IDS mailing list archives
RE: IDS is out of context--was-->IDS is dead, etc
From: "Arian J. Evans" <arian.evans () bigfoot com>
Date: Mon, 11 Aug 2003 22:13:10 -0500
Scott and Bennet (et al),

First--sorry for bounces; Bigfoot killed my account again for some unknown reason, so if you reply please leave my work address on the cc: line.

My $0.01 USD (deprecated to reflect market value):

I think we're leaving certain contexts out. As in:

# world. The number of systems that are backdoored -- today, and the
# number of non-public vulnerabilities and exploits is slightly disturbing.

There's a definite value for IDS there at a high level. Though they don't want to be called NIDS, Securify, Lancope, Mazu, Arbor, and probably some others provide definite answers here. Profile and policy your network, monitor for non-compliance (yes, I'm very aware of all the "ifs", "ands", and "buts" in accurately profiling your network, but it is very do-able). If the malicious activity (backdoor, etc.) is low and slow, or running through allowed channels (e.g. a covert channel runs across public-infrastructure-sourced HTTP and all public HTTP is allowed to and from that asset by your defined policy...) then obviously you won't catch it. But there's good odds it's not normal and some deep protocol inspection will catch it.

# Perhaps the most disturbing is that the bar is really only raised for
# the script kiddies; they never posed a substantial risk anyway.

Depends on who you are and to whom you are referring. Take smaller, less security-savvy organizations that do not have sound backup procedures. Script Kiddie + remote root + rm = substantial impact. That sort of stuff happens all the time. In those contexts, the risk is high and so is the impact. We have customers who still need help properly configuring a firewall, and for whom NIDS/HIDS/SEMs are mostly shelfware. You can find the same conceptual issue in large <=F500 corporations where fw and NIDS are run by different groups, and a third is responsible for patch management/OS, etc.

IDS in that context becomes (a) a way of keeping score, and (b) a way of detecting when incidents occur b/c some other group didn't do their job properly.

# I really like your description of NIDS as AV scanners for the network.
# That's classic. Although, some will argue that the more behavioral
# oriented NIDS have moved past that point.

That's a common (and apt) comparison. Actually, think about the evolution AV went through in the early VX days, and why AV vendors came up with heuristic engines (read up on the Russian VX lists back around '97 or so, regarding techniques they were using to evade virus scanners; dynamic memory offsets and such). The signature + behavior AV approach is exactly (IMO) what is going on w/NIDS.

# A good NIDS is an invaluable tool for network managers.

Actually, if you want trending and analysis, pretty reports for CYA and budget justification, etc. (which is what I think you meant here) then the myriad of SEMs are probably more useful; they can build a wider picture. (e.g. netForensics, Arcsight, Guarded.net, eSecurity, NI, etc. etc.) But I see and agree. There's a more systemic issue here, which I'm going to discuss later in a response to Marty's email.

# But, a NIDS is not the security "solution" that they are marketed as.

Hmmm, I have got to disagree. Back to context. If we were talking about my home network, for instance, I'd have to agree. Every host is hardened (except the bastion ;). I've got Snort piping data into a SQL2k database, and all it's useful for is learning. (anyone know of a good open source tool for sucking snort data out of SQL 2000 and charting it? I'm too lazy to write my own queries and html or excel it....) If I based my thoughts on NIDS off of my home network, or work network, or networks that likely you have built and maintained, that would be a biased sample, b/c we already *get it*. (err, I hope...)

There's still plenty of people who don't get it, who need an alarm system to help counter the mistakes they make. They don't realize they left the door unlocked, so they need to know when someone wanders in their back door after midnight...even though it's a well-known attack. (sorry, best I could come up with). Or, again, that situation of distributed responsibility, and we all know in certain excessively political and bureaucratic organizations, groups don't always communicate and/or work together effectively. IDS are part audit tool and part genuine incident detector in those environments. I could give you tons of specific examples, but I'm trying to avoid the "email of anecdotal evidence" approach.

Thanks for all the stimulating dialogue,

Cheers,

Arian J. Evans
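The "profile and policy your network, monitor for non-compliance" idea in the post above, and its caveat that low-and-slow traffic over an allowed channel slips past a pure policy check, can both be shown on a handful of flow records. The following is an added example written for this archive page; it is not code from the post, from Snort, or from any of the vendors named. The policy table, all addresses, and the flow records are constructed, and the "regular inter-arrival time" heuristic is only one of many behavioural checks a product would layer on top of the policy check.

```python
# Added example (not from the original post): a policy-baseline monitor in the
# spirit of "profile and policy your network, monitor for non-compliance".
# The policy table, all addresses and the flow records below are constructed.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    dport: int


# Constructed policy: (source network, destination network, destination port).
# Anything not matched here is "not normal" for this network profile.
POLICY = [
    ("10.0.1.0/24", "0.0.0.0/0", 80),      # workstations -> any HTTP
    ("10.0.1.0/24", "0.0.0.0/0", 443),     # workstations -> any HTTPS
    ("10.0.2.0/24", "10.0.3.0/24", 3306),  # app servers -> database subnet
]


def is_allowed(flow, policy=POLICY):
    """True if the flow matches at least one policy tuple."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for src_net, dst_net, port in policy:
        if (flow.dport == port
                and src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)):
            return True
    return False


def non_compliant(flows, policy=POLICY):
    """Flows outside the profile: the high-level win the post describes."""
    return [f for f in flows if not is_allowed(f, policy)]


def beacon_candidates(flows, min_count=5, max_cv=0.1):
    """Allowed channels can still carry something that is 'not normal'.

    Groups flows by (src, dst, dport) and flags groups whose inter-arrival
    times are suspiciously regular (coefficient of variation <= max_cv).
    Human browsing is bursty; a periodic check-in over permitted HTTP is not.
    """
    by_conv = defaultdict(list)
    for f in flows:
        by_conv[(f.src, f.dst, f.dport)].append(f.ts)
    hits = set()
    for key, stamps in by_conv.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.add(key)
    return hits


# Constructed flow records standing in for exported NetFlow/firewall logs.
SAMPLE_FLOWS = [
    # ordinary, bursty browsing from a workstation (allowed, not periodic)
    *(Flow(t, "10.0.1.5", "198.51.100.10", 80) for t in (100, 137, 160, 305, 410)),
    # app server talking to the database subnet (allowed)
    Flow(200, "10.0.2.20", "10.0.3.7", 3306),
    # workstation opening SSH to an app server: outside the profile
    Flow(250, "10.0.1.9", "10.0.2.20", 22),
    # allowed HTTP, but a check-in every ~600 s: the low-and-slow case
    *(Flow(t, "10.0.1.12", "203.0.113.50", 80) for t in (0, 600, 1199, 1802, 2400, 2998)),
]


def report(flows=SAMPLE_FLOWS, policy=POLICY):
    """Both views: policy violations, and 'not normal' traffic on allowed paths."""
    return {
        "non_compliant": [(f.src, f.dst, f.dport) for f in non_compliant(flows, policy)],
        "beacon_candidates": sorted(beacon_candidates(flows)),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(name, hits)
```

The SSH flow is caught by the policy check alone; the periodic HTTP check-in is fully policy-compliant and only stands out because its timing is unlike the bursty browsing from the other workstation. Tuning `min_count` and `max_cv` against a real baseline is where the "ifs, ands and buts" of profiling live: too loose and scheduled legitimate jobs (updates, monitoring polls) fire; too tight and a check-in with added jitter is missed.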