Re: How to choose an IDS/FW MSS provider

[Richard Bejtlich <taosecurity () gmail com>]

On Sat, 12 Mar 2005 10:11:44 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
> But, you're missing the point.  What I'm saying is that the two
> technologies are merging where appropriate, and that it is a GOOD thing,
> even for large enterprises, not just small ones.   

David,

I'm not missing the point.  I'm making an entirely new one.  (In
reality, my viewpoint is a decade or more old, but vendors and pundits
have apparently forgotten it.)

You have to be able to detect an attack to stop it.  Layer 3 firewalls
detect attacks by inspecting layer 3 headers for prohibited IP
addresses or other IP header features.  Layer 4 firewalls detect
attacks by inspecting layer 4 headers for prohibited ports, flags, and
so on.  "Layer 5" firewalls detect attacks by tracking sessions. 
Layer 7 firewalls (aka IPSs) detect attacks by inspecting layer 7
information for prohibited content, protocol inconsistencies, etc. 
Once detected, firewalls block attacks.

I welcome all advancements that make smarter access control decisions.
 We certainly need them in a world where most hosts (often Windows)
can't independently defend themselves!

Attack detection, whether for alerting ("IDS") or blocking ("IPS"),
can be circumvented.  This is not a slam on vendors (much smarter than
me), but an acknowledgement of the difficulty of the problem set.

Almost every incident response I have performed took place at a
facility with an IDS or IPS deployed.  Often, neither device had
anything useful to say about the incident.

When you realize this, the natural next step is to use an access
control device to limit what you can and deploy an audit device to
keep track of everything else.  Forget about "intrusion" or "attack"
detection -- simply record everything that happens.  You never know
what piece of information will yield the clue to investigating an
incident.

I have not seen a single commercial IDS or IPS perform the sort of
network audit needed for post-mortem incident response.  If either
device is bypassed, the security staff has nowhere to turn.

I do not want a single device responsible for both access control and
network audit.  When an intruder beats a "converged" device, the
defender becomes completely blind.

These realities form the heart of my network security monitoring
theory.  I don't think about "intrusion detection" or "intrusion
prevention."  I think in terms of indications and warnings (usually
via an "IDS") and policy enforcement (via an access control device).

Sincerely,

Richard

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------