IDS mailing list archives
AW: Changes in IDS Companies?
From: detmar.liesen () lds nrw de
Date: Tue, 12 Nov 2002 08:40:41 +0100
Hi folks, I am watching this thread for quite a while now and I think it's time for me to throw in my 0.02$. First off let me explain my understanding of terminology: -An Inline-IDS or Gateway IDS does not have to be a Network Intrusion Protection System. The difference between a NIDS and a GIDS is just that the latter is placed inline instead of attached to a SPAN port or tap. -A Network Intrusion Protection System blocks or resets "bad" connections and hacking attempts. So a NIPS does not have to be an Inline-device automatically. I guess we all agree so far :) As a rule of thumb I would never use countermeasures by transmitting packets on the wire, which would be the case if I used TCP-reset with NIDS. Remember: Every bit of information you give to a hacker could help him to evade your security-systems. Dropping packets silently by using a GIDS is far better. Now the false-positive issue: I had various discussions about that issue with many people. The main concern was that a NIPS/GIDS often sits in a place where many heterogeneous networks are connected to a single line (e.g. the internet-link) and thus it is very difficult to properly tune those systems. I don't have enough practical experience to tell if the following idea is good, but I suggest using a GIDS as a protecting device with just the most important signatures that are knownt to reliably detect/block those attacks we fear most: -worms -trojans/backdoors -well-known exploits For all the other stuff that is apt to produce false positives i suggest using a passive network ids (NIDS) Additionally, NIPS vendors should always maintain a list of those most common and most dangerous attacks that also gives information about known false-positives for these signatures. Cheers, Detmar -----Ursprüngliche Nachricht----- Von: Andrew Plato [mailto:aplato () anitian com] Gesendet: Samstag, 9. November 2002 04:40 An: focus-ids () securityfocus com Betreff: Re: Changes in IDS Companies? Toby Kohlenberg wrote
Very simply, when you are talking about controlling traffic to the sort of high value, production server that you are likely to want to put these things in front of, you cannot afford for it to ever generate a false positive.
Yes in theory, not so in practice. First off, most IPS, NIPS, GIDS...whatever you want to call them...shouldn't be tuned to the point where they are mass blocking anything that is a "maybe" to the engine. I see a NIPS as essentially a "smarter firewall." It isn't going to filter out every conceivable attack, just the ones that can be identified with a great deal of accuracy. In that sense, the blocking ratio should be reasonably reliable. However, in theory I think you're right. There is a danger with these devices making "bad decisions" about traffic and blocking acceptable stuff.
This means you need a standard IDS sitting behind it/next to it watching the same traffic with a more flexible implementation that may generate false positives from time to time but will also be more likely to catch well-hidden or novel attacks. The beauty of a passive IDS is that it can make mistakes and you don't get punished for it automatically.
This is still true. A conventional NIDS and HIDS always have value because they are "data collectors." A good IDS does more than just shoot off alerts, but can feed you data to start making your own decisions. In the same way that a NIDS can give you the heads up that maybe you need to make a change to a conventional firewall, a NIDS could do the same for a NIPS or HIPS solution.
So, I'd guess the first question I'd ask anyone trying to pitch one of these things to me is, how have you validated that you have a false-positive rate that approaches zero and how would I tune the box to ensure it will never cut off legitimate traffic?
This question really depends on where you put a NIPS. This is why I am still hesitant to suggest people put these in front of an entire network. A segment or single system is one thing. A whole network is a different thing. However, like all systems, properly tuned, they can offer a lot of protection capability. I suspect one of the problems with NIPS is that they will get confused with firewalls. Firewalls are, for most places I visit, set & forget devices. Organizations plug them in, configure them, and then never look at them again. A NIPS is more like an IDS. And you can't leave an IDS alone. It needs love and attention. The same is true of a NIPS. You can't just let it whirr. Somebody has to be paying attention to what it is doing. And when stuff gets blocked that should go through, the system needs to be tuned.
As I think about it, this discussion really has a lot in common with the cross-over rate issue in biometrics (the ratio of false-positives to false-negatives). Any vendors care to provide a meaningful explanation of how they are handling this?
That means no statements like "We use a cutting edge combination of signatures, protocol analysis, heuristics, anomaly detection and our very own Ingredient X!".
Vendors are always hesitant to make these claims, because the instant they make them, somebody comes out with Ingredient X Hacking Tool which, fairly or not, can ruin the entire credibility of the product. Never mind that the Hacking Tool only operates in the 4th dimension running off a antimatter engine, if a link to the source code hits slashdot, the company's reputation tanks. ___________________________________ Andrew Plato, CISSP President / Principal Consultant Anitian Corporation 503-644-5656 Office 503-644-8574 Fax 503-201-0821 Mobile www.anitian.com _______________________________
Current thread:
- AW: Changes in IDS Companies? detmar . liesen (Nov 12)
- Re: Changes in IDS Companies? Dominique Brezinski (Nov 12)
- <Possible follow-ups>
- AW: Changes in IDS Companies? detmar . liesen (Nov 13)