Firewall Wizards mailing list archives
RE: INtrusion Detection
From: Alfred Huger <ahuger () securenetworks com>
Date: Thu, 19 Feb 1998 11:11:22 -0700 (MST)
On Thu, 19 Feb 1998, Gary Crumrine wrote:
> OK Tom, you have managed to poke holes in every product on the market...now how do you propose we fix the problems? The need is definitely there, no one will argue that...so what is a guy/girl to do? Are you suggesting that we go without anything?

Gary, the paper was written to define the security posture of network based IDS systems, which IMO it did quite well. The next logical step is to discuss possible solutions, hence the discussion on this list. The paper at no point made a suggestion that current network IDS should be scrapped. It pointed out (and accurately so) that the current IDS systems studied carried some disastrous flaws which precluded them from operating as advertised.

> That even with the limited functionality presented by these products, they should not be used at all? I disagree. Anything that enhances the security of someone's system is welcome, and adds value.

Sure, I think that both Tom and I agree with you that current net based IDS systems raise the bar against anklebiters. This however would be cold comfort to an organization with data important enough to attract attention from someone other than your standard script kiddie. On the whole, it raises your ability to react; this is not something we argue against in our paper.

> Nothing is 100% safe. A determined, knowledgeable group can take out anything. I would think that any tool that does provide increased security is viable. Do they work in all cases? Nope. Do they offer false security? Only to the unknowing.

Only to the unknowing. That's a curious statement. I submit to you that anyone who gets broken into has a security flaw present that they are unaware of. Education counts for very little when you consider the rapid spread of vulnerability information and toolsets in the underground. Can you keep up? Unlikely. Having software with flaws deployed across your network is an unfortunate but accepted risk when doing business on the net. However, one would hope that your software which is supposed to be written for security is secure. You would hope your vendor put some due diligence into their designs.

> I think the IDS products we see on the market today represent where the Firewall industry was a few years ago.

Commercially perhaps; technology-wise I would disagree. I have yet to see any papers describing how the base technology behind application level (or filtering) firewalls is broken. Net based IDS is clearly at best severely problematic, at worst horribly broken.

> Look where that is now, multi billion dollar industry, and they still can not say that you are 100% safe.

Of course they can't. The word 'liability' comes to mind. I think it's a safe assertion to say that Firewalls and net based IDS are different creatures, and comparing them as far as 'who's safer' is probably not terribly accurate or useful.

> With the advent of the network appliance products coming to market these days, the deathknell is sounding.

Perhaps, but I think that too is unlikely. Firewalls are not on the way out the door yet. Far too many have been deployed, and far too much money has been put into positioning them in the market. There may be a day when the technology is not long for this world, but I do not think it's now. Although, now that Cisco purchased Wheelgroup anything could happen I suppose.

> You are right in that some IDS advertisements do stretch the limit a bit, but no more than the claims by the firewall vendors.

Stretch the limit a bit? Marketers and sales people perform heinous acts of dishonesty when attempting to push their products on customers. This however is not exclusive to this industry; it's a prevalent problem throughout any industry.

> Pricing seems to indicate that they feel the products are right up there with firewalls.

This is entirely dependent on whose IDS you are talking about. The majority of the net based IDS systems out there are quite a bit cheaper than your standard firewall.

> I believe in this so much that I think you will see a big push for LEADING Firewall technology companies to begin incorporating this functionality in their product as a way of marketing their product.

Yes, absolutely. This in no way validates the technology though, only the market's desire for it.

> The bottom line is that whatever you are talking about, be it firewall technology, or IDS systems, OS's, whatever, it comes down to the person who is configuring the beast and whether they exercise due diligence in their work.

This I feel is not a realistic expectation. The problems found in these IDS systems would not have been found by your average end user. He/she could have been informed enough to write volumes on comp-sec, but unless they were capable of performing their own packet manipulation studies against the product, they would have had no idea about the shortcomings it has. This not only implies a significant technical level of programming, it also implies a significant amount of research time. SNI ceded a little over a month for our research. I am not familiar with too many organizations who can afford to put that much research time into a single purchasing decision.

> These IDS products are nothing more than a tool to be used in a total threat management program. If you got the bucks to spend, I think the return on the investment is good.

I guess that depends on what you're protecting, and who out there wants to get their hands on it.

/****************************************************************************
 Alfred Huger                          http://www.secnet.com/ballista
 Project Director                      ahuger () secnet com
 Secure Networks Inc. (SNI)
*****************************************************************************/