport org>
Date: Tue, 17 Feb 1998 08:15:09 -0500 (EST)

tqbf () secnet com wrote:
| > One of the major reasons why passive-listening ID systems have been getting  
| > so much hype is that they are being advertised as a way to detect attacks  
| > that may originate inside the network perimeter protected by the conventional  
| > firewall.  In other words the claim is that they provide threat detection  

| Something worth remembering is that our results take a major bite out of
| the claim that ID systems are useful against a skilled internal attacker.
| Someone in your organization that wants to attack you without being
| detected by an IDS will just forge two-way traffic and confuse the IDS
| completely. This is the area where I see passive network IDS as being the
| least useful.

        I think there is a place in stopping unskilled internal
attackers.  Some situations I've helped clean up involved an employee
searching the various engines for 'hacker tools,' downloading a bunch,
and using them.  Given the damage that was caused there, I think there
is value to detecting these things internally.  As the tools are
written to make the attacks you described easy*, then the IDS vendors
must cope or die.  A harder task than the firewall vendors have
really, but then IDS was going to lose an awful lot when IPsec gets
deployed...

        There are folks here who can break into most any network out
there, given sufficient motivation.  There are not that many of them.
Blocking them is an excellent goal, because you're being proactive
about security, and blocking threats before your boss reads about them
in Network Week.  But blocking the teeming masses of script kiddies
and internal disgruntled employees is a worthwhile goal as well.

* By easy, I mean a libstealth which replaces various socket calls
before they reach libc for easy combination with other exploits.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume