Re: IDS vs Application Proxy Firewal

[Ashish Kamra <akamra () purdue edu>]

My two cents on this issue as a Phd student working on an AD system for 
a DBMS (who just wants get his Phd at the moment and not get into a 
debate :-)).

I was at the Recent Advances in Intrusion Detection Conference (RAID 
2008) recently where one of the topics for a panel discussion was "Life 
after antivirus". The main take-away from the discussion was that even 
top anti-virus companies are looking at whitelisting approaches to 
augment the existing blacklists in order to win the battle against ever 
increasing malware variants. They propose to come up with an combination 
of whitelists, blacklists and reputation based systems. Here is the link 
to one of the relevant presentations:

http://www.ll.mit.edu/RAID2008/Files/3-MartinFrechette-AVTalk.ppt

and to others http://www.ll.mit.edu/RAID2008/panels.html

Regards,
Ashish


Stefano Zanero wrote:
> Omar Herrera wrote:
>
> > Well formally yes, you are right, but you say you are whitelisting
> > /blacklisting from the point of view of whom, the vendor of the security
> > control or the user?
>
> In the case of anomaly detection systems, from the point of view of the
> network or system where the system is deployed, as almost all systems of
> this kind perform learning.
>
> > bad? Let us say for example that using FTP is bad for a company and good
> > for another, for any reason you want. You run your AD tool but the
> > activity is not present for whatever learning time frame you want. Then
> > you see the activity shows up in both cases, what will the tool say and
>
> Nope, you are thinking that learning happens somewhere else than on the
> deployment site. This is not the case.
>
> > how will act on it? The only way it won't be wrong in any of the two
> > cases is to tell the user "something unusual is happening and let
> > him/her decide.
>
> Which is what any detector will do, anomaly or misuse based.
>
> > they put the time and resources). The whole idea of white listing is to
> > get a complete set of known good activities, so that you can safely ban
> > "everything else". 
>
> Which is the whole idea of firewalling. The fact that the perimeter is
> coming down crashing and burning should tell a tale on this.
>
> > if people take the time and effort to make a risk assessment and
> > separate things (DB there, card processing system here, Web front
> > application over there, and not everything in the same place)
>
> Yes, on systems that are perfectly secure and designed to be perfectly
> secure from the ground up, intrusion detection is pretty useless, I agree :)
>
> On the other hand, we usually think of real world systems ;)
>
> > same problem, and it is not just ploymorphism. Fred Cohen demonstrated
> > formally that no software can automatically decide if another piece of
> > software previously unknown is malware or not.
>
> Please, don't get all computer-theoretical on me. Cohen (and a lot of
> other people, actually) reasoned on the basis of the halting problem,
> and of completeness of computation. It is extremely interesting, but has
> really nothing to do with what we're discussing here.
>
> > Well, I would like to be wrong :-). If you have something that can
> > automatically learn without false positives or negatives
>
> Oh, I can provide you with thousands of prototypes which work without
> false positive, OR without false negatives :)
>
> If you want neither, well, that's something you cannot have. Any
> learning system will let you trade off between those values.
>
> > complete white list (from the users perspective) or gives the same level
> > of security (with a formal proof) using another approach
>
> The point is that you cannot have white list, so setting them as a
> metric for existing security systems does not make any sense.
>
> Best,
> Stefano
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------