Firewall Wizards mailing list archives

RE: IDS (was: FW appliance comparison)


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 24 Jan 2006 11:38:52 +0700

Hi Paul, Devdas!

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
Of Paul D. Robertson
[...]
[Devdas]
Things change. IDS help detect unexpected changes.
[...]
For instance, seeing traffic destined to port 25 from an
unexpected host is a good event to trigger IDS events.
Even when your firewall blocks this traffic, the log
analysis of firewall logs and DHCP logs should
catch potential malicious traffic and possible further
investigation.

This sounds sensible to me. Same for any protocol that detects as TFTP, IRC
from unauthorised hosts etc etc.

[Paul]
If you mean "unexpected internal host" then again, I'll say that there's
likely been a larger policy or implementation failure.  It doesn't take
on-the-wire sniffing to see something new trying to relay through the
relay host on my network.

What's your preferred method for noticing this stuff? (I'm certainly not
being sarcastic here)
If an internal host is trying to reach port 25 on an external host (or even
a non-mailserver on the inside) then how do you suggest that should be
detected? The firewall deny logs will catch the outbound traffic, but now
we're talking log analysis tools or SIM products to pull the data. What
about the internal traffic from trusted host -> trusted host?

[...]
Done right, a good firewall and IDS combination
should not need to be updated very often.

That's certainly a different line than most IDS vendors or
IDS proponents use.  Normally I see "the new IDS signature
can detect that!" bandied about.

Yeah, it probably _is_ a different line, but it doesn't mean it's not a
sensible one. I saw a cool thing once, with a guy using MRTG as his 'IDS'.
He monitored the network but didn't have control over the servers (academics
did *shudder*). Every time one of the servers would be owned, the outbound
traffic would spike, because people used them to serve warez. So, any time
he saw an MRTG spike he'd go check out the server, work out why it got owned
and tell people to fix it up. Dumb security? Hell yeah, the owners should
have just kept the things hardened, but it's still a great illustration of
the principle. Even with no attack signatures at all, couldn't an IDS still
be useful? Perhaps even more useful, since it would cut down the noise...

I think there are actually products out there that do this using connection
tuples to construct some sort of graph and using some wacky fuzzy isomorphic
analysis, but they probably don't call themselves IDS.

I think I'm with Devdas - personally, the only time I'd deploy an IDS is
with all the attack signatures turned off and rules set up to flag
unexpected source / dest connections. All the rest seems to be a product of
the human quest for useless knowledge.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
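The two signature-free checks discussed in this message (flagging port 25, TFTP or IRC connections from hosts that aren't supposed to make them, and treating an outbound traffic spike the MRTG way as a "something got owned" indicator) as an added worked example. This is not code from the thread or from any product; the firewall log format, the host addresses, the allowed-source lists and the byte counters are all constructed for the example.

```python
"""Signature-free IDS checks over constructed firewall log data.

Check 1: policy-based. Any connection to a watched port (SMTP, TFTP, IRC)
whose source host is not on the allowed list is flagged, whether or not
the firewall permitted it. Denied traffic is still an indicator.

Check 2: baseline-based. A host whose outbound byte count in the latest
interval is many times the median of its earlier intervals is flagged,
the way an MRTG graph spike would be eyeballed.
"""
import re
from statistics import median

# ASSUMPTION: the sanctioned mail relay and TFTP server addresses.
INTERNAL_MAIL_SERVERS = {"10.0.0.25"}
WATCHED_PORTS = {25: "smtp", 69: "tftp", 6667: "irc"}
ALLOWED_SOURCES = {
    25: {"10.0.0.25"},   # only the relay may talk SMTP to arbitrary hosts
    69: {"10.0.0.5"},    # only the provisioning box may pull via TFTP
    6667: set(),         # nobody is expected to use IRC
}

# Constructed sample log in a simple key=value layout (not any vendor's format).
SAMPLE_FW_LOG = """\
2006-01-24T11:00:01 action=ACCEPT src=10.0.0.25 dst=203.0.113.10 proto=tcp spt=41222 dpt=25
2006-01-24T11:00:02 action=DENY src=10.0.0.77 dst=198.51.100.5 proto=tcp spt=1034 dpt=25
2006-01-24T11:00:03 action=ACCEPT src=10.0.0.77 dst=10.0.0.25 proto=tcp spt=1035 dpt=25
2006-01-24T11:00:04 action=ACCEPT src=10.0.0.90 dst=10.0.0.40 proto=tcp spt=2233 dpt=25
2006-01-24T11:00:05 action=ACCEPT src=10.0.0.90 dst=10.0.0.40 proto=udp spt=2234 dpt=69
2006-01-24T11:00:06 action=ACCEPT src=10.0.0.77 dst=10.0.0.40 proto=tcp spt=2235 dpt=80
"""

# Constructed per-host outbound bytes for six consecutive intervals.
SAMPLE_OUTBOUND_BYTES = {
    "10.0.0.40": [120_000, 130_000, 110_000, 125_000, 118_000, 2_400_000],
    "10.0.0.25": [800_000, 850_000, 790_000, 820_000, 810_000, 830_000],
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that don't fit the format
        ev = m.groupdict()
        ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
        events.append(ev)
    return events


def unexpected_connections(events):
    """Flag watched-port connections from hosts not allowed to make them."""
    alerts = []
    for ev in events:
        port = ev["dpt"]
        if port not in WATCHED_PORTS:
            continue
        if ev["src"] in ALLOWED_SOURCES[port]:
            continue
        if port == 25 and ev["dst"] in INTERNAL_MAIL_SERVERS:
            continue  # a client submitting mail to the sanctioned relay is normal
        alerts.append({
            "service": WATCHED_PORTS[port], "src": ev["src"],
            "dst": ev["dst"], "action": ev["action"], "ts": ev["ts"],
        })
    return alerts


def outbound_spikes(byte_series, factor=5.0, min_history=3):
    """Return (host, ratio) for hosts whose latest interval is > factor x
    the median of all earlier intervals. Needs min_history earlier samples."""
    spikes = []
    for host, series in byte_series.items():
        history, latest = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough baseline to judge
        baseline = median(history)
        ratio = latest / baseline if baseline else float("inf")
        if ratio > factor:
            spikes.append((host, ratio))
    return spikes


if __name__ == "__main__":
    for a in unexpected_connections(parse_log(SAMPLE_FW_LOG)):
        print(f"{a['ts']} {a['service']} {a['src']} -> {a['dst']} ({a['action']})")
    for host, ratio in outbound_spikes(SAMPLE_OUTBOUND_BYTES):
        print(f"{host} outbound {ratio:.0f}x baseline")
```

Note that the second log line is a firewall DENY and is still reported: the point of the thread is that the deny itself is the interesting event, and a host that tries to reach an external port 25 is worth a look whether or not the packet got through. The internal client-to-client SMTP and TFTP attempts on lines four and five are the trusted-host-to-trusted-host case that firewall logs alone won't show unless the traffic crosses a logging device.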

