Firewall Wizards mailing list archives

Re: Intrusion Detection


From: tqbf () secnet com
Date: Thu, 19 Feb 1998 13:56:26 -0600 (CST)


OK Tom, you have managed to poke holes in every product on the market...now 

[ ... ]

we go without anything?   That even in the limited functionality presented 
by these products, that they should not be used at all?   I disagree. 

I am not saying ID systems should not be used at all. In fact, I haven't
even said "don't use these broken systems", broken as they are. My point
is simple:

Nothing is 100% secure. Everything has vulnerabilities. It is critical
that people deploying security technology know exactly what those
vulnerabilities are. 

I am also, in a side discussion here, talking about the benefits I see in
ID systems built around proxies, rather than passive monitors. This is a
possible solution to the problem, and it's the only one I'm actually
proposing. Given the choice between a passive and active ID system, I will 
always tell you "go with the proxy", because I don't think the reliability
of passive systems is competitive with that of active systems.

That's about as far as my opinion on this matter goes. I am not an IDS
vendor, and thus don't see a real responsibility on my part to "fix all
the problems" in passive "network grep" products. Any contributions I make
to this thread are due to an interest in the technology, and nothing more.

anything.  I would think that any tool that does provide increased security 
is viable.  Do they work in all cases?   Nope    Do they offer false 

This isn't true. Slopping on more and more security software is not always
harmless. For example, look at the "tripwire-port" TCP portscanners that
people are writing (they catch port scans by emitting an alarm when
someone tries to connect to their port). These systems are not only
trivially avoidable, but they can also be easily leveraged to deny service
to the system.

The same thing is true of "reactive firewall" ID systems.

security?  Only to the unknowing.  I think the IDS products we see on the 
market today represent where the Firewall industry was a few years ago. 

As an aside:

I don't recall a time where the firewall industry was ever in a situation
where every product on the market contained serious security problems, some
of which did not appear to be fixable. 

You are right in that some IDS advertisements do stretch the limit a bit, 
but no more than the claims by the firewall vendors.  Pricing seems to 

This is something I completely disagree with.

Vendors of proxy firewalls have a fairly decent basis in fact when they
make claims about the protection their firewalls offer. Nobody has come
forth and publicly explained flaws in the technology (other than the
obvious stuff, like the incoming traffic problem). The technology is, to
some degree, proven, and the design is very solid. 

There is really not that much of a reason to believe that a firewall
system, which is the only ingress point into a network, cannot perform
access control.

On the other hand, there are many reasons to believe that passive ID
systems cannot do what they are advertised to be able to do. The product
has much more of a potential for serious problems, because the problem of
reconstructing traffic identically to an arbitrary endpoint in parallel,
real time, is more difficult than the problem of providing proxies only
for valid traffic. 

Moreover, all the systems are currently broken! Not a single vendor has
chimed in publicly on their website and said "Customer Warning! Our
product is currently vulnerable to a series of problems identified in...". 
The current advertising claim that these systems work AT ALL is false
(in my absolutist perspective), and remains so until the trivial problems
are fixed.

I view a difference in marketing claims that reduces the effective
signature count of an IDS by an order of magnitude (and where all the new
signatures basically represent the same type of attack) as significant. 
I'm surprised that you see this as a "minor marketing stretch". 

The bottom line is that whatever you are talking about, be it firewall 
technology, or IDS systems, OS's whatever, it comes down to the person who 
is configuring the beast and whether they exercise due diligence in their 

That's not true either. You can be the most diligent person on the planet,
and if you install SessionSecure PRO on your network right now
(hypothetical IDS), you are vulnerable. The vendors are the responsible
parties here, not the installers. Let's keep this in perspective. 

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
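The post above argues that a passive monitor has to reconstruct a TCP stream exactly the way the receiving host does, and that this is harder than proxying only valid traffic. The following is an added example, not code from the original post or from any product it mentions: a toy reassembler with two hypothetical overlap policies ("first" keeps the bytes that arrived first for an offset, "last" lets a later segment overwrite them), run over a constructed set of segments that contain a conflicting retransmission. A sensor that picks a different policy from the host reconstructs a different byte stream; the defender-side takeaway is that a monitor should at least report offsets where overlapping segments disagreed instead of silently choosing one.

```python
"""Added example (not from the mailing-list post): TCP reassembly
ambiguity as seen by a passive monitor versus an endpoint.

Policies and sample segments are constructed for illustration only."""

from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first byte
    data: bytes   # payload carried by this segment


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Rebuild the contiguous byte stream from offset 0 up to the first gap.

    policy "first": the byte delivered first for an offset is kept
                    (later overlapping data is ignored).
    policy "last":  a later segment overwrites earlier data at that offset.
    Both policies are hypothetical stand-ins for real stack behaviour.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seg in segments:                    # list order == arrival order
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:                    # stop at the first missing offset
        out.append(stream[off])
        off += 1
    return bytes(out)


def overlap_conflicts(segments: Iterable[Segment]) -> List[int]:
    """Return offsets where two overlapping segments carried different bytes.

    A non-empty result is what a monitor should surface: it means the stream
    it reconstructs depends on a policy choice the monitor cannot verify.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


def sensor_matches_host(segments: List[Segment],
                        host_policy: str, sensor_policy: str) -> bool:
    """True when the sensor's reconstruction equals the host's."""
    return reassemble(segments, host_policy) == reassemble(segments, sensor_policy)


# Constructed sample: bytes 5-9 are sent twice with different content.
SAMPLE = [
    Segment(0, b"HELO "),
    Segment(5, b"alpha"),
    Segment(5, b"bravo"),   # conflicting retransmission of offsets 5-9
    Segment(10, b"\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE, policy))
    print("conflicting offsets:", overlap_conflicts(SAMPLE))
    print("sensor(first) == host(last)?",
          sensor_matches_host(SAMPLE, "last", "first"))
```

Running it shows `HELO alpha` under the "first" policy and `HELO bravo` under "last", with offsets 5 through 9 reported as conflicting; that report is available to the monitor regardless of which policy the real endpoint uses.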


