Re: IDS is dead, etc

[Sebastian Schneider <ses () straightliners de>]

Regarding the philosophical issue brought up by Paul Schmehl I guess
for sure NIDS sensors might be quite useful if located at strategical points
as Thomas Arsenault points out.

However, properly planned and implemented NIDS sensors are not just helpful
for analyzing inbound traffic, they can also be a good indicator for checking
security policies and violations of these.

So the issue actually is, which NIDS sensor placed where should scan for what.
I mean, NIDS's within the internal network should be adopted to the 
environmental needs to minimize false positives/negatives.

Still sensors places at strategical points might be helpful for analyzing 
still unknown threats. A properly installed intrusion detection system is 
able to log threats though there not public yet by examining the traffic.

If you're being attacked which means help you even realizing that you've
been attacked. Usually firewall logs as is won't help you that much. Usually
you just don't know, if there has someone trying to use an vulnerability 
against your server software to gain unprivileged access.

Another point is, that programs like DeepSight do data mining and evaluation 
to keep track on whats happening world-wide regarding security issues.
This is really helpful for security engineers/vendors to develop signatures 
and counter measures to stop new threats.

An NIDS placed in front of a firewall could be quite useful not just to 
identify and track attacks. Taking counter-measures proactively (like 
blocking) is a big deal. So why should attacks for known vulnerabilities
enter your "secured" network? And which security engineers is going like
"hey, when there is a vulnerability i will know since servers will break down
or whatever".

-----------------------------
Sebastian Schneider
straightLiners IT Consulting & Services
ses () straighliners de

On Thursday 07 August 2003 21:00, Tom Arseneault wrote:
> My point was "In a perfect world with unlimited resources" monitoring for
> all types of attacks, whether or not your vulnerable, gives you a good
> indicator of who your enemies are and what they are doing. And I agree that
> in most cases this is not pratical, not enough people, money, or compute
> resource, but that does not mean it's a bad idea.
>
> Also signatures are not perfect, there might be two closely releated
> vulnerabilities one being patch the other not which could match the same
> signature and if you ignor the signature because you think your patched you
> could be wrong. No, I can't think of any examples but since his was a
> "philosophical question" and not a specific point I felt it was valid to
> stretch the bounds of probability a bit.
>
> Here is my overall IDS opinion (mentioned just so I can get feed back as to
> how close/far from the mark I am) an external (outside the firewall) NIDS
> system that just logs, only used to give general attack trends but does not
> give alerts, and internal NIDS systems at strategic locations to closely
> monitor the important systems which do give alerts. Of course generous
> amounts of HIDS and other technology sprinkled along the way to round out
> the package.
>
> Sorry about leaving out the "In a perfect world with unlimited resources"
> part, it may have made my original post more in line with others thinking.
>
> Thomas J. Arseneault
> Security Engineer
> Counterpane Internet Security
> tarseneault () counterpane com
>
> -----Original Message-----
> From: Mark Tinberg [mailto:mtinberg () securepipe com]
> Sent: Wednesday, August 06, 2003 4:38 PM
> To: Tom Arseneault
> Cc: 'Paul Schmehl'; focus-ids () securityfocus com
> Subject: RE: IDS is dead, etc
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 6 Aug 2003, Tom Arseneault wrote:
> > My $.02 worth...
>
> I don't think inflation has driven up the price of my opinions so far yet
> 8^)
>
> > Any particular Nimda attack if your patched does'nt mean anything,
> > however if the volumn of attacks rise sharply in a short time period it's
> > time to research as to why is going up: are you the only one seeing it?
> > Is it a general rise in volumn for the Internet as a whole? Is part of a
> > signature of some new vulnerability? That is why you care even if your
> > patched.
>
> I'm not sure how relevant this really is.  If you are patched against the
> vulnerability then you are patched, it doesn't matter if a new variant
> is released that exploits the same vulnerability.  A new worm exploiting a
> new vulnerability is a different story but hopefully you'd have a seperate
> or a more generic sig to detect this.  I don't know how often it would be
> that a new worm exploiting a new vulnerability would match the signature
> in your IDS sensor for an old vuln such as is exploited by CR/Nimda.
>
> In fact, just limiting ourselves to CR/Nimda, it shouldn't be too
> difficult to limit the match to just internal->internal traffic which is
> the most effective way to detect an old, unpatched and infected host on
> your network.  The attack vector and propegation methods of CR/Nimda are
> widly known, and completely uninteresting if you are not vulnerable.
>
> I think what we have here though are different perspectives borne of
> different needs and different sensor layouts.  I would imagine that even
> if there were sensors on every subnet of UT Dallas that wouldn't be enough
> coverage to really determine the attack trends for the Internet at large.
> That's probably different from your setup, as an MSSP you have access to
> sensors all over the place, so would have more data to go on when
> determining wider trends.
>
> > -----Original Message-----
> > From: Paul Schmehl [mailto:pauls () utdallas edu]
> >
> > --On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum"
> >
> > <dgoodrum () nfr com> wrote:
> > >   One, provide the customer with more information (i.e. I see nimda
> > > alerts, but it also says that the dest OS is RedHat, therefore the end
> > > user can ignore it).
> >
> > This brings up what I guess is a philosophical question.  Why would you
> > want to know about Nimda attacks against your servers?  If you're
> > properly secured, they won't have any effect.  And if you're not, you'll
> > know about them soon enough.
> >
> > I've altered all these types of rules to alert me when a host *inside*
> > our network is infected.  Now *that* I want to know about.  To me,
> > Nimda/Code Red/Slammer attacks from the outside are just part of the
> > background noise of the Internet.
>
> - --
> Mark Tinberg <MTinberg () securepipe com>
> Network Security Engineer, SecurePipe Inc.
> New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: For info see http://quantumlab.net/pine_privacy_guard/
>
> iD8DBQE/MZ9+Fu7F5OUjbGcRAqbOAKCiDhAnpW1Xmg3IP5+jUViTxYgwjgCcCbNk
> MNCc2TYWxNOGmCnCzKXzoaw=
> =bz2B
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Ensure Reliable Performance of Mission Critical Applications
> Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at: http://www.captusnetworks.com/ads/31.htm
> ---------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Ensure Reliable Performance of Mission Critical Applications
> Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at: http://www.captusnetworks.com/ads/31.htm
> ---------------------------------------------------------------------------



---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------