RE: Automated IDS response

["Crumrine, Gary L" <CrumrineGL () state gov>]

When IDS systems first hit the streets a couple of years ago, I think many
were caught up in all the GA-GA bells and whistles marketing hype that
accompanied their release.  After some time to evaluate the products and
adjust our thought processes on how they are implemented, I think we have
come full circle on their usefulness and I know we are a lot wiser in our
implementation.  

I for one now tend to back off from allowing a product to automatically
modify my configurations in response to something that has the potential to
be malicious.  Sounds a bit like jumping at shadows.  

I lean towards manual corrective measures that are a result of some form of
human thought process and analysis.   Guess I am afraid of AI being
introduced at this level.  In theory, it sounds like a great idea, but it
rarely works out in real life.  At least to the degree that would make me
comfortable with it.  Maybe someday...  

Too often we look at results, without analyzing the effect that it may have
on our ability to operate.  Whether your automated IDS response is the
result of doing the right thing for the wrong reason, or doing the wrong
thing for the right reason really doesn't matter... it is still a mistake
that could prove costly in the long run.  

Right now, I trust a human more than a brick.

> -----Original Message-----
> From: Robert Graham [SMTP:robert_david_graham () yahoo com]
> Sent: Saturday, February 12, 2000 12:04 PM
> To:   Kopf , Patrick E.; 'Michael B. Rash'; firewall-wizards () nfr net
> Subject:      RE: Automated IDS response
>
> For example, if you see somebody pinging your machine looking for
> BackOrifice,
> nothing happens. Not only can such things be spoofed, but you see a lot of
> them
> from many hackers. What the hacker is really doing is scanning millions of
> machines for BackOrifice. That is likely the only packet you'll ever see
> from
> the hacker, so it isn't worthwhile destabilizing your firewall blocking
> the
> person. The average cable-modem user gets 20 non-spoofed scans per day --
> it
> really isn't worthwhile reconfiguring the firewall for each one.
>
> On the other hand, if you machine sees your machine respond to a
> BackOrifice
> request, then it goes into a tizzy and starts blocking things and giving
> higher
> priority alerts.
>
> Robert Graham
> CTO/Network ICE
>
> --- "Kopf , Patrick E." <PEKopf () missi ncsc mil> wrote:
> > Network Ice's BlackIce Defender IDS does this type of traffic blocking
> > (based on type of attack).  Defender only blocks traffic for attacks
> that
> > are 'non-spoofable'.  I don't know if they're the only IDS that does
> this or
> > not.
> >
> > Pat Kopf
> >
> > -----Original Message-----
> > From: Michael B. Rash [mailto:mbr () math umd edu]
> > Sent: Thursday, February 10, 2000 6:09 PM
> > To: firewall-wizards () nfr net
> > Subject: Automated IDS response
> >
> >
> >
> > Having your IDS respond automatically to an IP that is generating
> > questionable traffic by dynamically managing your router ACLs (or other
> > similar action; tcpwrappers, ipchains, etc...) to deny all traffic from
> > the IP can be a risky thing to do from a DoS perspective; nmap's decoy
> > option comes to mind.
> >
> > It would seem that any IDS should only block traffic from an IP
> > based on an attack signature that requires bi-directional communication,
> > like a CGI exploit over http/80 or something.  Are there guidelines for
> > deploying IDS response that discusses methods for minimizing false
> > positives?  Are there any *good* ways of doing this?
> >
> > --Mike
> > http://www.math.umd.edu/~mbr
>
> =====
> Robert Graham  http://www.robertgraham.com/pubs
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com