IDS mailing list archives

Re: Network IDS


From: "Sam f. Stover" <sstover () iwc sytexinc com>
Date: Fri, 22 Aug 2003 09:12:38 -0400

> > Then a NIDS is not the right thing for you. Network Intrusion Detection
> > is not about protecting systems.


> I disagree. Yes, it would seem like something of a waste of resources to protect a single server/system with an NIDS sensor. But, if that particular system or group of systems is mission critical, then a NIDS is precisely what you need. So, even in that situation, I can see someone deploying a sensor to detect network traffic based attacks.

This is a semantic issue in which (I believe) Andreas' post meant that NIDS don't actually protect, they alert. A home security system doesn't stop people from breaking into your house - but it does alert someone to the fact that something wrong happened. I mean there are other things that may scare the thief away, like the lights coming on or the police pulling into the driveway, but the fact remains that most home security systems (as well as passive IDSs) don't stop the intrusion from occurring.

At least, I'm guessing that's what you meant, Andreas?

> Now, the semantic argument that says that "NIDS is not about protecting systems" basically states that NIDS is about protecting networks.

I'm sorry, but I don't know what this sentence means. I don't necessarily differentiate between "systems" and "networks" - should I?

> Factually, this is true - Host IDS is about protecting a *system* and NIDS is about detecting intrusions over the network. But never, ever, ever, ever forget that a network is composed of a group of systems.

My view (as an ex-IDS vendor employee) is that the IDS isn't actively "protecting" anything (NIDS or HIDS, for that matter), but alerting you when something does happen, so you can take action. IPS, OTOH, does do "protecting" (and self-inflicted DoS) as opposed to just "alerting", which the original poster should be aware of. It's my understanding that this thread originated on the request for advice on how to implement IDS to protect. Passive IDS indirectly protects in that it imparts information/knowledge (i.e. power) to the user to help undertake protective measures, but does no actual protecting/prevention, in and of itself.

> For full system protection, he should be deploying a Host IDS on the servers/systems he's defending... but an NIDS is a really good idea for detecting attacks that happen over the line. What if someone compromises the system and kills the HIDS and deletes the logs in the middle of the night?

Let's examine your scenario further. Assuming someone did own the system, kill the HIDS and wipe the logs. What did your H/NIDS do to protect you? Nothing. They can provide forensic evidence (well, the NIDS anyway in this particular example ;-), but no "protecting" occurred. This is a point that too many folks pass over, in their hurry to implement an IDS security solution.

Now, before all the vendors jump down my throat, pretty much everyone is implementing offensive capabilities into the IDS like session shootdown for passive IDS and in-line "firewalling on steroids", so there are definitely active protective measures available (and I'm sure someone will expound on how their IDS "can do all that, and more!"). This is the crucial point to my post though, if the original poster wants something that will "protect" instead of "alert", then this needs to be discussed early on in vendor negotiation for the ultimate solution for their network.

My $0.02
FWIW
IMHO
YMMV
(you still listening Shipley?)


SfS

____
S.f.Stover
sstover () iwc sytexinc com
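To make the alert-versus-protect distinction in the post above concrete, here is an added example (mine, not Sam's and not any vendor's code): a toy Python model of the three postures he names, a passive span-port sensor, a passive sensor with session shootdown, and an inline device. The hosts, the traffic and the deliberately sloppy signature are all constructed for illustration; the point is which packets still reach the server under each posture, and what happens to the benign request that the rule also matches.

```python
"""Toy model of the three IDS/IPS postures discussed in the thread.

Constructed example: addresses, traffic and the signature are invented
for illustration and are not taken from the post or from any product.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample traffic (hypothetical addresses). The third request is
# benign but trips the crude signature below, i.e. a false positive.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.20", 1000, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.0.20", 2000, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 3000, b"GET /docs/passwd-policy.html HTTP/1.0\r\n"),
]

SIGNATURE = b"passwd"  # deliberately sloppy substring rule


def matches(pkt: Packet) -> bool:
    return SIGNATURE in pkt.payload


@dataclass
class Outcome:
    alerts: list = field(default_factory=list)       # sources that raised an alert
    delivered: list = field(default_factory=list)    # sources whose packet reached the host
    forged_rsts: list = field(default_factory=list)  # (to, spoofed_from, seq) RSTs sent


def passive(traffic) -> Outcome:
    """Span-port sensor: sees a copy and can only alert. Every packet is delivered."""
    out = Outcome()
    for p in traffic:
        if matches(p):
            out.alerts.append(p.src)
        out.delivered.append(p.src)
    return out


def passive_shootdown(traffic) -> Outcome:
    """Passive sensor with session shootdown: still off-path, so the offending
    packet is delivered before the forged RST can land; only the remainder of
    the session can be torn down."""
    out = Outcome()
    for p in traffic:
        out.delivered.append(p.src)   # the host already has it by the time we react
        if matches(p):
            out.alerts.append(p.src)
            # RST spoofed as the client, aimed at the server: its seq must be the
            # client's next sequence number or the server's stack ignores it.
            out.forged_rsts.append((p.dst, p.src, p.seq + len(p.payload)))
    return out


def inline(traffic) -> Outcome:
    """In-path IPS: a match is dropped, so it really does protect, and the same
    rule drops the benign false positive (the self-inflicted DoS)."""
    out = Outcome()
    for p in traffic:
        if matches(p):
            out.alerts.append(p.src)
            continue
        out.delivered.append(p.src)
    return out


def compare(traffic=TRAFFIC) -> dict:
    """Summarise each posture as (alerted sources, delivered sources, RSTs forged)."""
    return {name: (o.alerts, o.delivered, len(o.forged_rsts))
            for name, o in (("passive", passive(traffic)),
                            ("shootdown", passive_shootdown(traffic)),
                            ("inline", inline(traffic)))}


if __name__ == "__main__":
    for name, (alerted, delivered, rsts) in compare().items():
        print(f"{name:10s} alerted={alerted} delivered={delivered} rsts={rsts}")
```

Running it shows the passive and shootdown postures delivering all three requests (the attack included), and the inline posture delivering only the first: it stops the attack, but it also silently drops the legitimate request from 10.0.0.7, which is exactly the trade-off to settle with a vendor before buying "protection" rather than "alerting".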
