IDS mailing list archives
Random IDS Thoughts [WAS: Re: IDS thoughts]
From: Greg Shipley <gshipley () neohapsis com>
Date: Thu, 29 May 2003 17:54:23 -0500 (CDT)
Interesting thread. I started to quote bits and pieces, and then decided to say "screw it" and just make this a much cleaner post. (Albeit, I suspect it's going to be a much *longer* post, but...) So here goes... A few observations, for whatever it's worth:

----------

1. Commoditization of the IDS space, in general:

I was in the airport coming back from Networld Interop (Vegas) and one of my fellow attendees turned to me and said "Ya know, all these IDS vendors sound the same to me. I can't tell the difference anymore." I thought this was an interesting comment, and while I certainly don't agree that all IDS vendors ARE the same (far from it, in fact), I doubt I would have heard that comment even 12 months ago. This is a sign, IMHO. I think there *is* some amount of "convergence" in the space, and I'll suggest that there is a lot more commonality between products these days than there has been in the past. For example, recall the "packet grepping" vs. "protocol inspection" debate of a year ago; almost all NIDS products support both models now.

But here's a thought for some to chew on: IMHO, there are different components to an IDS "solution" and I think the focus is starting to shift. I think we, as an industry (myself included), have been very sensor-centric in our views of NIDS... and I suspect that this is starting to change. When I talk to operators of enterprise NIDS deployments they're chewing my ear off about data management, and more specifically, data overload. The sensor has to do its job, yes, but the big hurdle many are facing is just digesting the amount of info coming at them. False positives or not, let's face it folks, if you have dozens of devices, are monitoring busy networks, and aggregating your events (firewall, NIDS, etc.), there's a good chance you're going to be choking on a serious amount of data. So I think DATA MANAGEMENT is going to become (if it isn't already) a much bigger issue.

And I'm not just talking log aggregation - I'm talking user interface, correlation, useful tools, etc. Will keeping up with new vulnerabilities, creating better engines, improving detection accuracy, supporting higher speeds, etc., still be challenging? Absolutely. But the sensor-based tech is just ONE component, and I think features like device management, data management, front-end interfaces (and tools to reduce analyst man-hours) are rapidly growing in importance, and are going to be some of the bigger hurdles moving forward. All this to say that perhaps the NIDS *sensor* technology is moving towards commoditization, but I think the overall solution has a far way to go...

-------------

2. Something that came to mind with this statement:

"Sure, all of them might SAY they detect a PSD, but that doesn't mean they will do it correctly or consistently."

So very, very, VERY true. Signature/detection quality is STILL a big issue, and I can attest from first-hand experience that not all signatures (or engines) are created equal. In putting a few products (now) through OSEC (see http://osec.neohapsis.com), we indirectly found signature/engine combos that simply did not "fire" right on some attacks. We'd see things like a sig firing with one traffic set, and not with another (using the same attack). OSEC (at least, v1 anyway) wasn't designed to test signature coverage (huge topic for another thread), but the few attacks we chose seemed to flesh out some bigger issues. I mean, consider this: we were using less than a dozen attacks for base-lining purposes. If we found problems in that bunch - a ridiculously small sample size - I've got to imagine there are some bigger problems in the space with consistently solid signatures. Just a thought...

-------------

3. Firewalls, Layer 7, implicit denies/drops, etc.:

This is just an opinion, but I believe that Layer-7 "smarts" are going to return to the perimeter device game... big-time. Yes, Checkpoint all but killed the proxy market, but in watching the maturity of BlackIce (now RealSecure), the in-line normalization features of OneSecure (now Netscreen), the evolution of BSD fw code, THE BOATLOAD OF "WEB APPLICATION FIREWALLS" FLOODING THE MARKET RIGHT NOW, and some other signs, I think the existence of Layer-7 "smarts" in NIDS and modern firewalls is only going to grow in importance. Layer-7 smarts meaning the ability to understand, and react to, protocols; being able to detect that what is going over port 22 is not SSH, being able to catch tunneled sessions in HTTP layers, being able to do more than just inspect address and port combinations. Layer-7 intelligence is one of the only ways to address some of today's challenges, and the difference between now and, say, 7-10 years ago is that I believe people in decision-making positions are actually starting to GET THIS now. But we might circle back and prove Greg wrong in 12 months, too, so I'll be around to eat crow if I'm wrong. (the joys of web archives!)

-------------

4. re: Fragrouter - "Fragrouter has done about everything that can be sanely done to a packet through Layer 4."

Well, you might be right about the "sane" part, but I'd encourage people to check out isic. I see Mr. Frantzen is on this list now (hello!), and his "isic" tool is something people may want to consider trying. Don't get me wrong, fragrouter is great, but play around with isic a bit and you're guaranteed to have your mind expanded. Or at least, it got me thinking some more... (and broke a few NIDS products in the process, too! :)

-------------

5. "Anomaly" stuff (my last point, I swear!):

I seem to get into trouble every time I bring up the word "anomaly," so I'll try to keep this one brief. I've been playing around with Lancope's StealthWatch in the lab, and it started me thinking about a few things.

For those that aren't familiar with SW, it essentially profiles network traffic flows (who is talking to whom and on what port), and will alarm on deviations based on a) host traffic profiles, and b) a built-in weighting system. It's an interesting model, IMHO. Most of the traditional NIDS players don't have the ability to do what SW does, and SW can't detect anything that would traditionally be identified by a typical NIDS signature. For example, if your SMTP server gets wacked from the outside using an SMTP-based vuln, and the attacker doesn't do anything crazy with the server (like start "talking" to other systems it wouldn't normally talk to), SW won't "detect" it. BUT, if an attacker comes in using a hijacked account (read: no exploitation of a known vuln, which traditional signature-based NIDS will miss), wacks a system in the DMZ, and starts accessing other systems, a traditional NIDS won't catch THAT but SW *will*. In short, StealthWatch (and others like it) and most traditional NIDS solutions detect different things.

Now, I've heard (but haven't seen) that Arbor, Mazu, and a few others are doing similar things, so this is just one example, but this got me thinking: For smaller orgs that don't have the resources to monitor a gazillion alerts, which model would best suit them? Something signature-based that will inevitably false through the roof, or something that won't detect the majority of mainstream attacks but will alert on truly suspicious host behavior? (And "both" is not an answer!) :) (This is more along the lines of that "low cost IDS" thread)

In short, there are some innovations out there that I'm excited to see evolve, and I think there is a lot of room for improvement. At the same time, I'm appalled at how much attention IDS gets, and how little attention vulnerability assessment gets, but that's a topic for a later time...
-------------

Hope some of this is useful,

-Greg
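The "Layer-7 smarts" Greg describes in point 3 (telling that what is going over port 22 is not SSH) come down to looking at the opening bytes of a session rather than trusting the port number. The following is an added example, not code from the post or from any of the products it names: a minimal port-vs-protocol consistency check over constructed sample sessions. The fingerprint patterns, the port-to-protocol table and the sample payloads are all assumptions chosen for illustration.

```python
# Added example (not from the post, not vendor code): flag sessions whose
# first payload bytes do not look like the protocol the destination port is
# reserved for.  Fingerprints, port table and samples are assumptions.
import re

# Fingerprints of the first bytes sent by whichever side speaks first
# (SSH and HTTP: the client; SMTP: the server greeting).  First match wins.
FINGERPRINTS = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),                           # SSH version string
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^220[ -].*\r\n")),                         # SMTP 220 greeting
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),                   # TLS handshake record, v3.x
]

# Assumed expectation for the monitored segment: which protocol belongs on which port.
EXPECTED_ON_PORT = {22: "ssh", 80: "http", 25: "smtp", 443: "tls"}

def classify_payload(first_bytes: bytes) -> str:
    """Label a session by its opening bytes, or 'unknown' if nothing matches."""
    for name, pattern in FINGERPRINTS:
        if pattern.match(first_bytes):
            return name
    return "unknown"

def check_port(dport: int, first_bytes: bytes):
    """Return (expected, observed, mismatch).

    mismatch is True when the port has an expected protocol and the observed
    label differs from it (including 'unknown': on port 22 anything that does
    not open with an SSH version string is, by definition, not SSH).  Ports
    with no expectation are classified but never flagged."""
    expected = EXPECTED_ON_PORT.get(dport)
    observed = classify_payload(first_bytes)
    mismatch = expected is not None and observed != expected
    return expected, observed, mismatch

# Constructed sample sessions (not captured traffic): (dport, first bytes).
SAMPLES = [
    (22,   b"SSH-2.0-OpenSSH_3.6p1\r\n"),                                # SSH where SSH belongs
    (22,   b"GET /tunnel HTTP/1.1\r\nHost: example.internal\r\n\r\n"),   # HTTP on the SSH port
    (80,   b"SSH-2.0-PuTTY_Release_0.53\r\n"),                           # SSH on the HTTP port
    (443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),                     # TLS ClientHello
    (8080, b"\x00\x01\x02\x03"),                                         # no expectation for 8080
]

def report(samples=SAMPLES):
    """Return [(dport, expected, observed)] for every mismatching session."""
    flagged = []
    for dport, payload in samples:
        expected, observed, mismatch = check_port(dport, payload)
        if mismatch:
            flagged.append((dport, expected, observed))
    return flagged

if __name__ == "__main__":
    for dport, expected, observed in report():
        print(f"port {dport}: expected {expected}, saw {observed}")
```

The check only sees the first few bytes, so it is the cheap first stage of what a real protocol-aware sensor does; a full parser would keep following the conversation (which is how tunneled sessions inside otherwise valid HTTP get caught), but even this much is enough to catch the two port/protocol swaps in the sample set.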
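Point 5 describes the flow-profiling model (who talks to whom on what port, with alarms on weighted deviations) and contrasts two scenarios: a compromised SMTP server that keeps behaving normally, and a hijacked account that starts reaching into other systems. The following is an added example of that model, not StealthWatch code and not anything from the post: it builds per-host profiles from constructed baseline flows and scores new flows by how unusual the peer and port are. The flow record format, the port weights and the alert threshold are assumptions.

```python
# Added example (not StealthWatch, not from the post): a toy host-flow
# profiler.  Flow format, weights and threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str     # initiating host
    dst: str     # peer it connected to
    dport: int   # destination port

# Constructed baseline (sample data, not captured traffic): a DMZ SMTP
# server (10.1.1.5) and web server (10.1.1.7) and what they normally do.
BASELINE = [
    Flow("10.1.1.5", "10.1.2.10", 25),    # relay to the internal mail server
    Flow("10.1.1.5", "10.1.2.53", 53),    # DNS
    Flow("10.1.1.5", "10.1.2.10", 25),
    Flow("10.1.1.7", "10.1.2.53", 53),    # DNS
    Flow("10.1.1.7", "10.1.3.20", 3306),  # web server -> database
]

# Assumed weighting: a host starting to use a port it never used before is
# more alarming for admin/file-sharing ports than for DNS, SMTP or HTTP.
PORT_WEIGHTS = {22: 5, 23: 5, 445: 5, 3389: 5, 135: 4, 139: 4, 1433: 4, 3306: 3,
                25: 1, 53: 1, 80: 1, 443: 1}
DEFAULT_PORT_WEIGHT = 2   # any port not listed above
NEW_PEER_WEIGHT = 2       # talking to a host it has never talked to before
ALERT_THRESHOLD = 4

def build_profile(flows):
    """Per-source-host profile: the peers, ports and (peer, port) pairs seen."""
    profile = defaultdict(lambda: {"peers": set(), "ports": set(), "pairs": set()})
    for f in flows:
        p = profile[f.src]
        p["peers"].add(f.dst)
        p["ports"].add(f.dport)
        p["pairs"].add((f.dst, f.dport))
    return dict(profile)

def score_flow(profile, flow):
    """0 for a (peer, port) pair already in the host's profile; otherwise the
    new-peer weight plus the new-port weight, whichever of the two apply."""
    p = profile.get(flow.src)
    if p is None:
        # No profile at all for this host: both the peer and the port are new.
        return NEW_PEER_WEIGHT + PORT_WEIGHTS.get(flow.dport, DEFAULT_PORT_WEIGHT)
    if (flow.dst, flow.dport) in p["pairs"]:
        return 0
    score = 0
    if flow.dst not in p["peers"]:
        score += NEW_PEER_WEIGHT
    if flow.dport not in p["ports"]:
        score += PORT_WEIGHTS.get(flow.dport, DEFAULT_PORT_WEIGHT)
    return score

def find_anomalies(profile, flows, threshold=ALERT_THRESHOLD):
    """Return [(flow, score)] for flows scoring at or above the threshold."""
    hits = []
    for f in flows:
        s = score_flow(profile, f)
        if s >= threshold:
            hits.append((f, s))
    return hits

# Constructed observation window covering the post's two scenarios.
OBSERVED = [
    # (a) SMTP server exploited but behaving exactly as before: score 0.
    Flow("10.1.1.5", "10.1.2.10", 25),
    # (b) a hijacked account on the SMTP server starts reaching inward.
    Flow("10.1.1.5", "10.1.3.20", 3306),   # new peer (2) + new port (3) = 5, alert
    Flow("10.1.1.5", "10.1.2.53", 22),     # known peer, new port 22 (5) = 5, alert
    Flow("10.1.1.5", "10.1.2.11", 25),     # new peer (2) on its usual port = 2, no alert
    Flow("10.1.1.7", "10.1.3.20", 3306),   # profiled pair = 0
]

if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for flow, score in find_anomalies(prof, OBSERVED):
        print(f"ALERT score={score}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Scenario (a) scores zero because nothing about the server's conversations changed, which is exactly the blind spot the post points out; scenario (b) trips two alerts without any signature for the initial break-in. The weights are what make the model usable on a small team: a new peer on a port the host already uses stays below the threshold, so ordinary churn (a new mail relay, a new DNS resolver) does not page anyone, while a DMZ host sprouting an SSH or database connection does.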