RE: True definition of Intrusion

["Craig H. Rowland" <crowland () cisco com>]

Hi Gary,

> Hi Craig (and list)... It's been a while... :)
>
> > > Here is the some of the attack patterns type signatures being 
> > > classified by many vendors who are no pushin Intrusion Prevention 
> > > attack detection
> > >
> > > FIN without ACK Attack
> > > FTP Buffer Overflow attack
> > > ICMP Flood Attack
> > > ICMP Fragment Attack
> > > ICMP Source Session Limit
> > > ICMP Sweep Attack
> > > Invalid URL Attack
> > > IP Fragment
> > > IP Land Attack
> > > IP Loose Source Record Routing
> > > IP Record routing
> > > IP Security Option
> > > IP Strict Source Record Routing
> > > IP Timestamp Option
> > > Large ICMP Packet Attack
> > > Ping of Death Attack
> > > POP2 Buffer Overflow Attack
> > > POP3 Buffer Overflow Attack
> > > Port Scan Attack
> > > SYN Flood Attack
> > > SYN Fragment Attack
> > > TCP with No Flag Attack
> > > UDP Flood Attack
> > > UDP Land Attack
> > > UDP Source Session Limit
> > > Unknown IP protocol
> > >
> > > None of the listed above, should be classified as Intrusion 
> > > Prevention, since they are really in essence "glorified" 
> Intrusion 
> > > Detection class patterns. Most of the listed above
> >
> > Why not? If it is a mechanism of intrusion, and can be 
> stopped before 
> > successful execution, then it has been prevented.
>
> Out of context, no one would disagree. How could anyone argue 
> that stopping activity well before it becomes an "intrusion" 
> is not intrusion prevention?!
>
> However, in context ("context" being the above list of 
> "intrusions" [biting cheek, really hard]), is a different 
> story. Paraphrasing what Mark said - most all of those 
> "attacks" (using that term as loosely as
> possible) can be trivially mitigated in most routers and 
> switches, including an $80 D-Link. 

I think we're reading too much into the word intrusion here. From my
perspective any malicious activity, including those that lead up to the
attack, are part of the intrusion attempt. If that means I stop a recon
probe from blossoming into a full-blown assault then the intrusion
prevention worked. If that means I missed everything up until the very
last moment when the stack is being corrupted and code is beginning to
run before it is stopped the intrusion prevention worked. The attacker
doesn't know the difference either. They just see the attack fail and
don't know why it failed. 

Also, FWIW, don't think that blocking all of those attacks can be done
with simple filters on a router. Some of those rules fall into the role
of TCP/IP normalization which requires quite a bit of logic and falls
outside of the scope of most network hardware. Other sigs in that very
brief list are obviously outside of the scope of most filters (buffer
overflow detection, URL parsing, etc.)
 
> This kind of brings us to the big joke of network IPS as it 
> stands today ("IPS" being network-based enterprise class 
> perimeter-focused solutions that are typically discussed). 
> Most people *assume* that since an IDS can audit 1000's of 
> different types of potential attacks, it would follow that an 
> IPS can stop the same number. IPS vendors routinely 
> capitalize on naive assumptions along these lines, and before 
> you know it, you have organizations like Gartner echoing 
> vendor marketing jingles without actually performing some 
> sort of validation testing themselves. 

I can't defend the network IPS vendors on their claims, I can only look
at what is *likely* based on my experience in the security industry for
a number of years. I think it's premature to judge what vendors can and
cannot do with respect to signatures and blocking. I happen to think
that traditional IDS is still a very useful tool, but I hate making
technology predictions against companies because they always blow up in
your face. Most of the world's problems have been solved by people and
companies that were initially told that "It can't be done!" So whether
the claims are fact or fiction isn't the main dispute in my mind as both
technologies are useful. For me it's a question about appropriate
application for the customer. As it stands now both IDS and IPS have
their place.
 
> I *LOVE* how every term in the vendor-supplied list at the 
> start of this email ends with the word "attack"!!! Really 
> think about that one for a minute... Have you ever pulled 
> back the hood of an IPS to see what RELEVANT activity it 
> *really* will and will not stop? Many of these [network] 
> devices are great at stopping "recon" and other "early" 
> activity. However, they also are making the assumption that 
> hackers follow the methodologies described in Hacking Exposed 
> and related introductory security texts. The only people I 
> routinely see employing such a structured approach to hacking 
> are security people - not hackers. And yes, before any IPS 
> zealots jump down my throat, there are other types of 
> activities that can be stopped (besides recon), but on *no* 
> scale *anywhere* near the number of activities that can be 
> audited with an IDS - good, bad, or indifferent. 

Again I'm not able to defend the IPS vendors, but I think your taking a
statement of conjecture and turning it into an undisputed fact. I've not
used the products closely enough to say what can and can't be done, but
I do know that most of the time marketing forces dictate that a vendor
can only get away with bold statements long enough before they're
either:

A) Rejected by the market for being liars
-or-
B) Accepted by the market for telling the truth

We'll just have to wait and see what happens in 2004.

As far as the other part is concerned (attack methods) it may be true
that hackers follow certain methodologies that are perhaps different
from those of, say, security auditors. The fact still remains that in
order to compromise systems common elements must remain. Buffer
overflows are buffer overflows and network sweeps are network sweeps.
Sure a signature based system may not catch 100% of the attacks 100% of
the time, but they can catch a large percentage of attacks used by a
large percentage of attackers. You may not be seen immediately, but
eventually you'll do something to slip up and you will be spotted. It's
just a matter of time in most cases because the combined probabilities
of widescale monitoring combined with sweeping signatures are a powerful
lever. 
 
