IDS mailing list archives
Re: IDS is dead, etc
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 08 Aug 2003 13:18:12 -0400
Likewise Bob, it truly is an interesting branched discussion and I think that we're heading in the direction that this discussion should really go in. If it's Gartner's contention that firewalls will obsolete IDS', then how can this happen? Well, the answer is: only in an ideal world. And as we all know, utopias are works of fiction unless they exist in environments of strict control - in which case, an ideal world ceases to be utopian for everyone and becomes simply the utilitarian dream of a singular entity. Since we all interact on a peer basis on the internet, such measures of strict control would ultimately be problematic, and hence the ideal world is unlikely ever to be.
Let me say this: in defense of Todd's now clarified point - there is some value in discussing ideal situations. (People who know me know that I am a master in such acts of mental <insert questionable verbiage here>... heh) How can this be? Well, perhaps there are better ways to shape traffic or to do low-level protocol analysis (deep packet inspection, protocol anomaly detection and whatnot) that can assist in reducing *SOME* of the known vulnerabilities. There's nothing earth-shattering in this. Protocol anomaly detection is really nothing new, it's actually the same thing as validating I/O before it's processed - only it's applied to a network (Don't take this statement too seriously, it's a loose comparison to the basic idea) setting. And certainly one of the hallmark arguments for Free Software/Open Source Software is that it allows you a finer degree of control over your environment.
So, the question, in my mind - while we're discussing ideal situations and using firewalls to control your environment such that exploitation becomes most difficult - is what opportunities are manifested to do this kind of I/O validation and shaping on both the side of entering the network and also verification on the service/daemon end. The firewall scenario really only works if it's correlated with what the daemon is tested to expect, again - in an ideal world. You have to know what kind of data you want to expect before you can filter all other data out - and be able to enforce that and still be functional.
Of course, the real clincher in this argument is that the firewall becomes a form of stateful in-line IDS since it's pattern matching for validation in the first place. Hence we've never really moved beyond IDS, we've simply changed which box it's running on and changed the intent of its operation. The technology is still very much the same even in this ideal situation, and must still be deployed. You're still inspecting packets looking for known payloads (for lack of a better term). So, ultimately, discussions of the ideal will help advance IDS and firewall technology so that we can better determine what kind of traffic we're going to see in the future. But, perhaps more importantly, there may actually be situations where these types of ideal networks can be built (I'm thinking of things like ATM networks and systems that should ALWAYS take the same kinds of traffic in the same format), and for these types of networks - we absolutely should think about this - it advances the security of at least that part of the infrastructure.
Thanks for reading this far if you have. All comments, as usual, are welcome.
-Barry

Bob Buel wrote:
Gentlemen: Being a spectator to this discussion, I have to comment the obvious, that in security, there can be no "perfectly implemented" anything. As long as there is access to a system, there can be an attack. Your firewall could be hacked. You can't say that there's not some vulnerability that will be in tomorrow's news. You can't even say that you won't have a hormonal imbalance on Monday morning, and alter that "perfect implementation".

How can you make your systems safe? Go to your switch now and unplug all servers from their jacks. Are they safe now? No, of course not, since they can still be accessed via console. Ok, turn off the server, and put it in a vault behind a 7 foot concrete bunker. Is it safe? Nope. Still can't say that. (Verisign unplugs their root server, uses a bunker, alarms, armed guards, and still won't ever say it's safe!) Sure, the odds are better, but whether or not your system will actually be attacked is an equation byproduct of the attacker's motivation and your safeguards.

Now, if you will excuse the dialectical silliness of this rant, the purpose of an NIDS is now clear--it is a reporting tool of what actually did or tried to happen on that network. Much as I appreciate the practicality of what you are saying, and agree totally with it in an ideal sort of way, I can never say those thoughts out loud where someone might hear it, because it is not a perfect world, never will be, and I can't afford not to keep a watchful eye for someone, sufficiently motivated, who will do the impossible!

Good day, gentlemen one and all, and I have thoroughly enjoyed your discussion!

Bob
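As an added illustration of Barry's point that a firewall enforcing "only the traffic the daemon expects" is itself a stateful in-line IDS: this is example code written for this page, not anything from the thread, and the line-based control protocol, its commands and the sample session are all constructed.

```python
import re
# Constructed positive model of a hypothetical line-based control protocol
# (not any real protocol): the only traffic this "ideal" link should carry.
ALLOWED = {
    "HELLO": re.compile(r"^HELLO id=[A-Z0-9]{4,8}$"),
    "READ":  re.compile(r"^READ reg=\d{1,3}$"),
    "WRITE": re.compile(r"^WRITE reg=\d{1,3} val=\d{1,5}$"),
    "BYE":   re.compile(r"^BYE$"),
}
MAX_LINE = 64

def inspect(line, state, alerts):
    """Forward (True) or drop (False) one line; each drop is also an alert."""
    def deny(reason):
        alerts.append((reason, line[:MAX_LINE]))
        return False
    if len(line) > MAX_LINE:
        return deny("oversize line")
    if not line.isascii() or not line.isprintable():
        return deny("non-printable or non-ASCII bytes")
    verb = line.split(" ", 1)[0]
    pattern = ALLOWED.get(verb)
    if pattern is None:
        return deny("unknown command")
    if not pattern.match(line):
        return deny("malformed arguments for " + verb)
    # Stateful rule: a session starts with exactly one HELLO.
    if verb == "HELLO":
        if state["greeted"]:
            return deny("duplicate HELLO")
        state["greeted"] = True
    elif not state["greeted"]:
        return deny("command before HELLO")
    return True

def filter_session(lines):
    # Run a whole session through the filter; return forwarded lines and alerts.
    state, alerts = {"greeted": False}, []
    forwarded = [ln for ln in lines if inspect(ln, state, alerts)]
    return forwarded, alerts

# Constructed sample session mixing expected traffic with deviations.
SAMPLE_SESSION = [
    "HELLO id=PUMP01",
    "READ reg=12",
    "WRITE reg=12 val=77 extra=1",  # a field the daemon never expects
    "READ reg=" + "9" * 70,         # oversized line
    "DEBUG on",                     # command outside the model
    "BYE",
]
```

The allow-list is exactly the pattern matching Barry describes: the same rules that decide what is forwarded produce the alert log, so dropping the IDS box does not drop the IDS function.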