IDS mailing list archives
Re: Is IDS/IPS worthless?
From: Olaf Gellert <og () pre-secure de>
Date: Mon, 23 Feb 2004 23:48:26 +0100
SecurIT Informatique Inc. wrote:
At 06:53 PM 21/02/2004, Olaf Gellert wrote:
It is even worse: The system does not make people feel better (like a firewall), but it may show you all the dangers coming from the net and the vulnerability of you own network. So a big part of this is simple psychology.Well, shoot me if I'm wrong, but putting the NIDS sensor behind the firewall instead of in front of it (as you seem to imply) should BOTH reduce the numbers of "dangers" that you should normally care about (since the FW already blocks the one we don't have to care about), and fill in the gap left by the false sense of security firewalls give (a firewall makes people fell better, that has to be the worst reason I ever heard to purchase a firewall) by applying intrusion detection techniques to the traffic that the firewall has let pass thru. Because firewalls let traffic pass thru, or else you wouldn't need a firewall at all since you'd be better off without an Internet connection. They just block traffic according to some rules in order to give access to some network services, and it is on the traffic related to these services that attention should be put on.
Sorry, you are getting me completely wrong: I am doing my PHD in IDS technology and I certainly believe in the usefullness of IDS. I did not want to say: This is the way it should be done. I just said: This is the way, many people have setup IDS and are disappointed and suprised by the amount of generated alerts. The bargain of an IDS is much more difficult to see for people not deeply involved in security.
So in this regards, I think it is pretty doubtful to claim that with IDS, you have nothing and you just have a bigger workload. I think you unvoluntarily demonstrated one of the biggest issues with IDS, a lack of understanding of how the technology is to be applied, and how it is all inter-related and maintained.
Well, would be great if you would have read my further paragraphs: |This is my view of IDS in the near future: IDS has |to be improved step by step. Eg. reduce the number of |false positives, generate more specific alerts according |not only to attacks used but also to the configuration |of the attacked system (who cares about an MS cmd32.exe |access on a linux apache webserver?). More dynamic |evaluation of monitored (but new and unknown) things |will be incorporated (honeycomb is one of the projects |in this direction). And in a few years IDS will be a |common network security technique. Until now we are not at all there: If you ask me, an IDS will be much more usefull, if it has knowledge about the whole network configuration. Most IDS I know will raise an alert on any attack that could work on an IIS-webserver. It would be very helpful if they knew that there is an apache running so the attack cannot be successful. The knowledge about unseccessful attacks is something for statistics, but nothing I would like to be wakened up for at three o'clock in the morning. So future IDS will know "there is an apache 1.3.27, build 81, running there on a SuSE Linux 8.2 on an Intel machine". So they are able to decide: "This attack will not be successful". And one step further: Future generations of IDS have to be "policy-driven", so they should know about what is considered valid usage of the network and probably they are able to proactively scan for holes in the actual network security configuration. I believe that IDS technology will be common and working in a few years, but I also believe that there is still much to be done to improve this technology.
If I were to prove my point of view with a metaphor, I'd say that your claim is like saying :"I've just purchased a new car, but I don't have a driver's license and never read the car's manual, but it's no big deal, I can drive it all right. I've noticed I have a button to switch headlights on, but I don't need it to drive at night and I think it's just a waste of battery power, I can see all right at night from the lightposts and the lights from the other cars."
Well, would you really say that people have this kind of view on software? I have seen many people murning about their hard- and software without even trying to understand the complexity of their systems. And there is no drving license required for computer users.
I'm not downplaying the role of firewalls here, but thinking they are sufficient by themselves still in 2004 is just asking for a reality check.
Well, do you believe your IDS is ready to actually improve your security directly? I do not trust any IDS enough to enable reactive mechanisms (like sending RST-packets to close probably dangerous connections). The actual profit of IDS is more on the side of information-gathering (and this requires manual evaluation of the data) to help in decisions concerning the security. A direct benefit (like: switch it on and it improves your security) is not reached until now. It is just: Switch it on and analyse the data, gather knowledge about your security breaches and then decide how to improve your security. Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Consultant, Consulting GmbH Phone: (+49) 0700 / PRESECURE og () pre-secure de --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus ProtectionProtect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219 ---------------------------------------------------------------------------
Current thread:
- Re: Is IDS/IPS worthless?, (continued)
- Re: Is IDS/IPS worthless? Konrad Rieck (Feb 23)
- RE: Is IDS/IPS worthless? Brian Taylor (Feb 23)
- RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
- RE: Is IDS/IPS worthless? Duston Sickler (Feb 24)
- RE: Is IDS/IPS worthless? Fergus Brooks (Feb 23)
- RE: Is IDS/IPS worthless? Omar Herrera (Feb 23)
- Re: Is IDS/IPS worthless? Michael Stone (Feb 23)
- Re: Is IDS/IPS worthless? Andy Cuff (Feb 23)
- Re: Is IDS/IPS worthless? Mike Hoskins (Feb 23)
- Re: Is IDS/IPS worthless? Olaf Gellert (Feb 23)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Olaf Gellert (Feb 23)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Xiaoyong Wu (Feb 24)
- Re: Is IDS/IPS worthless? Michael Stone (Feb 25)
- Re: Is IDS/IPS worthless? SecurIT Informatique Inc. (Feb 23)
- Re: Is IDS/IPS worthless? Mike Hoskins (Feb 23)
- RE: Is IDS/IPS worthless? Martin (Feb 23)