IDS mailing list archives
RE: True definition of Intrusion
From: "Golomb, Gary" <GGolomb () enterasys com>
Date: Tue, 30 Dec 2003 15:43:56 -0500
Hello,
Hi Craig (and list)... It's been a while... :)
>> Here are some of the attack pattern type signatures being classified by many vendors who are now pushing Intrusion Prevention attack detection:
>>
>> FIN without ACK Attack
>> FTP Buffer Overflow attack
>> ICMP Flood Attack
>> ICMP Fragment Attack
>> ICMP Source Session Limit
>> ICMP Sweep Attack
>> Invalid URL Attack
>> IP Fragment
>> IP Land Attack
>> IP Loose Source Record Routing
>> IP Record routing
>> IP Security Option
>> IP Strict Source Record Routing
>> IP Timestamp Option
>> Large ICMP Packet Attack
>> Ping of Death Attack
>> POP2 Buffer Overflow Attack
>> POP3 Buffer Overflow Attack
>> Port Scan Attack
>> SYN Flood Attack
>> SYN Fragment Attack
>> TCP with No Flag Attack
>> UDP Flood Attack
>> UDP Land Attack
>> UDP Source Session Limit
>> Unknown IP protocol
>>
>> None of the listed above should be classified as Intrusion Prevention, since they are really in essence "glorified" Intrusion Detection class patterns. Most of the listed above
>
> Why not? If it is a mechanism of intrusion, and can be stopped before successful execution, then it has been prevented.
Out of context, no one would disagree. How could anyone argue that stopping activity well before it becomes an "intrusion" is not intrusion prevention?! However, in context ("context" being the above list of "intrusions" [biting cheek, really hard]), it is a different story. Paraphrasing what Mark said - most all of those "attacks" (using that term as loosely as possible) can be trivially mitigated in most routers and switches, including an $80 D-Link. This kind of brings us to the big joke of network IPS as it stands today ("IPS" being network-based enterprise class perimeter-focused solutions that are typically discussed). Most people *assume* that since an IDS can audit 1000's of different types of potential attacks, it would follow that an IPS can stop the same number. IPS vendors routinely capitalize on naive assumptions along these lines, and before you know it, you have organizations like Gartner echoing vendor marketing jingles without actually performing some sort of validation testing themselves. I *LOVE* how every term in the vendor-supplied list at the start of this email ends with the word "attack"!!! Really think about that one for a minute... Have you ever pulled back the hood of an IPS to see what RELEVANT activity it *really* will and will not stop? Many of these [network] devices are great at stopping "recon" and other "early" activity. However, they also are making the assumption that hackers follow the methodologies described in Hacking Exposed and related introductory security texts. The only people I routinely see employing such a structured approach to hacking are security people - not hackers. And yes, before any IPS zealots jump down my throat, there are other types of activities that can be stopped (besides recon), but on *no* scale *anywhere* near the number of activities that can be audited with an IDS - good, bad, or indifferent. And forget structure for a minute... Stops "IP Land Attack" AAAHHHHH!
Can I really become a millionaire by developing a HIPS for Windows for Workgroups 3.11??? Ok, that's a little extreme (however, still taken from the list above), but does "significance" have any meaning to anyone these days? So is the ability to stop a few attacks acceptable enough? Guess it entirely depends on your threshold. From the perspective of a vendor, I don't want to be responsible for developing a product that is deliberately limited - vendors should be developing the most thorough solutions conceivable - which means developing solutions around the threats, not marketing messages. It's unfortunate how blatantly this trend is declining.
>> I tend to agree, "true" Intrusion Prevention could be defined as "alien" technology, since none of the vendors can agree to what Intrusion Prevention really is. I guess marketing folks/marketing communication folks will have something to do for the next few months and figure out what "snake oil" they can assemble.
>
> Vendors don't have to agree on anything and rarely do. The customer decides with their pocketbook.
I owe you a beer.
> technologies just reported problems if you were lucky). With the widescale proliferation of worms, e-mail scams, etc. the benefit is becoming very obvious to many people that you need intrusion prevention technology.
Is preventing each of those threats at the location where an IDS has historically been placed the best solution? I just snipped a bunch of text that points to "no" being the answer. We keep going back to dealing with these threats at the host, gateway, and other devices. In other words, more secure devices (network infrastructure devices as well as end systems). That's not IPS - that's a better and more secure system design from the beginning, and it doesn't require additional cost/administration overhead for perimeter-centric solutions.

Then why have an IDS? Auditing, log reduction, tracking, and forensics to name a few reasons. It's not that IDS was misrepresented from the beginning (as others stated early in this thread). I clearly remember learning to use IDS years ago as a network auditing, surveillance, reporting, and forensics tool. I think some of the newer vendors have mis-sold themselves from the beginning, and that has created a host of new problems for vendors and end-users alike.

Anyways... This thread can go in circles for weeks, and I bet $10 it won't stop until it's eventually killed. Since everyone has a different threshold (or understanding, which is worse when it's a vendor in question) for what they consider an "attack," the definitions for "intrusion" will be pretty different too. Because of that, good luck trying to get consensus on what a prevention "system" actually is - especially with vendors trying to push sales on this list.

-gary
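An added example, not part of Gary's post, Craig's reply, or any vendor's product, illustrating the point made in the thread that several of the quoted signature names (IP Land, TCP with No Flag, FIN without ACK, Ping of Death, Large ICMP Packet, Unknown IP protocol) reduce to stateless per-packet header checks of the kind a router ACL can enforce. The packet headers are dicts constructed inline for the example; the "known protocol" set and the large-ICMP threshold are assumptions a site would tune, not values from the thread.

```python
# Added example: stateless header checks behind a few of the signature names
# quoted in this thread. Not code from the post or from any vendor. Packets are
# plain dicts constructed below; a real deployment would feed parsed headers
# from a capture library.

# Assumption: protocols this network legitimately carries. A real policy would
# list everything in use (GRE, ESP, OSPF, ...) rather than just these three.
KNOWN_IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# TCP flag bits, low six bits of the flags byte (RFC 793 order).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_FLAG_MASK = 0x3F

MAX_IP_DATAGRAM = 65535       # RFC 791: 16-bit total-length field
LARGE_ICMP_THRESHOLD = 1024   # assumption: "large" cutoff in bytes, site-tunable


def classify(pkt):
    """Return the signature names from the quoted list that one packet header matches.

    Every check here looks at a single packet in isolation (no flow state), which
    is exactly why commodity routers and switches can drop these at line rate.
    """
    hits = []

    # Land: source and destination address identical.
    if pkt["src"] == pkt["dst"]:
        hits.append("IP Land Attack")

    proto = pkt["proto"]
    if proto not in KNOWN_IP_PROTOCOLS:
        hits.append("Unknown IP protocol")

    if proto == 6:
        flags = pkt.get("tcp_flags", 0) & TCP_FLAG_MASK
        if flags == 0:
            hits.append("TCP with No Flag Attack")
        # FIN is only legitimate on an established connection, which always
        # carries ACK; FIN without ACK is a classic scanner probe.
        if flags & TCP_FIN and not flags & TCP_ACK:
            hits.append("FIN without ACK Attack")

    if proto == 1:
        # Reassembled size = fragment offset (8-byte units) + this fragment's
        # IP total length. Exceeding 65535 is the Ping of Death signature.
        end = pkt.get("frag_offset", 0) * 8 + pkt["ip_len"]
        if end > MAX_IP_DATAGRAM:
            hits.append("Ping of Death Attack")
        elif pkt["ip_len"] > LARGE_ICMP_THRESHOLD:
            hits.append("Large ICMP Packet Attack")

    return hits


# Constructed sample headers using RFC 5737 documentation addresses.
SAMPLE_PACKETS = {
    "normal_syn":    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 6, "tcp_flags": TCP_SYN},
    "normal_finack": {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 6, "tcp_flags": TCP_FIN | TCP_ACK},
    "land":          {"src": "192.0.2.10",  "dst": "192.0.2.10", "proto": 6, "tcp_flags": TCP_SYN},
    "null_flags":    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 6, "tcp_flags": 0},
    "fin_only":      {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 6, "tcp_flags": TCP_FIN},
    "normal_ping":   {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 1, "ip_len": 84},
    "ping_of_death": {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 1, "frag_offset": 8189, "ip_len": 1500},
    "unknown_proto": {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": 253},
}


def audit(packets):
    """Run every packet through classify(); return only the ones that matched something."""
    results = {name: classify(pkt) for name, pkt in packets.items()}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_PACKETS).items():
        print(f"{name:14s} -> {', '.join(hits)}")
```

Notice what is absent: nothing in `classify()` needs a second packet, a flow table, or protocol reassembly. That is the distinction the thread is drawing between these signatures and the application-layer activity an IDS actually audits.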
Current thread:
- RE: True definition of Intrusion Golomb, Gary (Dec 30)
- RE: True definition of Intrusion Craig H. Rowland (Dec 30)