IDS mailing list archives
RE: True definition of Intrusion
From: "Craig H. Rowland" <crowland () cisco com>
Date: Tue, 30 Dec 2003 16:08:27 -0600
Hi Gary,
Hi Craig (and list)... It's been a while... :)Here is the some of the attack patterns type signatures being classified by many vendors who are no pushin Intrusion Prevention attack detection FIN without ACK Attack FTP Buffer Overflow attack ICMP Flood Attack ICMP Fragment Attack ICMP Source Session Limit ICMP Sweep Attack Invalid URL Attack IP Fragment IP Land Attack IP Loose Source Record Routing IP Record routing IP Security Option IP Strict Source Record Routing IP Timestamp Option Large ICMP Packet Attack Ping of Death Attack POP2 Buffer Overflow Attack POP3 Buffer Overflow Attack Port Scan Attack SYN Flood Attack SYN Fragment Attack TCP with No Flag Attack UDP Flood Attack UDP Land Attack UDP Source Session Limit Unknown IP protocol None of the listed above, should be classified as Intrusion Prevention, since they are really in essence "glorified"IntrusionDetection class patterns. Most of the listed aboveWhy not? If it is a mechanism of intrusion, and can bestopped beforesuccessful execution, then it has been prevented.Out of context, no one would disagree. How could anyone argue that stopping activity well before it becomes an "intrusion" is not intrusion prevention?! However, in context ("context" being the above list of "intrusions" [biting cheek, really hard]), is a different story. Paraphrasing what Mark said - most all of those "attacks" (using that term as loosely as possible) can be trivially mitigated in most routers and switches, including an $80 D-Link.
I think we're reading too much into the word intrusion here. From my perspective any malicious activity, including those that lead up to the attack, are part of the intrusion attempt. If that means I stop a recon probe from blossoming into a full-blown assault then the intrusion prevention worked. If that means I missed everything up until the very last moment when the stack is being corrupted and code is beginning to run before it is stopped the intrusion prevention worked. The attacker doesn't know the difference either. They just see the attack fail and don't know why it failed. Also, FWIW, don't think that blocking all of those attacks can be done with simple filters on a router. Some of those rules fall into the role of TCP/IP normalization which requires quite a bit of logic and falls outside of the scope of most network hardware. Other sigs in that very brief list are obviously outside of the scope of most filters (buffer overflow detection, URL parsing, etc.)
This kind of brings us to the big joke of network IPS as it stands today ("IPS" being network-based enterprise class perimeter-focused solutions that are typically discussed). Most people *assume* that since an IDS can audit 1000's of different types of potential attacks, it would follow that an IPS can stop the same number. IPS vendors routinely capitalize on naive assumptions along these lines, and before you know it, you have organizations like Gartner echoing vendor marketing jingles without actually performing some sort of validation testing themselves.
I can't defend the network IPS vendors on their claims, I can only look at what is *likely* based on my experience in the security industry for a number of years. I think it's premature to judge what vendors can and cannot do with respect to signatures and blocking. I happen to think that traditional IDS is still a very useful tool, but I hate making technology predictions against companies because they always blow up in your face. Most of the world's problems have been solved by people and companies that were initially told that "It can't be done!" So whether the claims are fact or fiction isn't the main dispute in my mind as both technologies are useful. For me it's a question about appropriate application for the customer. As it stands now both IDS and IPS have their place.
I *LOVE* how every term in the vendor-supplied list at the start of this email ends with the word "attack"!!! Really think about that one for a minute... Have you ever pulled back the hood of an IPS to see what RELEVANT activity it *really* will and will not stop? Many of these [network] devices are great at stopping "recon" and other "early" activity. However, they also are making the assumption that hackers follow the methodologies described in Hacking Exposed and related introductory security texts. The only people I routinely see employing such a structured approach to hacking are security people - not hackers. And yes, before any IPS zealots jump down my throat, there are other types of activities that can be stopped (besides recon), but on *no* scale *anywhere* near the number of activities that can be audited with an IDS - good, bad, or indifferent.
Again I'm not able to defend the IPS vendors, but I think your taking a statement of conjecture and turning it into an undisputed fact. I've not used the products closely enough to say what can and can't be done, but I do know that most of the time marketing forces dictate that a vendor can only get away with bold statements long enough before they're either: A) Rejected by the market for being liars -or- B) Accepted by the market for telling the truth We'll just have to wait and see what happens in 2004. As far as the other part is concerned (attack methods) it may be true that hackers follow certain methodologies that are perhaps different from those of, say, security auditors. The fact still remains that in order to compromise systems common elements must remain. Buffer overflows are buffer overflows and network sweeps are network sweeps. Sure a signature based system may not catch 100% of the attacks 100% of the time, but they can catch a large percentage of attacks used by a large percentage of attackers. You may not be seen immediately, but eventually you'll do something to slip up and you will be spotted. It's just a matter of time in most cases because the combined probabilities of widescale monitoring combined with sweeping signatures are a powerful lever.
