Firewall Wizards mailing list archives

The value of detecting neutralized threats. (was RE: IDS blah blah)


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Thu, 21 Jan 1999 22:40:52 PST


There are two reasons for trying to detect traffic and breaches with IDS 
that you have previously taken steps to prevent.

(in answer to the question "why should we watch for netbios traffic if we 
have already firewalled those ports?")

1. The existence of network scans, petty DoS attempts, and lame netbios 
attacks can be one of two things - some teenager getting their kicks, 
or, a sophisticated attacker using these probes as a precursor to a more 
sophisticated (and successful, perhaps) attack.  Do not kid yourselves 
and think that well funded attackers do not at least try the front door 
once or twice before bringing out the big guns.  If you have sensitive 
and valuable data to protect, you are doing yourself a disservice by not 
making an effort to look for traffic that should theoretically not exist 
on the network.

By discovering these precursors to what might be a more sophisticated 
attack, action can be taken to prevent its escalation.

2. Let's say you do block all traffic to and from a service.  At this 
point, some members of the list seem to be content with sitting back and 
basking in the knowledge that "it can't be in our network, by god we 
firewalled it".  Don't you think the most important time to know if 
there are strange packets floating around is _after_ you made an attempt 
to prevent their existence???  I mean, before you firewall, there is an 
excuse for weird packets and requests to be bouncing around - it seems 
to me that that would be the time to not be concerned.

The time to be concerned about, for instance, netbios traffic, would be 
after you had taken steps to prevent netbios traffic on the network.  
Wouldn't you be a bit concerned that this traffic exists, even though 
you supposedly blocked it?  Wouldn't you like to know right away if 
these packets and requests suddenly existed on your network?

Or are you so confident in your ability to work firewalls that you 
cannot conceive of an instance in which traffic and requests that you 
attempted to block might end up on the network at a later date?

THESE are the reasons you add an Intrusion Detection System that not 
only looks for threats that cannot be effectively neutralized, but also 
looks for threats that have already been neutralized.


I should point out, in response to certain critics, that you probably do 
not need to employ mechanisms such as this if you do not have 
information and services to protect that outweigh the costs of 
implementing and supporting these systems.  I, for instance, do, and I 
will note that I am not part of the military-industrial-government 
complex.  I imagine there are many others on the list that may not be in 
the military or part of the government, but have services and 
information of such value that these measures would be cost-effective.

You will note that a system that can do what is described above can be 
built for less than $10,000.

If you do not have the necessity or the means to implement these 
procedures, and do not find them relevant for the small networks you 
run, well, at least you are gaining experience and knowledge for a 
future date when you do.  That is, after all, why we participate on 
lists such as this.



kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
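The detection the post argues for, written out as an added example that is not part of the original message or of any tool discussed on the list: a small monitor that takes sensor records from the inside of the perimeter, compares them against the ports the firewall policy claims to block, and raises an alert for every flow that crosses the perimeter on one of those ports (the "this should not exist, we firewalled it" case), then separately reports external sources that have touched several distinct blocked targets (the "front door" probing described as a possible precursor). The log format, the internal address range 10.0.0.0/8, the blocked-port table and the sample records are all constructed for this example.

```python
"""Flag traffic that the firewall policy says should already be neutralized.

Added example, not from the original post. Assumes a constructed sensor record
format of "timestamp src_ip src_port dst_ip dst_port proto", one flow per line.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed firewall policy: (proto, dst_port) pairs blocked at the perimeter.
BLOCKED_PORTS: Set[Tuple[str, int]] = {("udp", 137), ("udp", 138), ("tcp", 139)}
# Assumed internal address space (constructed for this example).
INTERNAL_NET: IPv4Network = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one sensor record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return Flow(ts, ip_address(src), int(sport), ip_address(dst), int(dport), proto.lower())
    except ValueError:
        return None


def crosses_perimeter(flow: Flow, internal: IPv4Network) -> bool:
    """True when exactly one endpoint is inside the protected network."""
    return (flow.src in internal) != (flow.dst in internal)


def find_policy_violations(lines: Iterable[str],
                           blocked: Set[Tuple[str, int]] = BLOCKED_PORTS,
                           internal: IPv4Network = INTERNAL_NET) -> List[Flow]:
    """Return perimeter-crossing flows on blocked ports.

    Internal-to-internal NetBIOS is normal; a flow on a blocked port that has
    one foot outside the perimeter means the firewall rule is not doing what
    the policy says, or something is bypassing it. Either way it is an alert.
    """
    hits: List[Flow] = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        if (flow.proto, flow.dport) in blocked and crosses_perimeter(flow, internal):
            hits.append(flow)
    return hits


def find_probing_sources(violations: Iterable[Flow], min_targets: int = 3,
                         internal: IPv4Network = INTERNAL_NET) -> Dict[str, int]:
    """External sources that hit several distinct (dst, port) targets on blocked
    ports: the low-effort probing the post treats as a possible precursor."""
    targets: Dict[IPv4Address, Set[Tuple[IPv4Address, int]]] = defaultdict(set)
    for f in violations:
        if f.src not in internal:
            targets[f.src].add((f.dst, f.dport))
    return {str(src): len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample records (not a real capture). 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_LOG = """\
1999-01-21T22:40:52 10.0.1.5 1034 10.0.1.9 139 tcp
1999-01-21T22:40:53 192.0.2.44 2001 10.0.1.9 139 tcp
1999-01-21T22:40:54 192.0.2.44 2002 10.0.1.10 139 tcp
1999-01-21T22:40:55 192.0.2.44 2003 10.0.1.11 137 udp
1999-01-21T22:40:56 10.0.2.7 53123 198.51.100.8 137 udp
1999-01-21T22:40:57 10.0.1.5 40000 198.51.100.8 80 tcp
1999-01-21T22:40:58 garbage line
"""


if __name__ == "__main__":
    found = find_policy_violations(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"ALERT blocked-port traffic crossed perimeter: {f.ts} "
              f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
    for src, n in find_probing_sources(found).items():
        print(f"ALERT external source {src} probed {n} distinct blocked targets")
```

The first internal-to-internal record is deliberately left alone: the point is not that NetBIOS exists on the wire but that it reached across a boundary the policy says is closed. The outbound 137/udp record is reported as well, since a leak in the other direction is exactly the kind of "we supposedly blocked it" case the post describes.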

