IDS mailing list archives

Re: IDS is dead, etc


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 08 Aug 2003 13:18:12 -0400


Likewise Bob, it truly is an interesting branched discussion and I think that we're heading in the direction that this discussion should really go in. If it's Gartner's contention that firewalls will obsolete IDS', then how can this happen? Well, the answer is: only in an ideal world. And as we all know, utopias are works of fiction unless they exist in environments of strict control - in which case, an ideal world ceases to be utopian for everyone and becomes simply the utilitarian dream of a singular entity. Since we all interact on a peer basis on the internet, such measures of strict control would ultimately be problematic, and hence the ideal world is unlikely ever to be.

Let me say this: in defense of Todd's now clarified point - there is some value in discussing ideal situations. (People who know me know that I am a master in such acts of mental <insert questionable verbiage here>... heh) How can this be? Well, perhaps there are better ways to shape traffic or to do low-level protocol analysis (deep packet inspection, protocol anomaly detection and whatnot) that can assist in reducing *SOME* of the known vulnerabilities. There's nothing earth-shattering in this. Protocol anomaly detection is really nothing new, it's actually the same thing as validating I/O before it's processed - only it's applied to a network (Don't take this statement too seriously, it's a loose comparison to the basic idea) setting. And certainly one of the hallmark arguments for Free Software/Open Source Software is that it allows you a finer degree of control over your environment.

So, the question, in my mind - while we're discussing ideal situations and using firewalls to control your environment such that exploitation becomes most difficult - is what opportunities are manifested to do this kind of I/O validation and shaping on both the side of entering the network and also verification on the service/daemon end. The firewall scenario really only works if it's correlated with what the daemon is tested to expect, again - in an ideal world. You have to know what kind of data you want to expect before you can filter all other data out - and be able to enforce that and still be functional.

Of course, the real clincher in this argument is that the firewall becomes a form of stateful in-line IDS since it's pattern matching for validation in the first place. Hence we've never really moved beyond IDS, we've simply changed which box it's running on and changed the intent of its operation. The technology is still very much the same even in this ideal situation, and must still be deployed. You're still inspecting packets looking for known payloads (for lack of a better term). So, ultimately, discussions of the ideal will help advance IDS and firewall technology so that we can better determine what kind of traffic we're going to see in the future. But, perhaps more important, there may actually be situations where these types of ideal networks can be built (I'm thinking of things like ATM networks and systems that should ALWAYS take the same kinds of traffic in the same format), and for these types of networks - we absolutely should think about this - it advances the security of at least that part of the infrastructure.

Thanks for reading this far if you have. All comments, as usual, are welcome.

                     -Barry
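
Barry's point above is that protocol anomaly detection is input validation moved onto the network, and that a firewall doing that validation in line is the same pattern-matching engine as an IDS, only with a different action attached. The following Python is an added illustration of that idea and is not code from the thread or from any product named in it. It assumes a hypothetical HTTP/1.x service that is "tested to expect" only GET/HEAD/POST in origin-form with bounded line lengths; the allow-list constants, the validator, and the four sample requests are all constructed for the example. One validator produces a verdict; `inspect()` then either drops (firewall role) or alerts (IDS role) on exactly the same verdict.

```python
import re
from dataclasses import dataclass, field

# What this hypothetical service is tested to expect. This allow-list is the
# "know what data you want before you filter everything else out" part;
# anything outside it is reported as an anomaly. (Constructed values.)
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 2048       # bytes in the request target
MAX_HEADER_LINE = 1024      # bytes per header line
MAX_HEADER_COUNT = 64       # header lines per request

# Request line: METHOD SP target SP HTTP/1.0|1.1 (matched with fullmatch).
REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]")
# Header line: token ":" OWS printable-ASCII value.
HEADER_LINE = re.compile(r"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([\t\x20-\x7e]*)")


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def validate_request(raw: bytes) -> Verdict:
    """Validate the header section of one HTTP/1.x request against the
    allow-list above. Returns every deviation found, not just the first."""
    reasons = []

    # The header section is printable ASCII plus CR, LF and HTAB; anything
    # else (NUL, high bytes) is not something this service expects.
    bad = [b for b in raw if (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b > 0x7E]
    if bad:
        reasons.append("%d byte(s) outside printable ASCII in header section" % len(bad))

    text = raw.decode("ascii", errors="replace")
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        reasons.append("header section not terminated by CRLF CRLF")

    lines = head.split("\r\n")
    match = REQUEST_LINE.fullmatch(lines[0])
    if match is None:
        reasons.append("malformed request line")
    else:
        method, target = match.group(1), match.group(2)
        if method not in ALLOWED_METHODS:
            reasons.append("method %s is not one this service expects" % method)
        if len(target) > MAX_TARGET_LEN:
            reasons.append("request target exceeds %d bytes" % MAX_TARGET_LEN)
        if not target.startswith("/"):
            reasons.append("request target is not origin-form")

    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        reasons.append("too many header lines")
    for line in headers:
        if len(line) > MAX_HEADER_LINE:
            reasons.append("header line exceeds %d bytes" % MAX_HEADER_LINE)
        elif HEADER_LINE.fullmatch(line) is None:
            reasons.append("malformed header line %r" % line[:32])

    return Verdict(not reasons, reasons)


def inspect(raw: bytes, mode: str) -> str:
    """The same check in two deployment roles: 'enforce' drops the anomaly
    in line (the firewall of Barry's argument), 'observe' lets it through
    and raises an alert (the classic IDS). The matching logic is identical."""
    verdict = validate_request(raw)
    if verdict.ok:
        return "pass"
    return "drop" if mode == "enforce" else "alert"


# Constructed sample traffic: one request the service expects, three it does not.
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: constructed/1.0\r\n\r\n",
    "overlong_target": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "unexpected_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "binary_in_header": b"GET / HTTP/1.1\r\nHost: \x00\xff\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = validate_request(raw)
        print("%-18s enforce=%-5s observe=%-5s %s" % (
            name, inspect(raw, "enforce"), inspect(raw, "observe"), "; ".join(v.reasons)))
```

Note what this does and does not buy you, which is the caveat Barry makes with "*SOME* of the known vulnerabilities": the validator catches traffic that deviates from the format the daemon was tested against (oversized fields, unexpected methods, bytes that have no business in a header), but a request that is well-formed by this grammar and still trips a bug in the daemon passes straight through in both modes. That is why the observe role keeps its value even once the enforce role exists.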


Bob Buel wrote:

Gentlemen:

Being a spectator to this discussion, I have to comment on the obvious,
that in security, there can be no "perfectly implemented" anything. As
long as there is access to a system, there can be an attack. Your
firewall could be hacked. You can't say that there's not some
vulnerability that will be in tomorrow's news. You can't even say that
you won't have a hormonal imbalance on Monday morning, and alter that
"perfect implementation". How can you make your systems safe? Go to your
switch now and unplug all servers from their jacks. Are they safe now?
No, of course not, since they can still be accessed via console. Ok,
turn off the server, and put it in a vault behind a 7 foot concrete
bunker. Is it safe? Nope. Still can't say that. (Verisign unplugs their
root server, uses a bunker, alarms, armed guards, and still won't ever
say it's safe!)
Sure, the odds are better, but whether or not your system will actually
be attacked is an equation byproduct of the attacker's motivation and
your safeguards. Now, if you will excuse the dialectical silliness of this rant, the
purpose of an NIDS is now clear--it is a reporting tool of what actually
did or tried to happen on that network.
Much as I appreciate the practicality of what you are saying, and agree
totally with it in an ideal sort of way, I can never say those thoughts
out loud where someone might hear it, because it is not a perfect world,
never will be, and I can't afford not to keep a watchful eye for
someone, sufficiently motivated, who will do the impossible!

Good day, gentlemen one and all,
and I have thoroughly enjoyed your discussion!

Bob




