IDS mailing list archives

Re: Changes in IDS Companies?


From: Aaron Turner <aturner () pobox com>
Date: Wed, 23 Oct 2002 12:10:44 -0700

On Wed, Oct 23, 2002 at 01:45:57PM -0400, Rob Shein wrote:
(All snips are the quotes by Martin Roesch.)

Aaron Turner wrote:

<snip>


<snip my earlier comment>


Ok, here's problem #1.  It sounds like you're saying, "IDS technology
works well enough, and is part of this/DoS isn't that much of an issue."

I'm not actually sure what you're saying there.  I hope you don't think
I'm saying that DoS attacks aren't an issue for NIPS (or any network
device for that matter).

The two don't work together.  Everyone on this list knows (I hope) how
much easier it is to DoS an IDS than it is to do the same to a firewall.
Furthermore, this totally fails to address Marty's excellent point of
"what if" with regards to such a scenario.  

We can say "what if" about everything and anything.  Pointing out that IDS
technology has these same problems doesn't help anyone.  I fully expect
someone evaluating any IDS based technology to be asking the vendor questions
about how they deal with various kinds of attacks and their limits.

The one thing I am certain of is that as time goes on, they'll get better, 
just like every other network security device has.
 
<snip>


<snip my comments about Hogwash>


It would fail to find an attack that Snort fails to find. 

If by "It" you mean Hogwash, then why?  If not, then what are you talking
about, and why?

And there
always will be such attacks, furthermore.  Conversely, HIDS has a much
easier time seeing a sudden change to a file that is not supposed to
change, and thus the argument for layers.

Oh, don't get me wrong... I'm all for defense in depth.  And while I agree
that HIDS has some technological advantages over network based IDS, it also
has serious management and cost disadvantages over them as well.  I also 
think that network based IDS will close the security gap a lot faster 
than HIDS will the management gap.  Cost will probably stay about the same.

Basically, organizations will run network based IDS everywhere and HIDS only
on a few critical systems.  And I think most IDS companies realize this, 
which is why everyone hypes their NIDS/NIPS and seems to be putting in a lot
of $$$ into that technology and less so their HIDS.  (I could be wrong about
this one, it's just a gut feeling, I haven't done any studies or anything
like that.)

<snip comments about HA NIPS>
  
Uh, if one firewall is unstable because its technology is immature, how
is adding the complexity of clustering going to improve the situation?

That's why companies built hardware load balancers.  Dedicated devices
which are now extremely well tested and remove most of the complexity
from the device actually being load balanced.  And I don't think anyone
will disagree that the technology overall will stabilize and improve.

I don't remember people doing such things back when firewalls "weren't
there" yet...I remember them either implementing less effective ones in
the name of uptime, or passing on them altogether.

I guess that depends on who you talked to and what their security requirements
were.  My experience was that effective firewalls were considered a requirement
for doing business and while downtime caused by them was highly frowned on, 
it was better than the alternative (being broken into).

<snip>

I think this political battle is going away.  Companies are 
realizing that 
a firewall isn't enough.  NIDS are great, but they don't 
solve the basic problem of, "Now that I've been rooted now 
I've got to pull people from 
their current projects to rebuild the servers."  Since NIPS takes a 
pro-active rather than reactive methodology, it solves for 
this problem like no other (at least current) solution can.

No, NIPS _could_ solve this problem like no current solution can.  It's
not there yet.  And still...what about the attack it doesn't know how to
see yet?

Again, that "what if" argument.  No vendor (that I know of) is claiming 
100% detection or security.  So why are you worrying about things they
don't promise?

Secondly, we all know that the *majority* of attacks aren't some new,
super-elite, secret exploit, but rather attacks that have been well known
for some time.  If it takes care of the majority of attacks, and lets
the security group handle the few esoteric ones that get by then it's 
probably money well spent.
 
HIDS/HIPS is a *lot* more work to maintain than AV.  Nobody 
tunes their AV solution, but people spend a lot of time 
tuning their *IDS solution, and frankly, most of the 
management tools so far suck.  Compare Checkpoint's 3 tier 
management solution to the IDS solutions out there and you'll 
understand what I mean.

And again, put a few load balancers around it (even use your existing 
firewall L/B's) or install something like StoneBeat and 
failure issue becomes moot.

Again, HA is not something you can just slap on to an immature and
unstable technology to make it better.  And once upon a time, AV used to
be a total nightmare in the enterprise.  It matured, just as HIDS has
been doing.

I'm sure it is maturing, but honestly I just see it getting more and more
complex rather than easier to use.  Organizations can afford to deploy a
network IDS/IDP sensor (or HA cluster) for a whole network, even if
it's difficult to manage because there are relatively few devices.  You
can't say the same for HIDS.  Hopefully it will get a lot better so people
will seriously consider using them- I just don't see it happening soon 
(next 12-18 months).

<snip my comments on dropping traffic/accuracy>
 
The problem is not with accuracy, but with ambiguity.  Normal traffic is
not the white-picket-fence model of conformity it needs to be to be able
to draw black and white distinctions between "good" and "bad" traffic in
a totally reliable way.  

Furthermore, "bad" traffic can differ only
slightly from "good" traffic, the only difference being a distinction
that is not visible on the wire, and the attack can only be detected
after it passes.  A SYN flood looks a hell of a lot like a packet
capture of www.cnn.com every time a major news event breaks.  You have
to wait until you get/don't get SYN/ACKs back to know for sure (unless
you've managed to install one of your sensors on the attacking network).
Increased usage of IPSEC encryption will mean increased fragmentation as
packets are decrypted.  And there are many other situations, some of
which have probably not even been thought of yet.  This is just being
addressed now, in the IDS space...do you really want to let it control
the nature of traffic on your network so soon?
 
There are different kinds of "ambiguous traffic".  Your example of a Syn
is one, but in reality that's pretty easy to fix- just about every firewall
nowadays prevents Syn floods, these same methods can be used in an NIPS.
Heck, NIPS doesn't even need it if your firewall does it already.

The harder things are like IP fragmentation with overlapping fragments.
Different OS's will defrag them differently, which may or may not then have 
an attack (depending on how you do the defrag).  Three key issues with this one:

1) A traditional NIDS can neither find the attack (too computationally 
difficult to do in real time for all the different IP stacks) nor do 
anything about it.  The most it can do is alert that it found some 
overlapping fragments.

2) A HIDS/HIPS can detect the attack in the fragments and prevent it, but
only on the host it's installed on.  Furthermore, it can't protect other
devices (terminal servers, routers, non-supported OS's, etc).

3) A NIPS (which by my definition must be inline) can detect the ambiguity 
and prevent it.  You however are gambling that the overlapping fragments 
are indicative of an attack.  Generally speaking that's a gamble I'm willing
to take.

My personal feeling is that cost/benefit the NIPS wins this one.  YMMV.

Lastly, the way I see the NIPS market going, administrators will be given the
choice to exactly specify when and where to drop packets.  This will help
reduce the risk based upon each organization's needs.

I have to agree 100% with Marty, and say this:  "Yes, it's promising.
Yes, it's in demand.  Yes, it's worth pursuing, whether for innate value
or because the market wants it.  But it's not as good as most IPS
vendors are claiming yet, period."

Most vendors aren't even doing inline right now (mostly firewall/router
notification) which I'd agree doesn't meet their claims- not by a long
shot.

The few vendors that are doing inline are getting there (I don't see anyone 
there yet), and network based IDS technology seems to be maturing faster 
than firewalls did in general.

-- 
Aaron Turner <aturner at pobox.com|synfin.net>    http://synfin.net/aturner
They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin

pub 1024D/F86EDAE6  Sig: 3167 CCD6 6081 0FFC B749  9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
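The SYN flood point made above (a burst of inbound SYNs looks the same on the wire as a flash crowd until you watch whether the handshakes complete) can be shown with a small detector. This is an added example, not code from the post or from any of the products it mentions; the packet records, addresses and the `half_open_ratio` threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed TCP header summary: endpoints plus the SYN and ACK flags."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def inbound_syn_count(packets: List[Packet], server: str) -> int:
    """What a sensor that only sees client->server traffic can count.
    It is the same number for a flash crowd and for a SYN flood."""
    return sum(1 for p in packets if p.dst == server and p.syn and not p.ack)


def half_open_ratio(packets: List[Packet], server: str) -> float:
    """Fraction of inbound SYNs whose three-way handshake never completes.
    This needs both directions: the server's SYN/ACK and the client's final
    ACK. Real clients in a flash crowd complete; spoofed flood sources never do."""
    state: Dict[Tuple[str, int], str] = {}
    for p in packets:
        if p.dst == server and p.syn and not p.ack:
            state[(p.src, p.sport)] = "syn"
        elif p.src == server and p.syn and p.ack \
                and state.get((p.dst, p.dport)) == "syn":
            state[(p.dst, p.dport)] = "synack"
        elif p.dst == server and p.ack and not p.syn \
                and state.get((p.src, p.sport)) == "synack":
            state[(p.src, p.sport)] = "established"
    if not state:
        return 0.0
    half_open = sum(1 for s in state.values() if s != "established")
    return half_open / len(state)


def classify(packets: List[Packet], server: str, threshold: float = 0.5) -> str:
    """Constructed decision rule: flag a flood only when most handshakes hang."""
    if inbound_syn_count(packets, server) == 0:
        return "normal"
    return "syn-flood-suspected" if half_open_ratio(packets, server) >= threshold else "normal"


# Constructed traces (RFC 5737 documentation addresses, nothing real).
SERVER = "10.0.0.80"


def handshake(client: str, sport: int) -> List[Packet]:
    """A complete three-way handshake from one real client."""
    return [
        Packet(client, SERVER, sport, 80, syn=True, ack=False),
        Packet(SERVER, client, 80, sport, syn=True, ack=True),
        Packet(client, SERVER, sport, 80, syn=False, ack=True),
    ]


# Flash crowd: five clients, five completed handshakes.
FLASH_CROWD = [pkt for i in range(5) for pkt in handshake(f"192.0.2.{i + 1}", 40000 + i)]

# Flood: five SYNs from spoofed sources; the server answers, nobody ACKs back.
FLOOD: List[Packet] = []
for i in range(5):
    src = f"203.0.113.{i + 1}"
    FLOOD.append(Packet(src, SERVER, 50000 + i, 80, syn=True, ack=False))
    FLOOD.append(Packet(SERVER, src, 80, 50000 + i, syn=True, ack=True))  # sent to a spoofed address, no reply


if __name__ == "__main__":
    for name, trace in (("flash crowd", FLASH_CROWD), ("flood", FLOOD)):
        print(f"{name}: inbound SYNs={inbound_syn_count(trace, SERVER)} "
              f"half-open ratio={half_open_ratio(trace, SERVER):.2f} -> {classify(trace, SERVER)}")
```

The one-directional count is identical for both traces, which is the ambiguity the post describes; only the reverse-direction state lets the sensor tell them apart, and that is the same information a SYN-proxying firewall uses to absorb the flood in the first place.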
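The overlapping-fragment discussion above (different stacks reassemble overlaps differently, a passive NIDS has to guess the target's policy, an inline NIPS can simply refuse the ambiguity) is easier to see with a toy reassembler. This is an added example, not code from the post or from Snort, Hogwash or any product named in the thread; the `Fragment` model, the two simplified overlap policies and the sample datagrams are constructed, and real stacks use finer-grained policy variants than the two shown.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment reduced to what reassembly needs: its byte offset in
    the original datagram and its payload. (Constructed model, not a packet parser.)"""
    offset: int
    data: bytes


def datagram_size(frags: List[Fragment]) -> int:
    return max(f.offset + len(f.data) for f in frags)


def coverage(frags: List[Fragment]) -> List[int]:
    """How many fragments claim each byte position of the datagram."""
    counts = [0] * datagram_size(frags)
    for f in frags:
        for pos in range(f.offset, f.offset + len(f.data)):
            counts[pos] += 1
    return counts


def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) claimed by more than one fragment.
    This is the cheap check: it needs no knowledge of any target's stack."""
    ranges, start = [], None
    for pos, count in enumerate(coverage(frags) + [0]):  # sentinel closes a trailing run
        if count > 1 and start is None:
            start = pos
        elif count <= 1 and start is not None:
            ranges.append((start, pos))
            start = None
    return ranges


def missing_bytes(frags: List[Fragment]) -> List[int]:
    """Positions no fragment covers; a datagram with gaps cannot be reassembled yet."""
    return [pos for pos, count in enumerate(coverage(frags)) if count == 0]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble under one of two simplified overlap policies (assumed here):
    'first' keeps the bytes that arrived first, 'last' lets later fragments
    overwrite them. Fragments are processed in arrival order."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    if missing_bytes(frags):
        raise ValueError("incomplete datagram")
    size = datagram_size(frags)
    buf, written = bytearray(size), [False] * size
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
            written[pos] = True
    return bytes(buf)


def is_ambiguous(frags: List[Fragment]) -> bool:
    """True when overlapping fragments carry *different* bytes, so the payload
    a host sees depends on its policy. Byte-identical overlaps (retransmits)
    are not ambiguous."""
    return reassemble(frags, "first") != reassemble(frags, "last")


def nips_verdict(frags: List[Fragment]) -> str:
    """Inline behaviour argued for in the post: do not guess which policy the
    target uses, drop datagrams whose overlaps conflict, pass benign ones."""
    if not find_overlaps(frags):
        return "forward"
    return "drop" if is_ambiguous(frags) else "forward"


# Constructed sample in arrival order: the third fragment re-covers bytes 5..9
# of the second with different content.
AMBIGUOUS = [Fragment(0, b"GET /"), Fragment(5, b"a.cgi"), Fragment(5, b"b.cgi")]

# Same layout, but the overlap is a byte-identical retransmit.
RETRANSMIT = [Fragment(0, b"GET /"), Fragment(5, b"a.cgi"), Fragment(5, b"a.cgi")]


if __name__ == "__main__":
    print("overlap ranges:", find_overlaps(AMBIGUOUS))
    for policy in ("first", "last"):
        print(f"{policy}-policy host sees:", reassemble(AMBIGUOUS, policy))
    print("ambiguous datagram:", nips_verdict(AMBIGUOUS))
    print("retransmit datagram:", nips_verdict(RETRANSMIT))
```

A passive sensor that models the target with the wrong policy inspects `GET /a.cgi` while the host actually processes `GET /b.cgi`, which is why the post says a traditional NIDS can at best alert on the overlap; the inline device does not need to know the target's policy, only that the two readings disagree.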
