Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Barney Wolff <barney () databus com>
Date: Fri, 20 Feb 1998 14:18 EST
> Date: Fri, 20 Feb 1998 12:43:32 -0600 (CST)
> From: Aleph One <aleph1 () dfw net>
>
> The point is that an IDS may be able to detect the anomalous traffic but
> not the attack hidden by such traffic which makes their signature database
> quite useless.
I don't assert that an IDS cannot be fooled. I do assert, tentatively and without great confidence, that an IDS that alarms on *anything* that it does not recognize as safe, will not stay silent during an attack. It will, of course, alarm conditions that are not attacks, at some rate.
>> What's being missed here, imho, is that the great majority of attacks use
>> packets/streams that lie far outside the boundaries of legitimate use,
>> despite perhaps being legal IP or TCP.
>
> There are much more subtle attacks that fall within normal IP traffic. In
> particular the one described by Vern in his paper, using the IP time to
> live field, is very difficult to detect. The attacker may send the same
> packet twice, once with a TTL long enough for the victim to see it and
> another with the TTL long enough for the IDS to see it but short enough
> for the victim to not see it. Now the IDS has to try to figure out which
> packet it should use to recreate the stream. These types of packets can be
> seen normally on the network when a retransmit takes a different route
> with a different number of hops than the original packet.
Again, packets that expire within the destination organization's network are not all that common other than by deliberate use for traceroute-like work. Certainly not unknown, though. Does anybody have stats on how often TCP packets just barely make it to the destination? Of course, an IDS must get fairly close to the hosts it is meant to monitor, especially if internal attacks are part of the job description.
>> As with firewalls, it can be useful to think about IDS as "deny what I
>> don't recognize as permitted" rather than "permit what I don't recognize
>> as denied".
>
> The problem is the network IDS's can't "deny" anything. They are fully
> passive.
I debated whether to include the sentence "For an IDS, s/deny/alarm/g." but decided it was being too cute. Besides, all the action-spy flicks I watched as a tot had alarms going off followed by the massive doors relentlessly closing, with the hero just slipping through. Those were IDS's that did cause a blocking response.

Barney Wolff <barney () databus com>
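The TTL ambiguity Aleph One describes, and Barney's observation that packets which expire inside the destination network are rare outside traceroute-style use, as an added example that is not part of the original thread: a Python sketch of a sensor-side reassembler that knows how many routers lie between the sensor and each protected host (assumed to be measured out of band, for instance by the sensor tracerouting its own hosts) and refuses to let a segment the host will never see shape the reconstructed stream, alarming on it instead. A naive first-copy-wins reassembler is shown beside it for contrast. The host address, hop count and captured segments are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, reduced to the fields the check needs."""
    dst: str        # destination host the sensor is protecting
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the sensor's tap point
    payload: bytes


def reaches_host(ttl: int, routers_ahead: int) -> bool:
    """Every router ahead of the sensor decrements TTL and drops the packet
    when it reaches zero, so the host only sees it if ttl > routers_ahead."""
    return ttl > routers_ahead


@dataclass
class TtlAwareReassembler:
    # Routers between the sensor and each monitored host. Assumed to be
    # measured out of band; hosts missing from the map have unknown distance.
    routers_to_host: Dict[str, int]
    segments: Dict[int, bytes] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        """Return True if the segment is used in the reconstructed stream."""
        routers = self.routers_to_host.get(seg.dst)
        if routers is None:
            # Cannot verify: keep the data but say the stream is unverified.
            self.alerts.append(
                f"{seg.dst}: unknown hop distance, seq={seg.seq} accepted unverified")
        elif not reaches_host(seg.ttl, routers):
            # The host will never see this segment, so it must not shape the
            # stream the sensor reconstructs. Packets expiring this close to
            # the host are rare outside traceroute-style use, hence the alarm.
            self.alerts.append(
                f"{seg.dst}: seq={seg.seq} ttl={seg.ttl} expires before host "
                f"({routers} routers away); ignored")
            return False
        previous = self.segments.get(seg.seq)
        if previous is None:
            self.segments[seg.seq] = seg.payload
            return True
        if previous == seg.payload:
            # Ordinary retransmission; a different TTL is expected when the
            # retransmit took another route with a different hop count.
            return True
        # Two segments the host could both see, carrying different bytes:
        # the stream is genuinely ambiguous and the sensor says so.
        self.alerts.append(f"{seg.dst}: conflicting data at seq={seg.seq}")
        return False

    def stream(self) -> bytes:
        return b"".join(self.segments[s] for s in sorted(self.segments))


def naive_first_wins(segs: List[Segment]) -> bytes:
    """Reassembler with no TTL knowledge: first copy of each sequence wins."""
    seen: Dict[int, bytes] = {}
    for seg in segs:
        seen.setdefault(seg.seq, seg.payload)
    return b"".join(seen[s] for s in sorted(seen))


# Constructed sample capture (not real traffic): host 10.0.0.5 sits three
# routers beyond the sensor. The segment at seq 1007 appears twice with
# different bytes; only the second copy has enough TTL to reach the host.
SAMPLE = [
    Segment("10.0.0.5", 1000, 64, b"GET /in"),
    Segment("10.0.0.5", 1007, 3, b"foo.html"),   # dies at the third router
    Segment("10.0.0.5", 1007, 64, b"dex.html"),
    Segment("10.0.0.5", 1007, 60, b"dex.html"),  # retransmit via another route
    Segment("10.0.0.5", 1015, 64, b" HTTP/1.0"),
]


def demo() -> tuple:
    """Run both reassemblers over SAMPLE; returns (naive, aware, decisions, alerts)."""
    r = TtlAwareReassembler(routers_to_host={"10.0.0.5": 3})
    decisions = [r.accept(s) for s in SAMPLE]
    return naive_first_wins(SAMPLE), r.stream(), decisions, r.alerts


if __name__ == "__main__":
    naive, aware, decisions, alerts = demo()
    print("naive :", naive)
    print("aware :", aware)
    for a in alerts:
        print("alert :", a)
```

The naive view of the sample reads `GET /infoo.html HTTP/1.0` while the TTL-aware one reads `GET /index.html HTTP/1.0`, which is the request the host actually received; the short-TTL copy produces exactly one alarm, and the legitimate retransmit with a different TTL produces none, matching Aleph's point that such retransmits are normal. The check only works if the sensor's hop distance to each host is accurate and stable, which is one reason a sensor has to sit close to the hosts it monitors.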