Firewall Wizards mailing list archives

thoughts on recent IDS discussions


From: firewall-witch () bigfoot com
Date: Fri, 20 Feb 1998 11:48:42 -0500

Hi,

Like Rick Morrow I'm another lurker who wants to make a few comments.  Please excuse any naivety.

*** As said before, congratulations to all on the quality of discussion on this list.  It's been very interesting and 
informative reading.

*** I agree that "peer review" is the only way to go with security products.  You can't wait for them to be broken into 
in a live scenario.  Who would you rather have expose the vulnerabilities first - the white-hats or the black-hats?  
Unfortunately "security through obscurity" is not a reliable basis for a security policy, as I keep trying to convince 
my managers.

Also, being seen to understand and react to new security issues is a definite plus for any company, as shown by Cisco's 
relatively recent actions.  Of course this looks good to the Internet "Security Community" rather than to the average 
customer, but I'm presuming sufficient information trickles down.

*** I won't go into specific software, but Marcus's comments on logging unsuccessful attacks hinted at what seems to me 
an often ignored aspect of security :- DoS attacks on humans.  Sysadmins tend to be over-worked by default, and 
unfortunately network security tends to be "something else" sysadmins do rather than being a specific job title.  
Therefore a massive number of alarms can swamp a sysadmin to the point where she will ignore future warnings.  So 
something else to consider with IDS's, and firewalls for that matter, is the way that issues are reported.  
Unfortunately I haven't had time to do more than scan the CIDF spec, but humans are listed amongst the A-boxes.  The 
weaknesses explored in the SNI paper show that completely fake attacks could be presented to an IDS, so the sysadmin 
will spend time examining vulnerabilities to, and protecting against, non-existent attacks.

*** Having said that, the place of IDS's is very important.  I think the problem is, as Ptacek has stated, that marketing 
departments are being over-zealous.

Kurt Ziegler's signature states:-

+++++++++++
AbirNet returns network control back to your company. SessionWall-3 
provides you all the capabilities you need to fearlessly connect your 
business to the Internet and effectively manage your Intranet usage in a 
single easy to use affordable software product.  See us at www.AbirNet.com 
+++++++++++

"fearlessly?"

I like SessionWall-3, a lot, but I wouldn't protect the perimeter with it.  IDS's are very useful for the "forensic and 
ballistic" part of network security, both during and after attempts.  If identical attacks are being run against your 
network from multiple addresses, either the news is out about a particular weakness, or the latest hack has made its 
way around the #hack fraternity and it's just your turn.  For example, in our case we do get some ( insert OS here ) 
related attacks, but word has yet to get around that we're an ( insert OS vendor here ) site.  However, while a firewall 
would (possibly) just block the attempts, an IDS logging attacks would alert us to the fact that the standard ( insert 
OS here ) exploits, *and those exploits only*, are being used.  Know your enemy - and know what they know of you.

( Having looked through my saved emails I see I'm basically seconding Panayiotes Psihoyios's comments above).

Also, the current IDS's have a place to prevent and detect the use of standard attacks by script kiddies and saboteurs 
on your internal networks.  Unless you've got a rogue high-up in IT, any potential internal hacker will be using known 
attacks; they can therefore be stopped, and logs used to effect immediate dismissal.  This prevents having the "crunchy 
on the outside, soft on the inside" security policy, as stated by Paul Cardon.

And with the added functionality of SessionWall-3 ( only product I can speak of ), if IDS's are sniffing anyway, they 
can log network and internet use of employees.  So if your machines start BSODing, search through the logs for "winnuke".

One final point - this message has been posted anonymously for various reasons.  You're all presumably pretty dedicated 
to the security side of the industry and have decent budgets, and some of you are CEOs or equivalent.  Unfortunately I 
do not have the budget or authority, and to speak honestly I need to disclose that there are weaknesses, even if I dare 
not be specific.  My apologies.
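An added example, written for this archive page and not taken from the post or from any product it names, of the reporting point raised above: a flood of identical alerts is collapsed to one summary line per signature, and the "same attack from multiple addresses" pattern is flagged rather than buried. The log format, the `phf-cgi` signature name, the addresses and the `min_sources` threshold are all constructed for illustration.

```python
# Added example (not from the original post): collapse a flood of IDS
# alerts into one summary line per signature, so that the same attack
# arriving from many addresses stands out instead of drowning the reader.
from collections import defaultdict

# Constructed alert lines in a made-up "timestamp key=value ..." format.
SAMPLE_ALERTS = """\
1998-02-20T11:40:01 sig=winnuke src=10.0.0.5 dst=192.0.2.10
1998-02-20T11:40:02 sig=winnuke src=10.0.0.5 dst=192.0.2.10
1998-02-20T11:41:17 sig=phf-cgi src=198.51.100.7 dst=192.0.2.20
1998-02-20T11:42:03 sig=phf-cgi src=198.51.100.9 dst=192.0.2.20
1998-02-20T11:45:44 sig=phf-cgi src=203.0.113.4 dst=192.0.2.20
this line is garbage and must be skipped
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a malformed line."""
    parts = line.split()
    fields = {}
    for token in parts[1:]:          # parts[0] is the timestamp
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields if {"sig", "src"} <= fields.keys() else None

def summarise(text, min_sources=3):
    """Return (signature -> (count, sources), signatures from >= min_sources addresses)."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue                  # never let junk input raise
        counts[alert["sig"]] += 1
        sources[alert["sig"]].add(alert["src"])
    summary = {sig: (counts[sig], sources[sig]) for sig in counts}
    widespread = sorted(s for s, (_, srcs) in summary.items() if len(srcs) >= min_sources)
    return summary, widespread

def report(text, min_sources=3):
    """One human-readable line per signature instead of one per packet."""
    summary, widespread = summarise(text, min_sources)
    return [f"{sig}: {n} alerts from {len(srcs)} address(es)"
            + (" [identical attack from multiple addresses]" if sig in widespread else "")
            for sig, (n, srcs) in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS)))
```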
