IDS mailing list archives
Re: Rather funny; looks like page defacement to me
From: "Robert Huber" <bob () swarmsecure com>
Date: Tue, 17 Jun 2003 23:41:37 -0400
I'll add fuel to the fire... While IDS systems can be a burden on your staff for many of the reasons cited, they also pay for themselves when you are trying to track down an incident, or the latest outbreak of "name_your_worm". For instance, in the recent round of the MS SQL Server worm, "Slammer", we used our IDS to track the flow of the worm within the company and were able to eradicate the worm within minutes. Without the IDS in place, we would not have known the worm had even penetrated our networks for hours, most likely. If you compare that to Code Red, where we spent many man hours trying to secure our networks, which we have a cost associated with, we can show a significant savings by having IDS to identify the Slammer worm.

I see several flaws in your article as well. Such as "A taxing incident-response process". Surely, incidents must only happen with IDS systems?? Incidents occur whether you have an IDS or not, and if you don't, good luck trying to reconstruct the event using a firewall only.

"An inability to monitor traffic at transmission rates greater than 600 megabits per second". Hmm..., there aren't many organizations out there going above 600 Mbps, and if so, I can think of several solutions that can deal with these speeds with ease, not to mention the fact that this speed will not matter to my host-based IDS.

"Firewalls are the most-effective defense against cyberintruders on the network, and they are becoming increasingly better at blocking network-based attacks," said Stiennon. Please... you can walk right through most firewalls without an issue. The market leader in firewalls is not an application firewall, so I can tunnel anything through port 80. Yes, they have a newly built-in defense, but only with about 20 attacks they look for, not to mention they can barely perform at gig speeds, so if they can't, why would I need an IDS that can?

Keep in mind that if your firewall is blocking attacks, then it must look for them, which means in retrospect it is performing intrusion detection analysis on the traffic. Do you think a firewall will be able to look for thousands of variations of attacks and still route traffic effectively at gig speeds? That's probably why they limit the number of signatures they have in their defense.

". . . vendors are now hyping intrusion prevention systems, which have also stalled," said Richard Stiennon, research vice president for Gartner. Isn't a firewall running some packet-level IDS inspection performing IPS? Isn't that what you are trying to push? Then how can IPS be failing? A firewall with, say, SmartDefense, is really IPS, is it not? They didn't even mention inline IDS systems such as Hogwash, RealSecure Guard etc..... Funny how one organization can change the landscape with such an article. As previously mentioned, my organization pays to hear the thoughts of Gartner, no matter how (in)accurate they may be... hook, line and sinker.

Bob

----- Original Message -----
From: <broyds () rogers com>
To: "Anton Chuvakin" <anton () chuvakin org>; <focus-ids () securityfocus com>
Sent: Friday, June 13, 2003 3:48 PM
Subject: Re: Rather funny; looks like page defacement to me
In general, they are perfectly correct. Most IDS installations are very expensive packet sniffers because most installations know so little about their enterprise network that they are unable to tune it in any meaningful way or design and place the sensors to monitor meaningful traffic.

I am not saying the IDS are always useless, but they are most useful as part of a well designed network that partitions traffic so that there is a good baseline understanding of what traffic should appear on each segment.

Interestingly, they denigrate Intrusion Prevention Systems and hail firewalls, when an IPS is really a firewall with a dynamically generated rule set. Most of us would agree that an internal office network requires a firewall between it and the Internet. The firewall normally only has a static rule set that basically only guarantees that TCP virtual circuits have correct TCP semantics and, for application gateways, that the traffic follows the protocol RFC. Most attacks these days are not at the layer 2/layer 3 level guarded by a firewall, but at layer 7 or above, using the fact that application protocols like HTTP, FTP, SMTP etc. have enough holes in them that a perfectly standards-conforming stream can be used to attack a host at the end of the stream.

Most IDS are still installed by people who don't even understand TCP/IP, let alone HTTP, or the proprietary stuff coming from Real Networks or Microsoft. How are they going to properly tune an IDS to avoid wasting a lot of time and effort on false positives or, conversely, ignoring everything so the IDS has no teeth?

So most IDS systems are a waste of money. They may be useful if they are installed by an MSSP who actually understands security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we need one.
From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link was posted on the Snort site. I figured I'd send it to the list, since it's a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous some claims are. For instance, did you know that IDS actually _cause_ incident response to happen? :-) Or this gem: "Money Slated for Intrusion Detection Should Be Invested in Firewalls"?

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
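Bob's point that the IDS let them "track the flow of the worm within the company", and Bill's that sensors only help when they are placed where the meaningful traffic is, both come down to the same analyst task: taking the sensor's alerts and turning them into an ordered picture of who got hit, who started scanning, and where the sensor has no view. The script below is an added example written for this archive page; it is not code from any message in the thread. It parses constructed Snort-style "fast" alert lines (not a real capture; the "MS-SQL Worm propagation attempt" signature name, the SID, the timestamps and the addresses are sample values chosen for the illustration) and reconstructs the propagation order from them.

```python
"""Reconstruct how a scanning worm spread from IDS alerts.

Added example (not from any message in this thread). It parses constructed
Snort-style "fast" alert lines -- not a real capture -- and works out, for each
host that was seen emitting worm traffic, when it started scanning and which
earlier alert most plausibly delivered the infection. The signature name, SID
and addresses below are sample values chosen for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# One Snort fast-format alert per line:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts: one outside host hits two internal SQL servers on
# UDP/1434, one of them starts scanning a few seconds later, and so on. The
# TCP line is unrelated noise that the reconstruction must ignore.
SAMPLE_ALERTS = """\
06/17-09:00:01.000100 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:40001 -> 10.1.1.5:1434
06/17-09:00:01.000300 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:40001 -> 10.1.1.9:1434
06/17-09:00:04.200000 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.2.0.7:1434
06/17-09:00:04.200500 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 10.3.0.2:1434
06/17-09:00:05.100000 [**] [1:1000001:1] Unrelated test rule [**] [Priority: 3] {TCP} 10.1.1.9:3389 -> 10.1.1.5:80
06/17-09:00:07.000000 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.2.0.7:1434 -> 10.1.1.5:1434
06/17-09:00:07.500000 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.2.0.7:1434 -> 10.4.0.1:1434
"""

WORM_MSG = "MS-SQL Worm"  # substring of the signature message we care about


def parse_alerts(text, year=2003):
    """Turn fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        # Snort's fast format carries no year, so the caller supplies it.
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "msg": m["msg"], "proto": m["proto"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def reconstruct_spread(alerts, msg_substr=WORM_MSG):
    """Return [(host, first_scan_time, likely_infector)] in order of infection.

    A host counts as infected once it is seen as the *source* of worm traffic.
    Its likely infector is the source of the latest worm alert that targeted it
    before it began scanning; None means no such alert was seen (patient zero
    as far as this sensor knows, or an entry path the sensor does not cover).
    """
    worm = sorted((a for a in alerts if msg_substr in a["msg"]), key=lambda a: a["ts"])
    first_scan = {}
    hits = defaultdict(list)  # dst -> [(ts, src)] worm packets aimed at dst
    for a in worm:
        first_scan.setdefault(a["src"], a["ts"])
        hits[a["dst"]].append((a["ts"], a["src"]))
    chain = []
    for host, started in sorted(first_scan.items(), key=lambda kv: kv[1]):
        prior = [(ts, src) for ts, src in hits[host] if ts < started]
        infector = max(prior)[1] if prior else None
        chain.append((host, started, infector))
    return chain


def targeted_but_quiet(alerts, msg_substr=WORM_MSG):
    """Hosts that received worm packets but were never seen scanning.

    These are the ones to verify by hand: patched, not running the service,
    or infected but on a segment the sensor cannot see.
    """
    worm = [a for a in alerts if msg_substr in a["msg"]]
    return sorted({a["dst"] for a in worm} - {a["src"] for a in worm})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for host, started, infector in reconstruct_spread(parsed):
        print(f"{started.time()}  {host:<12} scanning; infected via {infector or 'unknown/external'}")
    print("targeted but not (yet) scanning:", ", ".join(targeted_but_quiet(parsed)))
```

On the sample data this yields the chain 192.0.2.10 (no earlier hit seen, so external or unmonitored) -> 10.1.1.5 -> 10.2.0.7, and lists 10.1.1.9, 10.3.0.2 and 10.4.0.1 as hosts that were targeted but never seen scanning. The "latest hit before the first scan" rule is only a heuristic: if a sensor sits on a link the worm never crosses, a host can appear with no infector even though it was hit, which is exactly the sensor-placement problem raised earlier in the thread.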
Current thread:
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me), (continued)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Mike Lyman (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Jim Butterworth (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Angel Rivera (Jun 17)
- RE: IDS failures and avoiding them (WAS: Rather funny; looks like page defacement to me) Mike Lyman (Jun 17)
- RE: Rather funny; looks like page defacement to me Roger A. Grimes (Jun 17)
- Re: Rather funny; looks like page defacement to me Bill Royds (Jun 17)
- RE: Rather funny; looks like page defacement to me Roger A. Grimes (Jun 17)
- Re: Rather funny; looks like page defacement to me Callan K L Tham (Jun 17)
- Re: Rather funny; looks like page defacement to me Paul Schmehl (Jun 17)
- Re: Rather funny; looks like page defacement to me Bill Royds (Jun 18)
- Re: Rather funny; looks like page defacement to me Callan K L Tham (Jun 18)