IDS mailing list archives
NADS ( was RE: IPS comparison)
From: "Joseph Hamm" <jhamm () lancope com>
Date: Tue, 30 Aug 2005 23:11:08 -0400
Hassan, You make some good points, but I'd like the opportunity to clear up a few things about my NADS:
IMHO comparing pure play behavior detection to IPS is like comparing
apples and oranges. I couldn't agree more. I spoke up because Stefano brought up the topic of anomaly detection. One thing that does bother me is how IPS has been painted as a "magic bullet" by vendors (and even the press). IPS works great at the perimeter or other "choke points" in the network. However, in speaking with customers, it is too costly to deploy in a scenario that can give you adequate network visibility or proper blocking capabilities inside your organization. It should remain a perimeter solution, placed in a strategic location to protect key assets (example would be a group of critical servers), or perhaps one day merged into your network infrastructure (perhaps the future as painted by Tippingpoint and 3com).
NADS appears to be more similar to the old sniffer technology with the
added feature of /possibly/ giving better clues
as to the cause of the anomaly from a security perspective whereas the
old Network General style explains from network
problem perspective.
Yes. NADS gives much of the value of traditional network troubleshooting tools like Sniffer. But this is only a fraction of its capabilities. These systems can gain network info from taps, SPAN/mirror ports, NetFlow, or sFlow. The result of this hybrid approach is a much broader network visibility than traditional security devices such as IDS or IPS can provide (at least for the same costs). The reason you get more visibility with fewer boxes deployed is because these systems can leverage the flow information (NetFlow or sFlow info exported from your routers/switches). You essential turn all of your routers and switches into security probes so you don't have to deploy (purchase and maintain) a box everywhere you want coverage. Many folks don't even know what NetFlow or sFlow is or how it can be used to provide them much needed security information (and save them money).
Protocol anomaly at least looks more promising in the IPS space as the
action capability is there. In my experience, it definitely takes time baselining... but once
baslined, it could be a valuable tool (again when the action component
- read IPS - is added). Yes, baselining takes some time. So does tuning a signature-based product. We should all know by now that IPS is easy to deploy and tune cause they've ripped out all of the signatures and only block on the handful that they know they can block on accurately. Don't get me wrong. With that being said, I still see the value of using IPS to detect and block low hanging fruit. On the other hand, NADS can have full network visibility, understand what is normal activity for hosts, alarm the administrator, and even take blocking action on the administrator's behalf. How does it do this without being inline? It leverages the existing network infrastructure to block attacks...something that is being called "infrastructure IPS". This allows the NADS to find the piece of network infrastructure closest to the threat (router, switch, firewall, etc.) and take blocking action there in order to quarantine the attack. Your IPS can't do that! IDS/IPS can only detect and block once traffic passes the device (which works great at the perimeter). Since a NADS system has complete visibility, it can instruct your infrastructure to take blocking actions and stop internal threats more effectively.
That whole Gartner prophecy of "IDS is dead" was referring to the idea
that detection by itself is just not enough. Maybe behavior detection (NADS) might be good for
forensics... but I'll take IPS wherever I can get it thank you. If one
can't afford IPS... then I guess going the forensics only route is better than nothing. But even >then, pure-play behavior-based solutions leaves the gap of not detecting known bad stuff. As mentioned above, NADS can detect and block malicious activity. And yes, they provide a wealth of forensic information. Lancope provides the last 30 days. As far as detecting known bad stuff, I suggest a hybrid approach. IPS at the perimeter to catch low hanging fruit, IDS internally to detect known attacks, NADS to understand normal behavior and detect/block on threats. Your better NADS can correlate events from signature based IDS. This means that they can weed through the thousands of signature-based IDS events that might be occurring daily and cherry pick those that correlate to a behavioral change from a host. A great example of this would be saving the administrator the time of sorting through 1000 RPC buffer overflow alarms generated by his IDS because his servers were not vulnerable and experienced no behavioral change after the attack. However, the administrator would be presented the one RPC buffer overflow that correlated to a host that went outside of its normal behavior and started scanning other hosts, connected to a remote server on some random port, etc.