And forget structure for a minute... Stops "IP Land Attack" AAAHHHHH! Can I really become a millionaire by developing a HIPS for Windows for Workgroups 3.11??? Ok, that's a little extreme (however, still taken from the list above), but does "significance" have any meaning to anyone these days?
<speaking for myself> Don't blame the vendors. Blame the IDS testing people and creators of testing products who continue to test for attacks from the early 90's and ding the vendors when they don't detect them. Do you really think the vendors want to keep this stuff in the default signature base? Also just because a signature appears to be "old" doesn't mean the underlying principle of the signature isn't valid. In the case of the Land attack you have a packet flowing on the network that has the source/dest address and port set identically going to a target host. This is incredibly suspicious regardless of whether it works or not. It may not be relevant as a Land attack, but could post potential problems that are yet unknown (or more likely, destined to be repeated). At a minimum it's a sure sign that someone is on your network who is screwing with you.
So is the ability to stop a few attacks acceptable enough? Guess it entirely depends on your threshold. From the perspective of a vendor, I'd don't want to be responsible for developing a product that is deliberately limited - vendors should be developing the most thorough solutions conceivable - which means developing solutions around the threats, not marketing messages. It's unfortunate how blatantly this trend is declining.
Although we haven't defined what an acceptable threshold is and this varies by customer. For instance Cisco's Okena product (warning product placement in progress) can be setup with a very limited threshold of things it will block. Let's look at a policy that only monitored Microsoft Outlook and only blocked the ability of this program to read/write to files outside of it's defined workspace. This simple policy would stop a large number of Trojan horses immediately without having any signatures at all. How useful is such a simple policy? Very useful if you're a large enterprise plagued with worms. Is it worth paying bucks for and rolling out to your entire enterprise with just this feature turned on? Well if you asked me two years ago I would have said it probably wasn't, but today I'd say: "Who do I make the check out to?" So times have changed and strategies need to adapt. That is what makes computer security interesting after all.
I tend to agree, "true" Intrusion Prevention could be defined as "alien" technology, since known of the vendors can agree to what Intrusion Prevention really is. I guess marketingfolks/marketingcommunication folks will have something to do for the next few months and figure out what "snake oil" they can assemble.Vendors don't have to agree on anything and rarely do. The customer decides with their pocketbook.I owe you a beer.
How about some Tequila?
technologies just reported problems if you were lucky). With the widescale proliferation of worms, e-mail scams, etc. the benefit is becoming very obvious to many people that you need intrusionpreventiontechnology.Is preventing each of those threats at the location where an IDS has historically been placed the best solution? I just snipped a bunch of text that points to "no" being the answer.
If you had Okena loaded on your workstations and the *only thing* it ever did all year was block the RPC DCOM overflow it more than paid for itself in 2003 (and probably 2004,2005,2006).
We keep going back to dealing with these threats at the host, gateway, and other devices. In other words, more secure devices (network infrastructure devices as well as end systems). That's not IPS - that's a better and more secure system design from the beginning, and it doesn't require additional cost/administration overhead for perimeter-centric solutions.
Yeah but I'm a fatalist and I realize that networks will never be secure to this level. Patches will always remain unapplied, routers will always be misconfigured, and users will always run attachments that are called "runme.exe" Even if the system is designed to be secure it will always fail at some point. Programmers don't go out of their way to make programs insecure, it just happens. Having extra monitoring on the network and systems that can spot common issues and stop them in real-time is only a benefit.
Then why have an IDS? Auditing, log reduction, tracking, and forensics to name a few reasons. It's not that IDS was
Absolutely. I think this need will exist for a long time.
misrepresented from the beginning (as others stated early in this thread). I clearly remember leaning to use IDS years ago as a network auditing, surveillance, reporting, and forensics tool. I think some of the newer vendors have mis-sold themselves from the beginning, and that has created a host of new problems for vendors and end-users alike. Anyways... This thread can go in circles for weeks, and I bet $10 it won't stop until it's eventually killed. Since everyone has a different threshold (or understanding, which is worse when it's a vendor in question) for what they consider an "attack," the definitions for "intrusion" will be pretty different too. Because of that, good luck trying to get consensus on what a prevention "system" actually is - especially with vendors trying to push sales on this list.
Well I look at it this way: We don't need to decide what to call this new breed of technology because the markets will do it for you. For me intrusion prevention is just fine because people know what it means to them. Vendors who claim intrusion prevention but don't deliver it will become immediately apparent to those customers who are looking. After all, I can call a cat a dog all day long but in the end it's still a cat. -- Craig --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- RE: True definition of Intrusion Golomb, Gary (Dec 30)
- RE: True definition of Intrusion Craig H. Rowland (Dec 30)