Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: "Paul M. Cardon" <pmarc () cmg fcnbd com>
Date: Mon, 16 Feb 98 09:31:25 -0600

tqbf () secnet com thus spake unto me:
> If you know the number of hops to every destination on the network, the
> MTU of each of those hops, the OS running on each of the machines on your
> network, and the exact network configuration of each, AND if you can
> reliably see every packet on the wire, you can (I currently believe)
> accurately reconstruct network traffic and detect intrusions in it.
>
> You do not need to be a proxy to have this information. Being a proxy
> allows you to do network intrusion detection WITHOUT this information. The
> problem you need to solve at this point is "how the hell do we get this
> kind of information to the IDS in real time, in order to make my non-proxy
> sniffer IDS work."

One of the major reasons why passive-listening ID systems have been getting  
so much hype is that they are being advertised as a way to detect attacks  
that may originate inside the network perimeter protected by the conventional  
firewall.  In other words the claim is that they provide threat detection  
originating from any device on the network targeting any other device on the  
network.  However, until these systems can obtain all of the secondary  
information Thomas mentions above then they are severely limited in their  
advertised capabilities.

While a proxy CAN obtain much of that information, we are left providing  
protection only at the network perimeter so any internal attacks can once  
again be carried out undetected.

Uggh.  This is looking to be a familiar scenario: networks with a hard,  
crunchy shell at the network perimeter and a soft, chewy middle where the  
INTERNAL threat protection provided to internal hosts is inadequate.

Does this mean that ID needs to be done at the host level or in other words  
at every connection end-point?  What other possibilities do we have?  I think  
we've seen similar questions before.  The problems with that approach are  
one of the reasons why we have firewalls in the first place.

I think it may be useful to summarize all the different network  
placement/approaches for network intrusion detection, list the advantages and  
problems with each, and perhaps we'll see some useful combination of  
approaches that can provide a more complete range of protection.  At the very  
least we will see some other problems that we have missed if we look at the  
entire network and not just the firewall boundary.  I know Thomas is  
considering the entire network in his research but after all this is  
firewall-wizards and the discussion naturally tends solely in that direction.

---
Paul M. Cardon
First Chicago NBD Corporation

On the whole, we are hostile to puns.    - Wolcott Gibbs

Sisyphus and loving it.

MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e
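The condition Thomas states (hop counts, MTUs and the OS of every host) is what separates a passive sniffer from the endpoint whose behaviour it is guessing at. What follows is an added example, not code from the original post or from anyone on the list: a small Python simulation of a TTL-based insertion attack, in which the attacker sends chaff segments whose TTL expires between the sniffer and the target host. The sniffer that has no hop count accepts the chaff and reassembles a stream the host never sees; the sniffer fed the correct hop count discards it; the sniffer fed a stale hop count is fooled just as badly as the naive one; the host itself (and a proxy that terminates the connection) is never confused. The model (one-byte segments, first-byte-wins reassembly, routers discarding at TTL 0) and the names `Segment`, `host_view`, `naive_ids_view`, `topology_aware_ids_view`, `insertion_attack` and `demo` are assumptions of this example.

```python
"""Insertion attack against a passive sniffer IDS, simulated.

Model (constructed for this example, not from the original post):
  * the sender is IDS_HOPS routers away from the sniffer and HOST_HOPS
    routers away from the end host;
  * every router decrements the IP TTL and discards the packet when it
    reaches 0, so a packet sent with TTL t survives h routers only if t > h;
  * each segment carries bytes of a stream at offset `seq`, and a receiver
    keeps the first byte it saw for an offset (later overlaps are ignored).
"""
from dataclasses import dataclass

SIGNATURE = b"ATTACK"   # constructed pattern the IDS is configured to match


@dataclass(frozen=True)
class Segment:
    seq: int      # stream offset of the payload
    data: bytes   # payload bytes
    ttl: int      # IP TTL as emitted by the sender


def arrives(seg, hops):
    """True if a segment sent with seg.ttl survives `hops` TTL decrements."""
    return seg.ttl > hops


def reassemble(segments):
    """Rebuild the contiguous stream; the first byte seen for an offset wins."""
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            stream.setdefault(s.seq + i, b)
    out = bytearray()
    offset = 0
    while offset in stream:          # stop at the first gap
        out.append(stream[offset])
        offset += 1
    return bytes(out)


def host_view(wire, hops_to_host):
    """What the end host (or a proxy terminating the connection) reconstructs."""
    return reassemble(s for s in wire if arrives(s, hops_to_host))


def naive_ids_view(wire, ids_hops):
    """Sniffer with no topology knowledge: trusts every packet it can see."""
    return reassemble(s for s in wire if arrives(s, ids_hops))


def topology_aware_ids_view(wire, ids_hops, believed_hops_to_host):
    """Sniffer that discards packets whose TTL cannot reach the host, using
    the hop count it *believes* is correct."""
    return reassemble(
        s for s in wire
        if arrives(s, ids_hops) and arrives(s, believed_hops_to_host)
    )


def insertion_attack(payload, chaff_ttl, real_ttl=64):
    """Constructed attacker stream: before each real byte, send a chaff byte
    at the same offset with a TTL chosen to die between the IDS and the host."""
    wire = []
    for offset, byte in enumerate(payload):
        wire.append(Segment(offset, b"X", chaff_ttl))
        wire.append(Segment(offset, bytes([byte]), real_ttl))
    return wire


def detected(view):
    return SIGNATURE in view


def demo(ids_hops=2, host_hops=5):
    """Run the attack past three observers and report who sees the signature."""
    # Chaff TTL must exceed ids_hops (so the sniffer sees it) but not host_hops.
    wire = insertion_attack(SIGNATURE, chaff_ttl=ids_hops + 1)
    # Second run: the sniffer holds a stale hop count (host believed closer
    # than it is) and the attacker has tuned the chaff TTL to that gap.
    stale_wire = insertion_attack(SIGNATURE, chaff_ttl=host_hops - 1)
    return {
        "host": detected(host_view(wire, host_hops)),
        "naive_ids": detected(naive_ids_view(wire, ids_hops)),
        "aware_ids_correct_hops": detected(
            topology_aware_ids_view(wire, ids_hops, host_hops)),
        "aware_ids_wrong_hops": detected(
            topology_aware_ids_view(stale_wire, ids_hops, host_hops - 2)),
    }


if __name__ == "__main__":
    for observer, seen in demo().items():
        print(f"{observer:>24}: {'signature seen' if seen else 'MISSED'}")
```

The same shape of argument applies to the MTU item in Thomas's list: a segment larger than the MTU of a downstream link, sent with the don't-fragment bit set, is discarded before it reaches the host, yet a sniffer upstream of that link accepts it unless it knows the path MTU. A proxy sidesteps both problems because it is the endpoint, which is exactly why it only helps at the perimeter where the proxy sits.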


