IDS mailing list archives

RE: IDS is dead, etc


From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 13 Aug 2003 00:01:27 -0500

Sounds good, but...

It seems more a wish than a prediction. There simply is no technology
that will be able to handle and correlate all the variables needed for
an effective "intrusion prevention" (I personally don't even like the
term "Intrusion prevention systems", it is confusing and ambiguous).

If right now we are having a hard time configuring a simple nIDS to do
some automatic response (even with the best of our security experts
involved), how is that technology going to do that without causing more
harm (DoS?) than good?

Basically, a nIDS with response capabilities to cut connections has the
same effect as instructing a firewall to block the source of an attack,
identified by a nIDS.

To be able to work effectively, this device would need to:
* Recognize that we have customer/business partner relationships
* Relate IP addresses, services and network names with corresponding
business relationships and process
* Know what your business is about (at least in terms of what the
network is used for)
* Know how and why business processes change
* Know what is done at which hour, day, month
* Correlate all of the above, and much more, and apply filters
accordingly
* And also generate reports the way your boss likes them

Automated systems can be used to do each of these activities
individually (at least those that are simple enough) fairly well, but
when you try to put them together, the automatic part of that system
will cease to exist because you will have someone behind fine tuning the
thing, permanently.

The key is "correlation", and right now I don't see a better security
solution than a well prepared security professional to correlate that.

In my opinion, instead of trying to build something to replace those
experts with technology that right now is unable to do so, we should
focus on making better tools to help them correlate security events.

If I remember correctly, building the perfect intelligent device was an
idea of the early stages of artificial intelligence, and people in that
area recognized decades ago that it is more feasible to create small
systems to deal with relatively simple tasks and a small number of
variables.

Just some thoughts...

Omar Herrera
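The point above is that an nIDS "response" is just a firewall block, and a block issued without business context can do more damage than the attack. The following is an added example, not code from the thread or from any product mentioned in it: a small response gate that takes an nIDS alert and decides whether it may be turned into an automatic block, or must be escalated to an analyst, using exactly the kinds of context listed (partner relationships, critical services, time of day). The partner networks, service list, business hours and the alert-line format are all constructed for the example.

```python
"""Added example: a policy gate between an nIDS alert and an automatic
firewall block. It encodes the business context Omar Herrera lists
(partner networks, critical services, working hours) so that a raw
alert is never turned straight into a block. All data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed business context. Real deployments would load this from an
# asset inventory / CMDB; here it is embedded so the example runs offline.
PARTNER_NETWORKS = {
    ip_network("203.0.113.0/24"): "payment partner (hypothetical)",
    ip_network("198.51.100.0/26"): "logistics partner (hypothetical)",
}
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services whose availability matters more than stopping a probe: a bad
# block here is a self-inflicted DoS, so always involve a human.
CRITICAL_SERVICES = {443: "customer web portal", 25: "mail gateway"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time: an analyst can undo a block quickly


@dataclass(frozen=True)
class Alert:
    src: str
    dst_port: int
    signature: str
    when: datetime


def parse_alert(line: str) -> Alert:
    """Parse a constructed one-line alert: '<iso-time> <src> -> :<port> <signature text>'."""
    ts, src, arrow, port, *sig = line.split()
    if arrow != "->" or not port.startswith(":"):
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(src, int(port[1:]), " ".join(sig), datetime.fromisoformat(ts))


def decide(alert: Alert) -> tuple[str, str]:
    """Return (action, reason); action is 'block', 'escalate' or 'log'."""
    src = ip_address(alert.src)
    if src.is_loopback or src.is_link_local or any(src in n for n in INTERNAL_NETWORKS):
        # An internal address in an alert may be spoofed or may be our own
        # users; a perimeter block would cut them off.
        return "escalate", "internal source: blocking would affect our own users"
    for net, name in PARTNER_NETWORKS.items():
        if src in net:
            return "escalate", f"source belongs to {name}; an auto-block breaks a business relationship"
    if alert.dst_port in CRITICAL_SERVICES:
        return "escalate", f"target is the {CRITICAL_SERVICES[alert.dst_port]}; risk of self-inflicted DoS"
    if alert.when.hour not in BUSINESS_HOURS:
        # Nobody is on duty to reverse a wrong block, so only record it.
        return "log", "outside business hours: record only, review when an analyst is available"
    return "block", "unknown source, non-critical service, analyst on duty to review the block"


if __name__ == "__main__":
    # Constructed alert lines covering each branch of the policy.
    SAMPLE_ALERTS = [
        "2003-08-12T10:00:00 203.0.113.7 -> :22 SSH brute force",
        "2003-08-12T10:05:00 192.0.2.9 -> :22 SSH brute force",
        "2003-08-12T23:30:00 192.0.2.9 -> :22 SSH brute force",
        "2003-08-12T10:10:00 192.0.2.9 -> :443 SQL injection attempt",
        "2003-08-12T10:15:00 10.0.0.5 -> :22 SSH brute force",
    ]
    for line in SAMPLE_ALERTS:
        action, reason = decide(parse_alert(line))
        print(f"{action:8} {line}\n         {reason}")
```

Every alert still produces an action, but only one branch reaches the firewall unattended; the rest is exactly the correlation work the message says still needs a person, made explicit as data an analyst maintains rather than hidden in the responder.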


-----Original Message-----
From: JAVIER OTERO [mailto:jotero () SMARTEKH com] 
Sent: Tuesday, 12 August 2003 09:28 a.m.
To: Jason Haar; focus-ids () securityfocus com
Subject: RE: IDS is dead, etc

In my opinion IDS will die in its current form; being notified about
an attack is better than not knowing, but it is better to stop the attack.
IDS must evolve toward firewall technology and vice versa: firewalls
must include IDS technology to stop attacks.
One vendor that is doing this is NetScreen; they have the IDP (IDS +
prevention) and they are working on adding some IDP features to their FW.
This will put more security, and more tuning, in the internet gateway,
but the internal IDP will still be required, just as with antivirus: you
require it on the gateway, mail and PC, since they can still insert an
infected diskette.

Ing. Fco. Javier Otero De Alba 
