IDS mailing list archives

Re: How to choose an IDS/FW MSS provider


From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 12 Mar 2005 01:11:24 -0500

On Fri, 11 Mar 2005 10:14:23 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:

> Many IDS vendors are integrating Firewalls into their product, just like
> Firewall vendors are trying to catch up on the Layer 7 analysis.  Both
> types of technologies are coming together to some degree.

I understand that market pressures and misguided research
organizations are forcing access control and audit functions to
converge.  This is a shame.  I wrote an article called "Considering
Convergence?" that recommends keeping access control and audit
separate. [0]

Smaller organizations lacking the resources to implement defense in
depth are better off buying a single "do-it-all" appliance, if the
alternative is implementing little or no security.  Larger
organizations with the resources to field multiple technologies,
follow coordinated policies, and train security staff will be more
secure with distinct firewalls and intrusion detection systems.

> What I'm getting at is that Defense in Depth still applies, even though
> these two technologies seem to be coming together rather quickly.

I agree.  Any device making an access control decision is a firewall.
This includes router ACLs, layer 3-4 "firewalls," and "IPSs."
Responsibility for network audit should remain with the IDS.

Ross Anderson's exceptional book 'Security Engineering' recommends
avoiding "convergence" when he talks about bookkeeping and fraud:

"With functional separation of duties, two or more different staff
members act on a transaction at different points in its path.  The
classic example is corporate purchasing.  A manager makes a purchase
decision and tells the purchasing department; a clerk there writes a
purchase order; the store clerk records the arrival of goods; an
invoice arrives at accounts; the accounts clerk correlates it with the
purchase order and the store receipt, and cuts a check; the accounts
manager signs the check.

The manager now gets a debit on her monthly statement for that
internal account; her boss reviews the accounts to make sure the
division's profit targets are likely to be met; the internal audit
department can descend at any time to audit the division's books; and
when the external auditors come in once a year, they will check the
books of a randomly selected sample of departments." [1]

The current market path is collapsing all of these decisions and
responsibilities into a single point; in business, the result is
massive undetected fraud.  An attack bypassing a "converged appliance"
will be unfiltered, undetected, and destructive.  Incident response
will be the only remaining strategy, and the responders will have
little or no evidence to analyze and act upon.

Sincerely,

Richard

[0] http://www.taosecurity.com/publications.html
[1] 'Security Engineering' by Ross Anderson (New York, NY: Wiley,
2001), p. 190.  http://www.cl.cam.ac.uk/users/rja14/
