Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: tqbf () secnet com
Date: Sun, 15 Feb 1998 01:11:57 -0600 (CST)

> forgive me if I've read this wrong - but this sounds like an app proxy
> firewall does it not?

Yeah, I realize that it does.

> OK it's a firewall with much better alarming and logging. But in normal
> security (I mean physical) an IDS is a detection system - it does not
> provide a major response, though it may assist in the apprehension phase.

This is where I (and I suspect most IDS researchers) will disagree with
you. An IDS is simply a system that attempts to detect misuse of computer
resources. There's no rule that says the system needs to be unobtrusive.
Note that when I discuss whether or not an IDS allows packets to pass, I
do so with the vision that an IDS is only going to block traffic it can't
understand; it's not a general access control device, and the traffic
allowed through by an IDS can be extremely (and obviously) dangerous. 

The only requirement is that traffic only makes it through when its
meaning is unambiguous.

> What I can see here is a transparent proxy IDS sitting on the wire proxying
> all the packets, but not attempting to fit them against rules, just passing
> them through the proxy layers. Think of an App Proxy firewall with ANY to ANY
> rule set to allow.

Yep. This is PRECISELY what I am envisioning. Someone else's term for this
was (excuse me) a "normalizing gateway".

> packets or chronically overlapped packets). BUT it would not try and fix the
> packets - if anything this is the firewall's job, otherwise it would be

Sure. The proxy IDS can always just drop anything it doesn't understand.

> This will cut down the attacks via TCP stacks, but still not handle the
> problem of 'conventional' attacks - via buffer overflow etc. It seems we

This addresses a higher level problem with intrusion detection. The
current commercial systems we have all tend to follow the "misuse
detection" model of IDS, where the IDS looks for specific, previously
known patterns of abuse. This has two limitations: first, it only detects
attacks known by the IDS (this is not a limitation of many other
systems!), and second, that the manner in which the IDS detects a known
attack must address all possible variations of the attack for it to be
effective.

You could write a book about all the problems with designing intrusion
detection systems. We don't purport to have all the answers, or even to
catalog all the problems. 

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
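The "normalizing gateway" idea discussed above (forward traffic only when its meaning is unambiguous, drop what the proxy cannot decode) as an added example that is not part of the original message or of any product mentioned in it: a small TCP reassembler in Python that forwards only the contiguous, conflict-free byte stream and refuses the stream when overlapping segments disagree about the same byte. Segment sequence numbers and payloads are constructed sample input.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes   # payload carried by this segment


class AmbiguousStream(Exception):
    """Raised when two segments disagree about the byte at one stream offset."""


def normalize_stream(segments, first_seq):
    """Reassemble payload bytes relative to first_seq (the sequence number of
    the first data byte). Consistent retransmissions/overlaps are accepted;
    an overlap whose data differs is ambiguous and raises AmbiguousStream.
    Only the contiguous prefix is returned, since bytes beyond a hole cannot
    be interpreted yet."""
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = (seg.seq + i - first_seq) & 0xFFFFFFFF   # 32-bit seq wrap
            if off in stream and stream[off] != b:
                raise AmbiguousStream(f"conflicting data at offset {off}")
            stream[off] = b
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def gateway_decision(segments, first_seq):
    """Proxy verdict: ('forward', bytes) for an unambiguous stream, or
    ('drop', reason) when the gateway cannot tell what the endpoint will see."""
    try:
        return ("forward", normalize_stream(segments, first_seq))
    except AmbiguousStream as exc:
        return ("drop", str(exc))


if __name__ == "__main__":
    # Constructed: a benign retransmission that repeats the same bytes.
    print(gateway_decision([Segment(1000, b"GET /in"), Segment(1007, b"dex.html"),
                            Segment(1003, b" /ind")], 1000))
    # Constructed: an overlap carrying different bytes for the same offsets.
    print(gateway_decision([Segment(1000, b"GET /in"), Segment(1004, b"/sec")], 1000))
```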


