IDS mailing list archives

Random IDS Thoughts [WAS: Re: IDS thoughts]


From: Greg Shipley <gshipley () neohapsis com>
Date: Thu, 29 May 2003 17:54:23 -0500 (CDT)


Interesting thread.  I started to quote bits and pieces, and then decided
to say "screw it" and just make this a much cleaner post.  (Albeit, I
suspect it's going to be a much *longer* post, but...)  So here goes...

A few observations, for whatever it's worth:

----------

1. Commoditization of the IDS space, in general: I was in the airport
coming back from Networld Interop (Vegas) and one of my fellow attendees
turned to me and said "Ya know, all these IDS vendors sound the same to
me.  I can't tell the difference anymore."  I thought this was an
interesting comment, and while I certainly don't agree that all IDS
vendors ARE the same (far from it, in fact), I doubt I would have heard
that comment even 12 months ago.  This is a sign, IMHO.

I think there *is* some amount of "convergence" in the space, and I'll
suggest that there is a lot more commonality between products these days
than there has been in the past.  For example, recall the "packet
grepping" vs. "protocol inspection" debate of a year ago; almost all NIDS
products support both models now.

But here's a thought for some to chew on: IMHO, there are different
components to an IDS "solution" and I think the focus is starting to
shift.  I think we, as an industry (myself included), have been very
sensor-centric in our views of NIDS...and I suspect that this is starting
to change.  When I talk to operators of enterprise NIDS deployments
they're chewing my ear off about data management, and more specifically,
data overload.  The sensor has to do its job, yes, but the big hurdle many
are facing is just digesting the amount of info coming at them.
False-positives or not, let's face it folks, if you have dozens of
devices, are monitoring busy networks, and aggregating your events
(firewall, NIDS, etc.), there's a good chance you're going to be choking
on a serious amount of data.  So I think DATA MANAGEMENT is going to
become (if it isn't already), a much bigger issue.  And I'm not just
talking log aggregation - I'm talking user interface, correlation, useful
tools, etc.

Will keeping up with new vulnerabilities, creating better engines,
improving detection accuracy, supporting higher speeds, etc., still be
challenging?  Absolutely.  But the sensor-based tech is just ONE
component, and I think features like device management, data management,
front-end interfaces (and tools to reduce analyst man-hours) are rapidly
growing in importance, and are going to be some of the bigger hurdles
moving forward.

All this to say that perhaps the NIDS *sensor* technology is moving
towards commoditization, but I think the overall solution has a far way to
go...

-------------

2. Something that came to mind with this statement: "Sure, all of them
might SAY they detect a PSD, but that doesn't mean they will do it
correctly or consistently."  So very, very, VERY true.
Signature/detection quality is STILL a big issue, and I can attest from
first-hand experience that not all signatures (or engines) are created
equal.  In putting a few products (now) through OSEC (see
http://osec.neohapsis.com), we indirectly found signature/engine combos
that simply did not "fire" right on some attacks.  We'd see things like a
sig firing with one traffic set, and not with another (using the same
attack).

OSEC (at least, v1 anyway) wasn't designed to test signature coverage
(huge topic for another thread), but the few attacks we chose seemed to
flesh out some bigger issues.  I mean, consider this: we were using less
than a dozen attacks for base-lining purposes.  If we found problems in
that bunch - a ridiculously small sample size - I've got to imagine there
are some bigger problems in the space with consistently solid signatures.
Just a thought...

-------------

3. Firewalls, Layer7, implicit denies/drops, etc.: This is just an
opinion, but I believe that Layer7 "smarts" are going to return to the
perimeter device game...big-time.  Yes, Checkpoint all but killed the
proxy market, but in watching the maturity of BlackIce (now RealSecure),
the in-line normalization features of OneSecure (now Netscreen), the
evolution of BSD fw code, THE BOATLOAD OF "WEB APPLICATION FIREWALLS"
FLOODING THE MARKET RIGHT NOW, and some other signs, I think the existence
of Layer-7 "smarts" in NIDS and modern firewalls is only going to grow in
importance.  Layer-7 smarts meaning the ability to understand, and react,
to protocols; being able to detect that what is going over port 22 is not
SSH, being able to catch tunneled sessions in HTTP layers, being able to
do more than just inspect address and port combinations.

Layer-7 intelligence is one of the only ways to address some of today's
challenges, and the difference between now and say, 7-10 years ago, is
that I believe people in decision-making positions are actually starting
to GET THIS now.  But we might circle back and prove Greg wrong in 12
months, too, so I'll be around to eat crow if I'm wrong.  (the joys of
web archives!)

-------------

4. re: Fragrouter - "Fragrouter has done about everything that can be
sanely done to a packet through Layer 4."  Well, you might be right about
the "sane" part, but I'd encourage people to check out isic.  I see Mr.
Frantzen is on this list now (hello!), and his "isic" tool is something
people may want to consider trying.  Don't get me wrong, fragrouter is
great, but play around with isic a bit and you're guaranteed to have your
mind expanded.  Or at least, it got me thinking some more... (and broke a
few NIDS products in the process, too! :)

-------------

5. "Anomaly" stuff (my last point, I swear!): I seem to get into trouble
every time I bring up the word "anomaly," so I'll try to keep this one
brief.  I've been playing around with Lancope's StealthWatch in the lab,
and it started me thinking about a few things.  For those that aren't
familiar with SW, it essentially profiles network traffic flows (who is
talking to who and on what port), and will alarm on deviations based on a)
host traffic profiles, and b) a built-in weighting system.  It's an
interesting model, IMHO.

Most of the traditional NIDS players don't have the ability to do what SW
does, and SW can't detect anything that would traditionally be identified
by a typical NIDS signature.  For example, if your SMTP server gets whacked
from the outside using an SMTP-based vuln, and the attacker doesn't do
anything crazy with the server (like start "talking" to other systems it
wouldn't normally talk to), SW won't "detect" it.  BUT, if an attacker
comes in using a hijacked account (read: no exploitation of a known vuln,
which traditional signature-based NIDS will miss), whacks a system in the
DMZ, and starts accessing other systems, a traditional NIDS won't catch
THAT but SW *will*.

In short, StealthWatch (and others like it) and most traditional NIDS
solutions detect different things.  Now, I've heard (but haven't seen)
that Arbor, Mazu, and a few others are doing similar things, so this is
just one example, but this got me thinking:  For smaller orgs that don't
have the resources to monitor a gazillion alerts, which model would best
suit them?  Something signature based that will inevitably false through
the roof, or something that won't detect the majority of mainstream
attacks but will alert on truly suspicious host behavior?  (And "both" is
not an answer!)  :)

(This is more along the lines of that "low cost IDS" thread)

In short, there are some innovations out there that I'm excited to see
evolve, and I think there is a lot of room for improvement.  At the same
time, I'm appalled at how much attention IDS gets, and how little
attention vulnerability assessment gets, but that's a topic for a later
time...

-------------

Hope some of this is useful,

-Greg
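The port-versus-protocol check Greg describes in point 3 ("what is going over port 22 is not SSH", tunnels inside HTTP), written out as an added example. This is not code from the original post or from any vendor's engine. It assumes only two protocols are recognised (the SSH identification string from RFC 4253 section 4.2 and an HTTP/1.x request line), that the port-to-protocol table PORT_EXPECTATION is a hypothetical site policy, and that the sample payloads are constructed rather than captured.

```python
"""Port-independent protocol identification (added example, not from the post).

Looks at the first application bytes of a TCP connection, labels them by
content, and compares that label with what the destination port implies.
"""
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_ID = re.compile(rb"^SSH-(?:1\.99|2\.0|1\.[0-9]+)-[\x21-\x7e]+(?: [^\r\n]*)?\r?\n")

# HTTP/1.x request line: Method SP Request-URI SP HTTP-Version CRLF
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

# What an address/port-only policy would assume. Hypothetical site table.
PORT_EXPECTATION = {22: "ssh", 80: "http", 8080: "http"}


def classify_payload(data: bytes) -> str:
    """Label the first bytes of a stream by content, ignoring the port entirely."""
    if SSH_ID.match(data):
        return "ssh"
    m = HTTP_REQUEST.match(data)
    if m:
        # CONNECT asks the far end to open a raw tunnel, so report it on its own.
        return "http-tunnel" if m.group(1) == b"CONNECT" else "http"
    return "unknown"


def check_flow(dst_port: int, data: bytes) -> dict:
    """Compare what the port implies with what the bytes actually say."""
    expected = PORT_EXPECTATION.get(dst_port)
    seen = classify_payload(data)
    if seen == "http-tunnel":
        verdict = "tunnel"              # tunnelled session inside HTTP
    elif expected is None:
        verdict = "unclassified-port"   # no policy for this port
    elif seen == "unknown":
        verdict = "unknown-protocol"    # bytes match nothing we recognise
    elif seen == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"            # e.g. HTTP on 22, SSH on 80
    return {"port": dst_port, "expected": expected, "seen": seen, "verdict": verdict}


# Constructed sample payloads (first client bytes), not captured traffic.
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),
    (22, b"GET /cgi-bin/status HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
    (80, b"CONNECT 10.0.0.9:22 HTTP/1.1\r\nHost: 10.0.0.9:22\r\n\r\n"),
    (80, b"SSH-1.99-Cisco-1.25\r\n"),
    (22, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01"),   # looks like a TLS ClientHello
]


def run_samples() -> list:
    """Verdict for each constructed flow, in order."""
    return [check_flow(port, data)["verdict"] for port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (port, data), verdict in zip(SAMPLE_FLOWS, run_samples()):
        print(f"dst port {port:>4}: {verdict:<17} {data[:24]!r}")
```

The useful part is the verdict that an address/port filter cannot produce: "mismatch" for HTTP carried on port 22 and for an SSH banner on port 80, "tunnel" for a CONNECT request, and "unknown-protocol" for bytes that match neither. A real engine would look at more than the first line and at both directions of the stream; the two regexes are deliberately the minimum needed to show the idea.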


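The flow-profiling model from point 5 (who talks to whom on what port, alarm on deviation from a host's profile, with a weighting on top), as an added example. This is my own sketch of the idea, not Lancope's code, and the weighting table and thresholds are hypothetical, not StealthWatch's. It assumes flow records reduced to (source, destination, destination port) tuples, all of them constructed here. One rule is added that the post does not mention: a (host, port) that the baseline shows accepting connections from several distinct sources is treated as a public service, so a new external client of it is not an anomaly. That is exactly the case where an SMTP exploit against the relay stays invisible to this model, which is the limitation Greg describes.

```python
"""Host flow-profile anomaly detection (added example, not from the post).

Builds a per-host baseline of (peer, port) pairs from a training window of
flow records, then scores later flows against it. Constructed data throughout.
"""
from collections import defaultdict

PUBLIC_PEER_THRESHOLD = 3   # assumption: >= 3 distinct sources in baseline => public service
ALARM_THRESHOLD = 3         # assumption: score at or above this raises an alarm
# Hypothetical port weights: remote-admin and lateral-movement ports count more.
PORT_WEIGHT = {22: 3, 23: 3, 135: 3, 139: 3, 445: 3, 3389: 3, 1433: 2, 3306: 2}

# Constructed baseline window: (src, dst, dst_port).
BASELINE = [
    ("203.0.113.7",  "10.1.1.25", 25),    # external senders -> DMZ mail relay
    ("198.51.100.9", "10.1.1.25", 25),
    ("192.0.2.44",   "10.1.1.25", 25),
    ("10.1.1.5",     "10.1.1.25", 25),    # DMZ web server -> mail relay
    ("10.1.1.5",     "10.2.0.10", 3306),  # DMZ web server -> internal DB
    ("10.1.1.25",    "10.2.0.12", 53),    # mail relay -> internal DNS
]


def build_profile(flows):
    """Per-host outbound (peer, port) sets plus the set of public services."""
    outbound = defaultdict(set)
    sources_per_service = defaultdict(set)
    for src, dst, port in flows:
        outbound[src].add((dst, port))
        sources_per_service[(dst, port)].add(src)
    public = {svc for svc, srcs in sources_per_service.items()
              if len(srcs) >= PUBLIC_PEER_THRESHOLD}
    return {"outbound": dict(outbound), "public": public}


def score_flow(profile, src, dst, port):
    """Score one flow: 0 for in-profile, otherwise port weight plus novelty."""
    if (dst, port) in profile["public"]:
        # Anyone may talk to a public service; an exploit over it looks normal here.
        return {"score": 0, "alarm": False, "reason": "public service"}
    known = profile["outbound"].get(src, set())
    if (dst, port) in known:
        return {"score": 0, "alarm": False, "reason": "known peer/port"}
    known_peer = any(d == dst for d, _ in known)
    score = PORT_WEIGHT.get(port, 1) + (1 if known_peer else 2)
    reason = "new port to known peer" if known_peer else "new peer"
    return {"score": score, "alarm": score >= ALARM_THRESHOLD, "reason": reason}


# Constructed flows after the baseline window.
NEW_FLOWS = [
    ("203.0.113.200", "10.1.1.25", 25),    # fresh external sender (or an SMTP exploit)
    ("10.1.1.5",      "10.2.0.10", 3306),  # web server doing its usual DB traffic
    ("10.1.1.5",      "10.1.1.25", 110),   # known peer, new port, low-weight port
    ("10.1.1.25",     "10.2.0.10", 3306),  # mail relay reaching the DB: new peer
    ("10.1.1.25",     "10.2.0.12", 22),    # mail relay opening SSH to the DNS box
]


def run_samples():
    """Score every constructed flow against the baseline profile, in order."""
    profile = build_profile(BASELINE)
    return [score_flow(profile, *flow) for flow in NEW_FLOWS]


if __name__ == "__main__":
    for flow, result in zip(NEW_FLOWS, run_samples()):
        flag = "ALARM" if result["alarm"] else "     "
        print(f"{flag} {flow[0]:>14} -> {flow[1]}:{flow[2]:<5} "
              f"score={result['score']} ({result['reason']})")
```

The two alarms are the post's "hijacked account, whacks a DMZ box, starts accessing other systems" case: the mail relay has never spoken to the database, and has never opened SSH to the DNS server. The first flow shows the other half of the argument: a new external client of the public SMTP service scores zero whether it is a legitimate sender or an exploit, because this model never looks at payload.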