Firewall Wizards mailing list archives

RE: Automated IDS response


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 15 Feb 2000 13:57:42 -0800 (PST)

--- "Marcus J. Ranum" <mjr () nfr net> wrote:
> ...but nobody
> expects that it'll somehow act like William Gibson-esque "ICE"
> and automatically "heal" a broken network or backtrack and destroy
> the bad guys.

Hhhm. The other day a customer of ours installed BlackICE Defender on their
home machine. Even before the installation process had completed, it detected
that the machine was being controlled by a remote access Trojan, blocked
further access by the perpetrator, and discovered that the perp's login name
was the same as a former coworker.

Of course, the above example really is flash: though it can work this way
sometimes, it is rarely this effective. Most of the time BlackICE Defender sits
quietly in the background logging the occasional scan.

On the other hand, I'm a little disturbed by the lack of "out-of-box" thinking.
This whole conversation started with everyone using their own policy manual as
a guide as to the feasibility of whether IDSs should reconfigure firewalls.
However, everyone has a different policy guide: what might be appropriate for
some is not appropriate for another.

For example, let's say that you have an external website which only serves
static pages and has no access to sensitive information. Also, let's say that it
is mission critical. Now let's say that you've got conclusive evidence that the
machine has been hacked. What do you do? Probably leave it running and try to
solve the problems while the server is in production.

Conversely, let's say that you suspect (but without much evidence) that one of
your users' machines behind the firewall has been hacked. What do you do? Pull
the plug and ask questions later.

I mean, with a firewall you've already pre-DoSed your users: you deny them full
access to the Internet. How many users can get IRC, ICQ, or even RealAudio
through the firewall? How many of your users are complaining they can't
traceroute through your firewall? You've already denied them that service. It
is interesting to note that the people crying "No auto-configure" are probably
already using auto-configuration in order to get applications like FTP and
RealAudio to work through the static filters. 

Right now, BlackICE Defender does both types of auto-configuration: it allows
applications like FTP and RealAudio to work despite the static firewall rules.
It also shuts out traffic that is conclusively bad (BackOrifice responses
transmitted from your machine are virtually impossible to spoof or to trigger a
false positive).

At the same time, BlackICE Sentry (your traditional network IDS that runs like
NFR or RealSecure) does NOT have the ability to reconfigure firewalls. Even
though we think such policies are good for end-nodes, we agree that few
customers should be doing that with their main firewall.

Robert Graham
CTO/Network ICE
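The post describes two kinds of IDS-driven firewall "auto-configuration" on an end node: relaxing static rules for a related connection an application negotiated (FTP, RealAudio), and blocking a source only when the detection is conclusive. The following toy policy engine, added here as an illustration and not code from the thread or from Network ICE, models both, with the block threshold left as the per-site policy knob the post argues everyone sets differently. All addresses, ports, signature names and confidence values are constructed for the example.

```python
"""
Toy host-level policy engine (added example, not BlackICE code).

Two behaviours from the post:
  1. Dynamic allow: a one-shot pinhole through a default-deny rule set
     for a data connection that a watched control channel negotiated
     (the FTP active-mode case).
  2. Dynamic block: a source is blocked only when a detection's
     confidence clears the site's threshold; weaker evidence is logged
     and leaves the rule set untouched.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyEngine:
    # Per-site policy: confidence at which a detection may change rules.
    # A mission-critical static web server that must stay up would set
    # this above 1.0 (never auto-block); a user desktop sets it low.
    block_threshold: float = 0.95
    static_allow: set = field(default_factory=set)    # {(proto, dst_port)}
    dynamic_allow: set = field(default_factory=set)   # {(src_ip, proto, dst_port)}
    blocked: set = field(default_factory=set)         # {src_ip}
    log: list = field(default_factory=list)

    def expect_related(self, src_ip, proto, dst_port):
        """Open a one-shot pinhole for a data connection the control channel negotiated."""
        self.dynamic_allow.add((src_ip, proto, dst_port))
        self.log.append(f"PINHOLE {src_ip} {proto}/{dst_port}")

    def handle_detection(self, src_ip, signature, confidence):
        """Block conclusive detections; log everything else without changing rules."""
        if confidence >= self.block_threshold:
            self.blocked.add(src_ip)
            self.log.append(f"BLOCK {src_ip} {signature} conf={confidence}")
            return "block"
        self.log.append(f"ALERT {src_ip} {signature} conf={confidence}")
        return "log"

    def permits(self, src_ip, proto, dst_port):
        """Decide one inbound connection: blocks beat pinholes beat static rules."""
        if src_ip in self.blocked:
            return False
        key = (src_ip, proto, dst_port)
        if key in self.dynamic_allow:
            self.dynamic_allow.discard(key)   # pinhole is consumed on first use
            return True
        return (proto, dst_port) in self.static_allow


def run_demo():
    """Walk a desktop-class policy through the post's two cases (constructed data)."""
    eng = PolicyEngine(static_allow={("tcp", 80)})
    r = {}
    # Constructed FTP server 203.0.113.5 negotiated an active-mode data
    # connection back to our port 40001 over the control channel.
    r["ftp_before"] = eng.permits("203.0.113.5", "tcp", 40001)
    eng.expect_related("203.0.113.5", "tcp", 40001)
    r["ftp_after"] = eng.permits("203.0.113.5", "tcp", 40001)
    r["ftp_reuse"] = eng.permits("203.0.113.5", "tcp", 40001)   # pinhole already spent
    # Weak evidence (a scan) is logged; the source keeps its static access.
    r["scan"] = eng.handle_detection("198.51.100.7", "port-scan", 0.4)
    r["scan_still_http"] = eng.permits("198.51.100.7", "tcp", 80)
    # Conclusive evidence (constructed "trojan-response" signature) blocks the source.
    r["trojan"] = eng.handle_detection("198.51.100.9", "trojan-response", 0.99)
    r["trojan_http"] = eng.permits("198.51.100.9", "tcp", 80)
    return r, list(eng.log)


if __name__ == "__main__":
    results, log = run_demo()
    for k, v in results.items():
        print(f"{k:18} {v}")
    print("\n".join(log))
```

The one-shot pinhole and the threshold are the two places the post's policy argument lands in code: the pinhole is the "auto-configuration" people already run for FTP without calling it that, and raising `block_threshold` above 1.0 reproduces the external-web-server case where the right answer is to keep serving and investigate, while a low threshold reproduces the "pull the plug" answer for an internal desktop.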