IDS mailing list archives

Re: Network IDS


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Tue, 26 Aug 2003 10:22:55 -0400

Andreas Krennmair wrote:


> It can _detect_ the traffic, but it does NOT protect your system! As
> soon as you detect an attack, it has already happened, and if it was
> successful, your system is compromised. So, use secure software, since
> you can't rely on your NIDS. Why have a NIDS that records all attacks
> against a machine, when the machine is compromised after one of the
> attacks?

I have a couple of points in response to this:

1. Detection is a prerequisite for protection.

2. I care about all attacks levied against my systems, and you should too. If the first attack succeeds - that absolutely is a high-priority event, but it's not the only event that occurred. If someone breaks into your system, you should absolutely want to know everything that happened. If the first attack is used to gain a shell and a second attack is used to inject a listening backdoor port, I absolutely don't want to exclusively focus on the original attack and not focus on the other attack. Assuming that you're just going to be able to look at the target system and detect all of the abnormalities is naive.

3. If you've found a list of absolutely 100% secure software, please share it. I've never seen a piece of software that hasn't had security holes. Until you have software that can't be compromised, you need other methods of detecting attacks (and detection, again, is a prerequisite of protection - and thus the two are intertwined). So, you still need a method of detecting attacks that is not tied to the target system which, once it's compromised, can't be trusted for anything. That is, of course, unless you've found a way of protecting against attacks that you don't know have happened - in which case I'd also like to know how that can be.



> You have to understand that detecting an attack does not protect your
> network/system against this attack, since a NIDS sensor is totally
> passive. And intrusion prevention systems are getting "funny" as soon as
> you encounter false positives.

I completely understand that NIDS is a passive technology. It won't protect your network for you - but it's an essential component in a comprehensive defense strategy.


> Use sandboxing software, e.g. systrace. It works pretty well on a number
> of Unix-like operating systems.

Yes, but sandboxing software is itself not without its own issues and holes. It's not a be-all, end-all solution and it's irresponsible to portray it as such. Sure, use sandboxing software, that's great! But you still have to detect attacks against the box.

For instance: say you have a web app that uses an online user information database. You can sandbox the processes to your heart's content, but the sandboxed app still needs access to the data, so the data is available from within the sandbox - in this case, your sandbox has done nothing but sit there.

The ultimate point I'm trying to make is that there is no single solution to protecting systems. There is no box that can't be penetrated and there is no box with a red flashing light that sits in the corner and magically detects crackers. Until such a product exists, and it probably never will, you will still have to use tools to detect attacks and attempt to mitigate them using the detection mechanism.

         -Barry
