Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: "Paul M. Cardon" <pmarc () cmg fcnbd com>
Date: Wed, 18 Feb 98 22:56:15 -0600

tqbf () secnet com thus spake unto me:
> Your only real option is to attempt to duplicate the TCP/IP driver bugs of every 
> system you could ever want to monitor.

This is a critical point and one that I think Kurt and some other representatives from passive IDS vendors are missing. It sounds to me like Kurt was saying, "Gee, all these things in your paper that got past the tested systems look like bugs or cases where we just have to assume multiple behaviors at the end point. We understand these and we can make our product look for all of them."

I don't think they understand that there are many more known and as yet undiscovered differing behaviors than the ones listed in the paper. (Oh, that's right, the frequent product updates will help the customer feel like the product is continuing to add value.) It isn't enough to expect all possible behaviors individually but also all possible *combinations* of these multiple behaviors must be anticipated in each packet or packet stream before the system can even begin to perform pattern matching on the contents.

As a result:

* The analysis engine becomes extremely complex which makes it more difficult to maintain the analysis engine code and makes the system more prone to implementation flaws. (I wouldn't want to be responsible for debugging it. I like challenges, but brute force approaches aren't very stimulating otherwise. The effort could be much better spent on researching other aspects of ID and provide better returns.)
* The IDS will require significantly greater system resources to keep up with the same amount of traffic making the system much more expensive to deploy.
* Increased resource utilization by the IDS will simply make DoS attacks easier.

> This is, to say the least, a difficult task. We don't believe that it is
> computationally feasible in a real-time passive ID system. 

Is this problem exponential with each added difference in stack implementation? Perhaps not that bad but not much better either (not easily verifiable one way or the other). It certainly doesn't look feasible to keep up in real time without increasing system resources to the point where these systems are no longer relatively inexpensive to deploy. Yet another obstacle to meeting the oft-advertised passive IDS capability of relatively inexpensive threat detection between any pair of internal network nodes.

All these systems will be good for is tripping up the script-kiddies. I'm not saying there's no value in that, but customers are led to believe they are paying for much more.
I have one word for that kind of vendor behavior: irresponsible.

---
Paul M. Cardon

On the whole, we are hostile to puns.    - Wolcott Gibbs

Sisyphus and loving it.

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
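An added illustration of the combinatorial point raised in the message above (constructed for this archive page; it is not code from the original post or from the paper being discussed): a toy TCP reassembler with two deliberately simplified overlap policies, keep-first and keep-last, used to enumerate every byte stream a passive monitor would have to consider when each ambiguous region of a constructed segment stream may be resolved either way. The segment data, function names and the two-policy model are assumptions; real stacks have more varied and subtler rules, which is the author's point.

```python
from itertools import product
# Constructed sample, listed in arrival order: (sequence offset, payload).
# Offsets 5..12 and offset 23 are each covered by two segments with different bytes.
SEGMENTS = [
    (0, b"GET /"),
    (5, b"cgi-bin/"),
    (5, b"index.ht"),      # overlaps the previous segment with different data
    (13, b"ml HTTP/1."),
    (23, b"0\r\n"),
    (23, b"1\r\n"),        # one more overlap, differing only at offset 23
]

def ambiguous_regions(segments):
    """Contiguous runs of offsets where two segments disagree on the byte."""
    seen, amb = {}, set()
    for off, data in segments:
        for i, b in enumerate(data):
            pos = off + i
            if pos in seen and seen[pos] != b:
                amb.add(pos)
            seen.setdefault(pos, b)
    regions, run = [], []
    for pos in sorted(amb):
        if run and pos != run[-1] + 1:
            regions.append(run)
            run = []
        run.append(pos)
    if run:
        regions.append(run)
    return regions

def reassemble(segments, prefer_first_at):
    """prefer_first_at(pos) -> True keeps the first-arriving byte at a conflict."""
    stream = {}
    for off, data in segments:
        for i, b in enumerate(data):
            pos = off + i
            if pos not in stream or (stream[pos] != b and not prefer_first_at(pos)):
                stream[pos] = b
    return bytes(stream[p] for p in sorted(stream))

def candidate_streams(segments):
    """All reconstructions if each ambiguous region resolves either way: up to 2**k."""
    regions = ambiguous_regions(segments)
    region_of = {pos: k for k, run in enumerate(regions) for pos in run}
    out = set()
    for choice in product((True, False), repeat=len(regions)):
        out.add(reassemble(segments, lambda p: choice[region_of[p]]))
    return out
```

A monitor that commits to one policy sees exactly one of the candidates; whether that matches what the end host accepted depends on the host's stack, which is why target-aware reassembly or upstream normalization, not a longer list of per-bug checks, is the defensible design.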
