Firewall Wizards mailing list archives

RE: INtrusion Detection


From: Alfred Huger <ahuger () securenetworks com>
Date: Thu, 19 Feb 1998 11:11:22 -0700 (MST)


On Thu, 19 Feb 1998, Gary Crumrine wrote:

> OK Tom, you have managed to poke holes in every product on the market...now
> how do you propose we fix the problems?  The need is definitely there, no
> one will argue that...so what is a guy/girl to do?  Are you suggesting that
> we go without anything?

Gary, 

The paper was written to define the security posture of network based IDS
systems, which IMO it did quite well. The next logical step is to discuss
possible solutions, hence the discussion on this list. 

The paper at no point made a suggestion that current network IDS should be
scrapped. It pointed out (and accurately so) that the current IDS systems
studied carried some disastrous flaws which precluded them from operating
as advertised.

> That even in the limited functionality presented
> by these products, that they should not be used at all?   I disagree.
> Anything that enhances the security of someone's system is welcome, and
> adds value.

Sure, I think that both Tom and I agree with you that current net based
IDS systems raise the bar against anklebiters. This however would be cold
comfort to an organization with data important enough to attract attention
from someone other than your standard script kiddie. 

On the whole, it raises your ability to react, this is not something we
argue against in our paper. 


> Nothing is 100% safe.  A determined, knowledgeable group can take out
> anything.  I would think that any tool that does provide increased security
> is viable.  Do they work in all cases?   Nope    Do they offer false
> security?  Only to the unknowing.

Only to the unknowing, that's a curious statement. I submit to you that
anyone who gets broken into has a security flaw present that they are
unaware of. Education counts for very little when you consider the rapid
spread of vulnerability information and toolsets in the underground. Can
you keep up? Unlikely.

Having software with flaws deployed across your network is an unfortunate
but accepted risk when doing business on the net. However, one would hope
that your software which is supposed to be written for security is
secure. You would hope your vendor put some due diligence into their
designs.


> I think the IDS products we see on the
> market today represent where the Firewall industry was a few years ago.

Commercially perhaps, technology wise I would disagree. I have yet to see
any papers describing how the base technology behind application
level (or filtering) firewalls is broken. Net based IDS is clearly at best
severely problematic, at worst horribly broken.

> Look where that is now, multi billion dollar industry, and they still can
> not say that you are 100% safe.

Of course they can't. The word 'liability' comes to mind. I think it's a
safe assertion to say that Firewalls and net based IDS are different
creatures, and comparing them as far as 'who's safer' is probably not
terribly accurate or useful.

> With the advent of the network appliance
> products coming to market these days, the deathknell is sounding.

Perhaps, but I think that too is unlikely. Firewalls are not on the way
out the door yet. Far too many have been deployed, and far too much money
has been put into positioning them in the market. There may be a day when
the technology is not long for this world, but I do not think it's now.

Although, now that Cisco purchased Wheelgroup anything could happen I
suppose. 

> You are right in that some IDS advertisements do stretch the limit a bit,
> but no more than the claims by the firewall vendors.

Stretch the limit a bit? Marketers and sales people perform heinous acts
of dishonesty when attempting to push their products on customers. This
however is not exclusive to this industry, it's a prevalent problem
throughout any industry. 

> Pricing seems to
> indicate that they feel the products are right up there with firewalls.

This is entirely dependent on whose IDS you are talking about. The
majority of the net based IDS systems out there are quite a bit cheaper
than your standard firewall.

> I believe in this so much, that I think you will see a big push for
> LEADING Firewall technology companies will begin to incorporate this
> functionality
> in their product as a way of marketing their product.

Yes, absolutely. This in no way validates the technology though. Only the
market's desire for it.

> The bottom line is that what ever you are talking about, be it firewall
> technology, or IDS systems, OS's whatever, it comes down to the person who
> is configuring the beast and whether they exercise due diligence in their
> work.

This I feel is not a realistic expectation. The problems found in these
IDS systems would not have been found by your average end user. He/she
could have been informed enough to write volumes on comp-sec; unless they
were capable of performing their own packet manipulation studies against
the product they would have had no idea about the shortcomings they have.
This not only implies a significant technical level of programming, it
also implies a significant amount of research time. SNI ceded a little
over a month for our research. I am not familiar with too many
organizations who can afford to put that much research time into a single
purchasing decision.

> These IDS products are nothing more than a tool to be used in a
> total threat management program.  If you got the bucks to spend, I think
> the return on the investment is good.

I guess that depends on what you're protecting, and who out there wants to
get their hands on it.

/****************************************************************************
Alfred Huger                                    http://www.secnet.com/ballista
Project Director                                ahuger () secnet com
Secure Networks Inc. (SNI)
*****************************************************************************/