btw... even Lancope has signatures (however outdated they may be)... so
even Lancope realizes the value of signatures in the security tool box. They aren't signatures, but yes, we do have behavioral algorithms that look for suspicious activity. And yes, some of these do not require a baseline to determine malicious behavior so in vague terms they could be considered somewhat like a signature. For example, I don't have to have a baseline of a host to know that aggressive scanning on port 445 is bad, port 80 traffic that is not valid http is bad, etc. Hope this clarifies my position a bit. Regards, Joe Joe Hamm, CISSP Senior Security Engineer Lancope, Inc. jhamm () lancope com 404.644.7227 (cell) 770.225.6509 (fax) Lancope - Security through Network Intelligence(tm) StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com. -----Original Message----- From: Seek Knowledge [mailto:aseeker03 () yahoo com] Sent: Tuesday, August 30, 2005 6:58 PM To: Joseph Hamm; Stefano Zanero; Daniel Cid; Focus-Ids Mailing List Subject: RE: IPS comparison IMHO comparing pure play havior detection to IPS is like comparing apples and oranges. NADS appears to be more similar to the old sniffer technology with the added feature of /possibly/ giving better clues as to the cause of the anomaly from a security perspective whereas the old Network General style explains from network problem perspective. Protocol anomaly at least looks more promising in the IPS space as the action capability is there. In my experience, it definitely takes time baselining... but once baslined, it could be a valuable tool (again when the action component - read IPS - is added). That whole Gartner prophecy of "IDS is dead" was referring to the idea that detection by itself is just not enough. Maybe behavior detection (NADS) might be good for forensics... but I'll take IPS wherever I can get it thank you. If one can't afford IPS... then I guess going the forensics only route is better than nothing. But even then, pure-play behavior-based solutions leaves the gap of not detecting known bad stuff. btw... even Lancope has signatures (however outdated they may be)... so even Lancope realizes the value of signatures in the security tool box. Regards, Hassan Karim, CISSP --- Joseph Hamm <jhamm () lancope com> wrote:
Fact is, anomaly detection is so rare that it'salmost unexistant in the commercial products, except for limited formsof "protocol anomaly detection" and for Arbor'speakflow technology. Not true! The only reason this space hasn't gotten as much attention over the last few years is cause everyone was busy buying signature IDS and now IPS solutions. Pure Network Anomaly Detection players: Arbor Lancope Mazu Q1 Labs (All of these have been around for several years despite the lack of industry attention to this space. Am I missing any new ones?) Also, for a recent article on network anomaly detection systems (NADS), check out this month's Information Security Magazine (cover story). The NADS space (this is only the latest acronym used to describe this group of products), is starting to get more attention and press coverage. You will also find some articles that call these products NBAD (Network Behavior Anomaly Detection) solutions. Many security companies can detect "anomalies" in some form. Almost every security vendor has the word "anomaly" in their marketing literature. You need to understand what they mean by an "anomaly" and
how they detect them. "protocol anomaly detection" and "network anomaly detection" are two different things although detecting network anomalies can include protocol anomalies as well. An IPS is a point solution, usually has limited network visibility (unless you spend a fortune and deploy them
everywhere), and can only perform protocol anomaly detection (from what I've seen). In order to have the best NADS, you need complete network visibility and an understanding of what is "normal" on your network. Rolling out NADS generally requires less appliances than IPS (read less cost) because one box can gather network info from multiple SPAN ports, network taps, or get NetFlow/sFlow feeds from remote routers/switches. Kind regards, Joe Joe Hamm, CISSP Senior Security Engineer Lancope, Inc. jhamm () lancope com 404.644.7227 (cell) 770.225.6509 (fax) Lancope - Security through Network Intelligence(tm) StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com. -----Original Message----- From: Stefano Zanero [mailto:s.zanero () securenetwork it] Sent: Monday, August 29, 2005 6:01 PM To: Daniel Cid; Focus-Ids Mailing List Subject: Re: IPS comparison Daniel Cid wrote:This "anomaly" detection will only detect 0-dayexploits for knownvulnerabilities.A zero-day exploit is a curious marketing thing. You suddenly redefine
a difficult problem (catching zero-days) as a rather simpler problem (create signatures that actually describe the vulnerability, which is what any signature worth your licensing cost should do). So, presto!, you can rush up and put out some rather nice marketing material on it. Fact is, anomaly detection is so rare that it's almost unexistant in the commercial products, except for limited forms of "protocol anomaly
detection" and for Arbor's peakflow technology. Best, Stefano Zanero --------------------------- Secure Network S.r.l. www.securenetwork.it
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- NADS ( was RE: IPS comparison) Joseph Hamm (Aug 31)
- Re: NADS ( was RE: IPS comparison) Seek Knowledge (Aug 31)
- Re: NADS ( was RE: IPS comparison) Stefano Zanero (Aug 31)
- Re: NADS ( was RE: IPS comparison) Iván Arce (Aug 31)
- <Possible follow-ups>
- RE: NADS ( was RE: IPS comparison) Joseph Hamm (Aug 31)