Re: Is IDS/IPS worthless?

[Olaf Gellert <og () pre-secure de>]

SecurIT Informatique Inc. wrote:
> At 06:53 PM 21/02/2004, Olaf Gellert wrote:

> > It is even worse: The system does not make people feel
> > better (like a firewall), but it may show you all the
> > dangers coming from the net and the vulnerability of
> > you own network. So a big part of this is simple
> > psychology.
>
>
> Well, shoot me if I'm wrong, but putting the NIDS sensor behind the 
> firewall instead of in front of it (as you seem to imply) should BOTH 
> reduce the numbers of "dangers" that you should normally care about 
> (since the FW already blocks the one we don't have to care about), and 
> fill in the gap left by the false sense of security firewalls give (a 
> firewall makes people fell better, that has to be the worst reason I 
> ever heard to purchase a firewall) by applying intrusion detection 
> techniques to the traffic that the firewall has let pass thru.  Because 
> firewalls let traffic pass thru, or else you wouldn't need a firewall at 
> all since you'd be better off without an Internet connection.  They just 
> block traffic according to some rules in order to give access to some 
> network services, and it is on the traffic related to these services 
> that attention should be put on.
Sorry, you are getting me completely wrong: I am doing my PHD in
IDS technology and I certainly believe in the usefullness of IDS.
I did not want to say: This is the way it should be done. I just
said: This is the way, many people have setup IDS and are disappointed
and suprised by the amount of generated alerts. The bargain of an
IDS is much more difficult to see for people not deeply involved
in security.

> So in this regards, I think it is pretty doubtful to claim that with 
> IDS, you have nothing and you just have a bigger workload.  I think you 
> unvoluntarily demonstrated one of the biggest issues with IDS, a lack of 
> understanding of how the technology is to be applied, and how it is all 
> inter-related and maintained.
Well, would be great if you would have read my further paragraphs:
|This is my view of IDS in the near future: IDS has
|to be improved step by step. Eg. reduce the number of
|false positives, generate more specific alerts according
|not only to attacks used but also to the configuration
|of the attacked system (who cares about an MS cmd32.exe
|access on a linux apache webserver?). More dynamic
|evaluation of monitored (but new and unknown) things
|will be incorporated (honeycomb is one of the projects
|in this direction). And in a few years IDS will be a
|common network security technique.

Until now we are not at all there: If you ask me, an IDS will
be much more usefull, if it has knowledge about the whole
network configuration. Most IDS I know will raise an alert
on any attack that could work on an IIS-webserver. It would
be very helpful if they knew that there is an apache running
so the attack cannot be successful. The knowledge about
unseccessful attacks is something for statistics, but nothing
I would like to be wakened up for at three o'clock in the morning.
So future IDS will know "there is an apache 1.3.27, build 81,
running there on a SuSE Linux 8.2 on an Intel machine". So
they are able to decide: "This attack will not be successful".

And one step further: Future generations of IDS have to be
"policy-driven", so they should know about what is considered
valid usage of the network and probably they are able to proactively
scan for holes in the actual network security configuration.
I believe that IDS technology will be common and working in
a few years, but I also believe that there is still much to
be done to improve this technology.

> If I were to prove my point of view with a metaphor, I'd say that your 
> claim is like saying :"I've just purchased a new car, but I don't have a 
> driver's license and never read the car's manual, but it's no big deal, 
> I can drive it all right.  I've noticed I have a button to switch 
> headlights on, but I don't need it to drive at night and I think it's 
> just a waste of battery power, I can see all right at night from the 
> lightposts and the lights from the other cars."
Well, would you really say that people have this kind of view
on software? I have seen many people murning about their hard- and
software without even trying to understand the complexity of their
systems. And there is no drving license required for computer users.

> I'm not downplaying the role of firewalls here, but thinking they are 
> sufficient by themselves still in 2004 is just asking for a reality check.
Well, do you believe your IDS is ready to actually improve your
security directly? I do not trust any IDS enough to enable
reactive mechanisms (like sending RST-packets to close probably
dangerous connections). The actual profit of IDS is more on the
side of information-gathering (and this requires manual evaluation
of the data) to help in decisions concerning the security. A direct
benefit (like: switch it on and it improves your security) is
not reached until now. It is just: Switch it on and analyse the
data, gather knowledge about your security breaches and then
decide how to improve your security.

Cheers, Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Consultant,                              Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og () pre-secure de


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------