IDS mailing list archives

Re: Changes in IDS Companies?


From: detmar.liesen () lds nrw de
Date: Tue, 12 Nov 2002 08:40:41 +0100

Hi folks, 
I have been watching this thread for quite a while now and I think it's time for
me to throw in my $0.02.

First off, let me explain my understanding of the terminology:
- An Inline IDS or Gateway IDS (GIDS) does not have to be a Network Intrusion
Protection System. The only difference between a NIDS and a GIDS is that the
latter is placed inline instead of being attached to a SPAN port or tap.
- A Network Intrusion Protection System (NIPS) blocks or resets "bad" connections
and hacking attempts. So a NIPS does not automatically have to be an inline device.

I guess we all agree so far :)

As a rule of thumb, I would never use countermeasures that transmit packets on
the wire, which would be the case if I used TCP reset with a NIDS.
Remember: every bit of information you give to a hacker could help him evade
your security systems.
Dropping packets silently by using a GIDS is far better.

Now the false-positive issue:
I had various discussions about that issue with many people. The main concern
was that a NIPS/GIDS often sits in a place where many heterogeneous networks are
connected to a single line (e.g. the internet-link) and thus it is very
difficult to properly tune those systems.

I don't have enough practical experience to tell whether the following idea is
good, but I suggest using a GIDS as a protecting device with just the most
important signatures that are known to reliably detect/block the attacks we
fear most:
- worms
- trojans/backdoors
- well-known exploits
For all the other stuff that is apt to produce false positives, I suggest using a
passive network IDS (NIDS).

Additionally, NIPS vendors should always maintain a list of those most common
and most dangerous attacks that also gives information about known
false-positives for these signatures.

Cheers,
Detmar

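As an added illustration of the two-tier split argued for above (high-confidence signatures enforced inline with a silent drop, everything else left to a passive sensor, and a tuning exception rather than a disabled rule when something legitimate gets blocked), here is a small Python policy engine. It is example code written for this archive page, not code from the poster or from any vendor; the signatures, addresses and traffic in it are constructed, and the class and function names are assumptions.

```python
"""Two-tier policy sketch: high-confidence signatures are enforced inline by
silently dropping the packet (no TCP reset sent back); everything else only
raises a passive alert. An allow list models the tuning step for a false
positive. All signatures, hosts and traffic here are constructed for the demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: bytes             # substring searched for in the payload
    dport: Optional[int]       # restrict to one destination port, None = any
    high_confidence: bool      # True: inline drop tier; False: passive alert tier


# Constructed signatures, not real vendor rules. The two high-confidence ones
# stand in for a worm probe and a backdoor banner; the other two are the kind
# of generic content match that is prone to false positives.
SIGNATURES = [
    Signature(1001, "IIS .ida overflow worm probe", b"/default.ida?NNNN", 80, True),
    Signature(1002, "backdoor banner on 27374/tcp", b"connected. time/date", 27374, True),
    Signature(2001, "/etc/passwd in request", b"/etc/passwd", None, False),
    Signature(2002, "directory traversal", b"../", 80, False),
]


class TwoTierPolicy:
    def __init__(self, signatures: List[Signature],
                 allow: Tuple[Tuple[int, str], ...] = ()):
        self.signatures = signatures
        # Tuning exceptions: (sid, source prefix) pairs that must not be blocked.
        self.allow = set(allow)
        self.log: List[Tuple[int, str, str]] = []

    def matches(self, pkt: Packet) -> List[Signature]:
        return [s for s in self.signatures
                if (s.dport is None or s.dport == pkt.dport)
                and s.pattern in pkt.payload]

    def suppressed(self, sig: Signature, pkt: Packet) -> bool:
        return any(sig.sid == sid and pkt.src.startswith(prefix)
                   for sid, prefix in self.allow)

    def decide(self, pkt: Packet) -> str:
        """Return 'drop' or 'forward'. A drop is silent: nothing is sent back."""
        verdict = "forward"
        for sig in self.matches(pkt):
            if self.suppressed(sig, pkt):
                self.log.append((sig.sid, pkt.src, "suppressed"))
            elif sig.high_confidence:
                verdict = "drop"
                self.log.append((sig.sid, pkt.src, "drop"))
            else:
                self.log.append((sig.sid, pkt.src, "alert"))   # passive tier only
        return verdict


def run_demo() -> List[str]:
    """Constructed traffic: a worm probe, a low-confidence hit, a clean request,
    then the same probe from an internal scanner before and after tuning."""
    worm = Packet("203.0.113.7", "192.0.2.10", 80, b"GET /default.ida?NNNNNNNNNN HTTP/1.0")
    maybe = Packet("203.0.113.7", "192.0.2.10", 80, b"GET /cgi-bin/view?f=/etc/passwd HTTP/1.0")
    clean = Packet("203.0.113.8", "192.0.2.10", 80, b"GET /index.html HTTP/1.0")
    untuned = TwoTierPolicy(SIGNATURES)
    verdicts = [untuned.decide(p) for p in (worm, maybe, clean)]
    # An internal vulnerability scanner at 10.0.0.5 sends the same probe and is
    # blocked; the tuning step adds an exception instead of disabling the rule.
    scanner = Packet("10.0.0.5", "192.0.2.10", 80, worm.payload)
    verdicts.append(untuned.decide(scanner))
    tuned = TwoTierPolicy(SIGNATURES, allow=((1001, "10.0.0."),))
    verdicts.append(tuned.decide(scanner))
    return verdicts


if __name__ == "__main__":
    print(run_demo())   # ['drop', 'forward', 'forward', 'drop', 'forward']
```

The point of the split is visible in the log: the low-confidence /etc/passwd hit is recorded but never changes the verdict, while the worm probe is dropped without a reset, and the scanner case is fixed by a narrow source exception rather than by turning the signature off.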

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: Saturday, 9 November 2002 04:40
To: focus-ids () securityfocus com
Subject: Re: Changes in IDS Companies?


Toby Kohlenberg wrote:

Very simply, when you are talking about controlling traffic to the sort of
high-value, production server that you are likely to want to put these things
in front of, you cannot afford for it to ever generate a false positive.

Yes in theory, not so in practice. First off, most IPS, NIPS,
GIDS...whatever you want to call them...shouldn't be tuned to the point
where they are mass blocking anything that is a "maybe" to the engine. I
see a NIPS as essentially a "smarter firewall." It isn't going to filter
out every conceivable attack, just the ones that can be identified with
a great deal of accuracy. 

In that sense, the blocking ratio should be reasonably reliable.
However, in theory I think you're right. There is a danger with these
devices making "bad decisions" about traffic and blocking acceptable
stuff. 

This means you need a standard IDS sitting behind it/next
to it watching the same traffic with a more flexible 
implementation that may generate false positives from 
time to time but will also be more likely to catch
well-hidden or novel attacks. The beauty of a passive 
IDS is that it can make mistakes and you don't get 
punished for it automatically.

This is still true. A conventional NIDS and HIDS always have value
because they are "data collectors." A good IDS does more than just shoot
off alerts, but can feed you data to start making your own decisions. In
the same way that a NIDS can give you the heads up that maybe you need
to make a change to a conventional firewall, a NIDS could do the same
for a NIPS or HIPS solution. 


So, I'd guess the first question I'd ask anyone 
trying to pitch one of these things to me is, how 
have you validated that you have a false-positive
rate that approaches zero and how would I tune the 
box to ensure it will never cut off legitimate traffic?

This question really depends on where you put a NIPS. This is why I am
still hesitant to suggest people put these in front of an entire
network. A segment or single system is one thing. A whole network is a
different thing. 

However, like all systems, properly tuned, they can offer a lot of
protection capability. 

I suspect one of the problems with NIPS is that they will get confused
with firewalls. Firewalls are, for most places I visit, set & forget
devices. Organizations plug them in, configure them, and then never look
at them again. A NIPS is more like an IDS. And you can't leave an IDS
alone. It needs love and attention. The same is true of a NIPS. You
can't just let it whirr. Somebody has to be paying attention to what it
is doing. And when stuff gets blocked that should go through, the system
needs to be tuned. 

As I think about it, this discussion really has a 
lot in common with the cross-over rate issue in
biometrics (the ratio of false-positives to
false-negatives). Any vendors care to provide a 
meaningful explanation of how they are handling this?

That means no statements like "We use a cutting edge combination of signatures,
protocol analysis, heuristics, anomaly detection and our very own Ingredient X!".

Vendors are always hesitant to make these claims, because the instant
they make them, somebody comes out with Ingredient X Hacking Tool which,
fairly or not, can ruin the entire credibility of the product. Never
mind that the Hacking Tool only operates in the 4th dimension running off an
antimatter engine; if a link to the source code hits Slashdot, the company's
reputation tanks.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
_______________________________
