IDS mailing list archives

Re: NADS ( was RE: IPS comparison)


From: Iván Arce <ivan.arce () coresecurity com>
Date: Fri, 02 Sep 2005 15:51:31 -0300


Joseph Hamm wrote:
This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any serious security infrastructure initiative.

 
I definitely see the value of host-based agents, however, they have their own challenges.  Cost of deployment on 
every host, difficulty to manage and update, introduction of another attack vector (blackice incident).  I should 
have included this technology though.  Sorry for the omission.


I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention
being attributed to IPS these days.


LOL! Ooops!  Didn't mean for it to come across that way, I'm just passionate about the technology. No "magic bullet" 
here....just a technology that fills a lot of security gaps.


To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert channels.


This assumes that the only method of detection is variation from a baseline which is only a small part of the system. 
 Covert channels are easily detected.  Think about application verification and changes in entropy.


Nope, I did not assume that. However, I did assume that any NADS
security product uses a model of reality which is basically an abstract
simplification of things seen in reality in order to make the problem
tractable under certain assumptions. When a given attack goes around
those assumptions and outside the established model, then the technology
that uses it does not prevent or even detect the attack.

Ok, so I thought about application verification and "changes in entropy".
It is not clear to me what you imply with this: entropy as in its most
strict definition in terms of information theory (i.e.
http://en.wikipedia.org/wiki/Information_entropy) or something else?

Now think about differential power analysis, electromagnetic emissions,
timing analysis, http request "smuggling", ip_id, tcp_seq_num, RPC XID,
and/or DNS query/answer id "modulation", data encryption and
compression, network protocol "idle" or seemingly "idempotent" packets
and transactions, image file formats, application-layer protocol
definition inconsistencies, etc. (the list can go on-and-on forever)

So (to me) a good analysis would be not only to understand the things
that NADS technology CAN do best but also those that it CAN NOT do and
those that it CAN DO in a sub-optimal manner.

I understand your enthusiasm and I do think NADS technology can be
effective today and that it has a promising future but I doubt it will
ever achieve "completeness" in terms of attack vector coverage.

Whether it is complete *enough* today is a judgement call.

-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
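Added example, not part of this thread or of any Core Security product: a toy model of the "changes in entropy" detector Joseph mentions, applied to the ip_id "modulation" case Ivan lists, to show how the learned baseline decides what the detector can and cannot see. All three IP ID streams are constructed (no captures), the modulation model and the 1-bit margin are arbitrary assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(symbols):
    """Shannon entropy, in bits, of a sequence of discrete symbols."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def ip_id_delta_entropy(ip_ids):
    """Entropy of successive 16-bit IP ID differences: a feature a NADS might baseline."""
    deltas = [(b - a) % 65536 for a, b in zip(ip_ids, ip_ids[1:])]
    return shannon_entropy(deltas)


def deviates_from_baseline(baseline_bits, observed_bits, margin=1.0):
    """Anomaly rule (assumed): flag when the feature moves more than `margin` bits."""
    return abs(observed_bits - baseline_bits) > margin


# Constructed traffic models, one IP ID per packet.
def sequential_ids(n, start=1000):
    """Host whose stack increments the IP ID on every packet."""
    return [(start + i) % 65536 for i in range(n)]


def random_ids(n, seed=1):
    """Host whose stack randomises the IP ID on every packet."""
    rng = random.Random(seed)
    return [rng.randrange(65536) for _ in range(n)]


def modulated_ids(n, seed=2):
    """Hypothetical modulation model: low byte stands in for a ciphertext byte,
    high byte is random filler, so the field is statistically uniform."""
    rng = random.Random(seed)
    return [(rng.getrandbits(8) << 8) | rng.getrandbits(8) for _ in range(n)]


def evaluate(n=256):
    """Is the modulated stream flagged, given a baseline learned from each host type?"""
    covert = ip_id_delta_entropy(modulated_ids(n))
    return {
        "flagged_vs_sequential_host": deviates_from_baseline(
            ip_id_delta_entropy(sequential_ids(n)), covert),
        "flagged_vs_random_id_host": deviates_from_baseline(
            ip_id_delta_entropy(random_ids(n)), covert),
    }
```

Against a host that increments IP IDs the modulated stream is an obvious outlier; against a host that already randomises the field it sits inside the learned model and the same rule is blind to it.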