> And forget structure for a minute... Stops "IP Land Attack" 
> AAAHHHHH! Can I really become a millionaire by developing a 
> HIPS for Windows for Workgroups 3.11??? Ok, that's a little 
> extreme (however, still taken from the list above), but does 
> "significance" have any meaning to anyone these days? 

<speaking for myself>

Don't blame the vendors. Blame the IDS testing people and creators of
testing products who continue to test for attacks from the early 90's
and ding the vendors when they don't detect them. Do you really think
the vendors want to keep this stuff in the default signature base? 

Also just because a signature appears to be "old" doesn't mean the
underlying principle of the signature isn't valid. In the case of the
Land attack you have a packet flowing on the network that has the
source/dest address and port set identically going to a target host.
This is incredibly suspicious regardless of whether it works or not. It
may not be relevant as a Land attack, but could post potential problems
that are yet unknown (or more likely, destined to be repeated). At a
minimum it's a sure sign that someone is on your network who is screwing
with you. 

> So is the ability to stop a few attacks acceptable enough? 
> Guess it entirely depends on your threshold. From the 
> perspective of a vendor, I'd don't want to be responsible for 
> developing a product that is deliberately limited - vendors 
> should be developing the most thorough solutions conceivable 
> - which means developing solutions around the threats, not 
> marketing messages. It's unfortunate how blatantly this trend 
> is declining. 

Although we haven't defined what an acceptable threshold is and this
varies by customer. For instance Cisco's Okena product (warning product
placement in progress) can be setup with a very limited threshold of
things it will block. 

Let's look at a policy that only monitored Microsoft Outlook and only
blocked the ability of this program to read/write to files outside of
it's defined workspace. This simple policy would stop a large number of
Trojan horses immediately without having any signatures at all. How
useful is such a simple policy? Very useful if you're a large enterprise
plagued with worms. Is it worth paying bucks for and rolling out to your
entire enterprise with just this feature turned on? Well if you asked me
two years ago I would have said it probably wasn't, but today I'd say:
"Who do I make the check out to?" So times have changed and strategies
need to adapt. That is what makes computer security interesting after
all.
 
> > > I tend to agree, "true" Intrusion Prevention could be defined as 
> > > "alien" technology, since known of the vendors can agree to what 
> > > Intrusion Prevention really is.  I guess marketing 
> folks/marketing 
> > > communication folks will have something to do for the next few 
> > > months and figure out what "snake oil" they can assemble.
> >
> > Vendors don't have to agree on anything and rarely do. The customer 
> > decides with their pocketbook.
>
> I owe you a beer. 

How about some Tequila?
 
> > technologies just reported problems if you were lucky). With the 
> > widescale proliferation of worms, e-mail scams, etc. the benefit is 
> > becoming very obvious to many people that you need intrusion
> prevention
> > technology.
>
> Is preventing each of those threats at the location where an 
> IDS has historically been placed the best solution? I just 
> snipped a bunch of text that points to "no" being the answer. 

If you had Okena loaded on your workstations and the *only thing* it
ever did all year was block the RPC DCOM overflow it more than paid for
itself in 2003 (and probably 2004,2005,2006). 

> We keep going back to dealing with these threats at the host, 
> gateway, and other devices. In other words, more secure 
> devices (network infrastructure devices as well as end 
> systems). That's not IPS - that's a better and more secure 
> system design from the beginning, and it doesn't require 
> additional cost/administration overhead for perimeter-centric 
> solutions. 

Yeah but I'm a fatalist and I realize that networks will never be secure
to this level. Patches will always remain unapplied, routers will always
be misconfigured, and users will always run attachments that are called
"runme.exe"
Even if the system is designed to be secure it will always fail at some
point. Programmers don't go out of their way to make programs insecure,
it just happens. Having extra monitoring on the network and systems that
can spot common issues and stop them in real-time is only a benefit.
 
> Then why have an IDS? Auditing, log reduction, tracking, and 
> forensics to name a few reasons. It's not that IDS was 

Absolutely. I think this need will exist for a long time.

> misrepresented from the beginning (as others stated early in 
> this thread). I clearly remember leaning to use IDS years ago 
> as a network auditing, surveillance, reporting, and forensics 
> tool. I think some of the newer vendors have mis-sold 
> themselves from the beginning, and that has created a host of 
> new problems for vendors and end-users alike. 
>
> Anyways... This thread can go in circles for weeks, and I bet 
> $10 it won't stop until it's eventually killed. Since 
> everyone has a different threshold (or understanding, which 
> is worse when it's a vendor in
> question) for what they consider an "attack," the definitions 
> for "intrusion" will be pretty different too. Because of 
> that, good luck trying to get consensus on what a prevention 
> "system" actually is - especially with vendors trying to push 
> sales on this list. 

Well I look at it this way: We don't need to decide what to call this
new breed of technology because the markets will do it for you. For me
intrusion prevention is just fine because people know what it means to
them. Vendors who claim intrusion prevention but don't deliver it will
become immediately apparent to those customers who are looking. After
all, I can call a cat a dog all day long but in the end it's still a
cat.

-- Craig


---------------------------------------------------------------------------
---------------------------------------------------------------------------