Firewall Wizards mailing list archives
Re: INtrusion Detection
From: tqbf () secnet com
Date: Thu, 19 Feb 1998 13:56:26 -0600 (CST)
> OK Tom, you have managed to poke holes in every product on the market...now
> [ ... ]
> we go without anything? That even in the limited functionality presented by these products, that they should not be used at all? I disagree.
I am not saying ID systems should not be used at all. In fact, I haven't even said "don't use these broken systems", broken as they are. My point is simple: Nothing is 100% secure. Everything has vulnerabilities. It is critical that people deploying security technology know exactly what those vulnerabilities are. I am also, in a side discussion here, talking about the benefits I see in ID systems built around proxies, rather than passive monitors. This is a possible solution to the problem, and it's the only one I'm actually proposing. Given the choice between a passive and active ID system, I will always tell you "go with the proxy", because I don't think the reliability of passive systems is competitive with that of active systems. That's about as far as my opinion on this matter goes. I am not an IDS vendor, and thus don't see a real responsibility on my part to "fix all the problems" in passive "network grep" products. Any contributions I make to this thread are due to an interest in the technology, and nothing more.
> anything. I would think that any tool that does provide increased security is viable. Do they work in all cases? Nope. Do they offer false
This isn't true. Slopping on more and more security software is not always harmless. For example, look at the "tripwire-port" TCP portscanners that people are writing (they catch port scans by emitting an alarm when someone tries to connect to their port). These systems are not only trivially avoidable, but they can also be easily leveraged to deny service to the system. The same thing is true of "reactive firewall" ID systems.
> security? Only to the unknowing. I think the IDS products we see on the market today represent where the Firewall industry was a few years ago.
As an aside: I don't recall a time where the firewall industry was ever in a situation where every product on the market contained serious security problems, some of which did not appear to be fixable.
> You are right in that some IDS advertisements do stretch the limit a bit, but no more than the claims by the firewall vendors. Pricing seems to
This is something I completely disagree with. Vendors of proxy firewalls have a fairly decent basis in fact when they make claims about the protection their firewalls offer. Nobody has come forth and publicly explained flaws in the technology (other than the obvious stuff, like the incoming traffic problem). The technology is, to some degree, proven, and the design is very solid. There is really not that much of a reason to believe that a firewall system, which is the only ingress point into a network, cannot perform access control. On the other hand, there are many reasons to believe that passive ID systems cannot do what they are advertised to be able to do. The product has much more of a potential for serious problems, because the problem of reconstructing traffic identically to an arbitrary endpoint in parallel, real time, is more difficult than the problem of providing proxies only for valid traffic. Moreover, all the systems are currently broken! Not a single vendor has chimed in publicly on their website and said "Customer Warning! Our product is currently vulnerable to a series of problems identified in...". The current advertising claim that these systems work AT ALL is false (in my absolutist perspective), and remains so until the trivial problems are fixed. I view a difference in marketing claims that reduces the effective signature count of an IDS by an order of magnitude (and where all the new signatures basically represent the same type of attack) as significant. I'm surprised that you see this as a "minor marketing stretch".
> The bottom line is that what ever you are talking about, be it firewall technology, or IDS systems, OS's whatever, it comes down to the person who is configuring the beast and whether they exercise due diligence in their
That's not true either. You can be the most diligent person on the planet, and if you install SessionSecure PRO on your network right now (hypothetical IDS), you are vulnerable. The vendors are the responsible parties here, not the installers. Let's keep this in perspective.

-----------------------------------------------------------------------------
Thomas H. Ptacek
Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf
"mmm... sacrilicious"
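The "tripwire-port" and "reactive firewall" point in the message above, worked through as an added example; this is not code from the original message or from any product it names. A naive reactive blocker is put beside a hardened one and both are fed the same constructed stream of connection attempts. The naive policy blocks whatever source address an attempt carries, so a single half-open attempt bearing a critical peer's address is enough to cut that peer off, which is the denial-of-service exposure the message describes. The hardened policy acts only on completed handshakes (an address that finished the three-way handshake was really reachable at that address), refuses to block allowlisted infrastructure and expires every block. All class names, ports and addresses are constructed for the illustration.

```python
"""Added example: a naive reactive port-alarm policy beside a hardened one.

Constructed illustration code, not from the original message or any product
it names. Addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Probe:
    """One observed connection attempt to the monitored host (constructed record).

    `completed` is True only when the TCP three-way handshake finished, i.e. the
    peer at `src` answered our SYN/ACK. A half-open attempt proves nothing about
    who really sent it, so its `src` must not be trusted.
    """
    ts: float
    src: str
    dport: int
    completed: bool


class NaiveReactiveBlocker:
    """Blocks the source of any attempt on a trap port, immediately and forever."""

    def __init__(self, trap_ports: Iterable[int]) -> None:
        self.trap_ports: Set[int] = set(trap_ports)
        self.blocked: Set[str] = set()

    def observe(self, p: Probe) -> Optional[str]:
        if p.dport in self.trap_ports:
            self.blocked.add(p.src)        # trusts an unverified address
            return f"block {p.src}"
        return None

    def allows(self, src: str, ts: float) -> bool:
        return src not in self.blocked


class HardenedReactiveBlocker:
    """Same trap-port idea with three guards against a self-inflicted outage:
    act only on completed handshakes, never block allowlisted peers, expire blocks."""

    def __init__(self, trap_ports: Iterable[int], allowlist: Iterable[str],
                 block_seconds: float) -> None:
        self.trap_ports: Set[int] = set(trap_ports)
        self.allowlist: Set[str] = set(allowlist)
        self.block_seconds = block_seconds
        self.blocked_until: Dict[str, float] = {}

    def observe(self, p: Probe) -> Optional[str]:
        if p.dport not in self.trap_ports:
            return None
        if not p.completed:
            return f"log-only {p.src}"      # unverified source: record, do not act
        if p.src in self.allowlist:
            return f"alert-only {p.src}"    # critical peer: page a human instead
        self.blocked_until[p.src] = p.ts + self.block_seconds
        return f"block {p.src} until {self.blocked_until[p.src]:.0f}"

    def allows(self, src: str, ts: float) -> bool:
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return True
        if ts >= expiry:
            del self.blocked_until[src]     # block has aged out
            return True
        return False


TRAP_PORTS = {2345}
SCANNER = "203.0.113.9"          # completes the handshake, so it really is there
DNS_RESOLVER = "198.51.100.1"    # appears only as the src of a half-open attempt
MAIL_RELAY = "192.0.2.7"         # likewise
CRITICAL_PEERS = {DNS_RESOLVER, MAIL_RELAY}

# Constructed event stream: one real scan, two half-open attempts carrying the
# addresses of peers we depend on, and some ordinary traffic to a normal port.
CONSTRUCTED_EVENTS = [
    Probe(0.0, SCANNER, 2345, completed=True),
    Probe(1.0, DNS_RESOLVER, 2345, completed=False),
    Probe(2.0, MAIL_RELAY, 2345, completed=False),
    Probe(3.0, SCANNER, 80, completed=True),
]


def reachability(policy, events: Iterable[Probe], peers: Iterable[str],
                 ts: float) -> Dict[str, bool]:
    """Feed `events` to `policy`, then report which `peers` can still reach us at `ts`."""
    for e in events:
        policy.observe(e)
    return {peer: policy.allows(peer, ts) for peer in peers}


def compare(ts: float = 10.0) -> Dict[str, Dict[str, bool]]:
    """Run both policies over the constructed events and tabulate who is still reachable."""
    naive = NaiveReactiveBlocker(TRAP_PORTS)
    hardened = HardenedReactiveBlocker(TRAP_PORTS, CRITICAL_PEERS, block_seconds=600)
    peers = CRITICAL_PEERS | {SCANNER}
    return {
        "naive": reachability(naive, CONSTRUCTED_EVENTS, peers, ts),
        "hardened": reachability(hardened, CONSTRUCTED_EVENTS, peers, ts),
    }


if __name__ == "__main__":
    for name, table in compare().items():
        print(name, table)
```

Running `compare()` shows the naive policy has blocked the resolver and the mail relay on the strength of two half-open attempts, while the hardened policy blocks only the scanner, and only for ten minutes. The same three guards apply to any tool that turns an alarm into an automatic block.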