Firewall Wizards mailing list archives

Re: Intrusion Detection


From: tqbf () secnet com
Date: Tue, 14 Apr 1998 16:25:30 -0500 (CDT)

What are the kind of Intrusions an Intrusion Detection software can detect? What all it cannot? Also, specify the 
reasons.

Right now? 

You wrote firewall-wizards in order to get a realistic appraisal of the
capabilities of intrusion detection systems. That's what the value of this
list is. If you want to hear the marketing appraisal of ID systems, I
suggest you consult vendor websites. The market leaders include:

        ISS, for RealSecure, at http://www.iss.net
        Axent, at http://www.axent.com
        Cisco, for NetRanger, at http://www.cisco.com
        AbirNet, for SessionWall-3, at http://www.abirnet.com
        SDTI, for Kane Security Analyst, at http://www.securitydynamics.com

As far as the real world goes, my 2 second summary of the currently
available products is "they will catch a significant percentage of the
attacks that don't try to evade detection". There are as many different
ways to build an IDS as there are words in this message, and none of them
have been adequately tested yet. We don't even know HOW to test them yet. 

What I think we do know is this: the most popular products are
"network-based misuse detectors", meaning that they attempt to detect
known patterns of misuse by examining network traffic. All of the current
network misuse detectors rely on passive network traffic analysis
("sniffing") to collect information to analyze. 

These systems are currently known to have serious flaws that have not been
completely addressed yet. The specifics are fairly technical, but they
amount to the fact that a skillful attacker can create streams of network
traffic that can't be accurately analyzed by network ID systems. The
details of some of these problems are available in two papers, one from
Vern Paxson at the Network Research Group of LBL, and one from myself and
Timothy Newsham at Secure Networks, Inc. 

Mr. Paxson's paper is:

        Paxson, V., Bro: A System for Detecting Network Intruders in
        Real-Time. Proceedings of the 7th USENIX Security Symposium, San
        Antonio, TX, January 1998.

        ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z

Our paper is:

        Ptacek, T. and Newsham, T., Insertion, Evasion, and Denial
        of Service: Eluding Network Intrusion Detection --- an SNI
        Technical Report, January, 1998.

        http://www.secnet.com/papers

My advice is that it's a good idea to deploy these systems if you're aware
of their limitations (which are currently fairly significant). It is
likely that an IDS will give you a reasonable amount of information about
casual attacks on your system, which is valuable. However, it would be a
very poor idea to depend on an intrusion detection system, especially if
you are relying on it to configure and maintain access control devices
(like firewalls). 

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
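An added illustration of the insertion/evasion problem the post refers to, written for this archive page and not taken from the post, the Ptacek/Newsham report, or any product named above. It contrasts a per-packet signature matcher with one that reassembles the TCP stream first, and it shows why a passive sniffer that sees two overlapping segments with different contents cannot know which copy the receiving host accepted and should flag the ambiguity rather than guess. The signature, segment layout and "isn" (initial sequence number) are all constructed test data.

```python
"""Per-packet matching vs. stream reassembly in a passive network monitor.

Constructed example for the evasion discussion above; not code from the
original post or from any IDS product. All packet data below is made up.
"""
from dataclasses import dataclass

# Constructed signature a misuse detector is looking for in a TCP payload.
SIGNATURE = b"forbidden-command"


@dataclass
class Segment:
    """One captured TCP segment: relative sequence number plus payload."""
    seq: int
    data: bytes


def per_packet_match(segments):
    """Naive detector: inspects each packet payload in isolation."""
    return any(SIGNATURE in seg.data for seg in segments)


def reassemble(segments, isn=0):
    """Rebuild the byte stream the monitor believes the receiver saw.

    Returns (payload, ambiguous_offsets). Overlapping bytes that agree are
    harmless retransmissions; overlapping bytes that DISAGREE are recorded,
    because only the endpoint's TCP stack decides which copy it keeps and a
    passive sniffer cannot observe that choice. A gap in the sequence space
    is reported as an error rather than silently skipped.
    """
    buf = bytearray()
    ambiguous = []
    for seg in sorted(segments, key=lambda s: s.seq):  # handles reordering
        offset = seg.seq - isn
        if offset > len(buf):
            raise ValueError(f"gap in stream before seq {seg.seq}")
        for i, byte in enumerate(seg.data):
            pos = offset + i
            if pos < len(buf):
                if buf[pos] != byte:      # conflicting overlap: can't know
                    ambiguous.append(pos)  # which byte the host accepted
            else:
                buf.append(byte)
    return bytes(buf), ambiguous


def analyze(segments, isn=0):
    """Run both detectors and return a conservative verdict."""
    payload, ambiguous = reassemble(segments, isn)
    stream_hit = SIGNATURE in payload
    if ambiguous:
        verdict = "needs-review"   # stream content is not determinable
    elif stream_hit:
        verdict = "alert"
    else:
        verdict = "clean"
    return {
        "per_packet": per_packet_match(segments),
        "stream": stream_hit,
        "ambiguous_offsets": ambiguous,
        "verdict": verdict,
    }


# Constructed case 1: signature crosses a segment boundary, and the
# segments are captured out of order. Per-packet matching sees nothing.
SPLIT_CASE = [
    Segment(seq=22, data=b"command\n"),
    Segment(seq=0, data=b"user input: forbidden-"),
]

# Constructed case 2: two segments claim the same sequence range with
# different contents. The monitor cannot tell which one the host kept.
OVERLAP_CASE = [
    Segment(seq=0, data=b"user input: "),
    Segment(seq=12, data=b"forbidden-command"),
    Segment(seq=12, data=b"harmless-command!"),
]

if __name__ == "__main__":
    for name, case in (("split", SPLIT_CASE), ("overlap", OVERLAP_CASE)):
        print(name, analyze(case))
```

The point to take from the two cases is the one the post makes: reassembly closes the simple gap (case 1), but a passive monitor still has no ground truth for conflicting data (case 2), so the honest output there is "I could not analyze this stream", which an operator can route to a person or a host-side check rather than treating silence as safety.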


