Re: Is IDS/IPS worthless?

["SecurIT Informatique Inc." <securit () iquebec com>]

At 05:48 PM 23/02/2004, Olaf Gellert wrote:

> SecurIT Informatique Inc. wrote:
> > At 06:53 PM 21/02/2004, Olaf Gellert wrote:
>
> > > It is even worse: The system does not make people feel
> > > better (like a firewall), but it may show you all the
> > > dangers coming from the net and the vulnerability of
> > > you own network. So a big part of this is simple
> > > psychology.
> >
> > Well, shoot me if I'm wrong, but putting the NIDS sensor behind the 
> > firewall instead of in front of it (as you seem to imply) should BOTH 
> > reduce the numbers of "dangers" that you should normally care about 
> > (since the FW already blocks the one we don't have to care about), and 
> > fill in the gap left by the false sense of security firewalls give (a 
> > firewall makes people fell better, that has to be the worst reason I ever 
> > heard to purchase a firewall) by applying intrusion detection techniques 
> > to the traffic that the firewall has let pass thru.  Because firewalls 
> > let traffic pass thru, or else you wouldn't need a firewall at all since 
> > you'd be better off without an Internet connection.  They just block 
> > traffic according to some rules in order to give access to some network 
> > services, and it is on the traffic related to these services that 
> > attention should be put on.
> Sorry, you are getting me completely wrong: I am doing my PHD in
> IDS technology and I certainly believe in the usefullness of IDS.
> I did not want to say: This is the way it should be done. I just
> said: This is the way, many people have setup IDS and are disappointed
> and suprised by the amount of generated alerts. The bargain of an
> IDS is much more difficult to see for people not deeply involved
> in security.

I'm sorry I misunderstood your position from what you were writing, but I'd 
say that my comments would still apply to anyone thinking along the lines 
of what you were describing.

> > So in this regards, I think it is pretty doubtful to claim that with IDS, 
> > you have nothing and you just have a bigger workload.  I think you 
> > unvoluntarily demonstrated one of the biggest issues with IDS, a lack of 
> > understanding of how the technology is to be applied, and how it is all 
> > inter-related and maintained.
> Well, would be great if you would have read my further paragraphs:
> |This is my view of IDS in the near future: IDS has
> |to be improved step by step. Eg. reduce the number of
> |false positives, generate more specific alerts according
> |not only to attacks used but also to the configuration
> |of the attacked system (who cares about an MS cmd32.exe
> |access on a linux apache webserver?). More dynamic
> |evaluation of monitored (but new and unknown) things
> |will be incorporated (honeycomb is one of the projects
> |in this direction). And in a few years IDS will be a
> |common network security technique.

I have read your other paragraphs, I just didn't want to take down your 
post point by point.  I agree with you that IDS will evolve and improve 
over time, if you have catched first posting on this thread, you would have 
seen that I defend the same point of view, and that I am very involved in 
making these evolutions happen.  First of all, you seem to make the same 
mistake as many other people, that is confusing IDS and NIDS together.  One 
is only a subset of the other, and the future improvements you suggest only 
seem to apply to NIDS only, which is I think a limitating view of what 
intrusion detection should be.  I agree with you that the danger factor of 
a Windows-based attack on a *NIX machine is very low, but there are ways 
with the currently available technology to filter out these alerts and 
concentrate only on what can hurt us.  This is not science fiction.

> Until now we are not at all there: If you ask me, an IDS will
> be much more usefull, if it has knowledge about the whole
> network configuration. Most IDS I know will raise an alert
> on any attack that could work on an IIS-webserver. It would
> be very helpful if they knew that there is an apache running
> so the attack cannot be successful. The knowledge about
> unseccessful attacks is something for statistics, but nothing
> I would like to be wakened up for at three o'clock in the morning.
> So future IDS will know "there is an apache 1.3.27, build 81,
> running there on a SuSE Linux 8.2 on an Intel machine". So
> they are able to decide: "This attack will not be successful".

Here again, for sake of simplicity I'd say that you're talking about 
NIDS.  NIDS on one side are going to evolve, but I see very little 
advancemements that could be made with signature-based approach that will 
soon be attained.  "Gaining knowledge of the network" automatically sure 
would be a great thing, but this is not excuse for today's situation, since 
the same results can be achieved with some time dedicated at configuring 
the softwares correctly.  For IDS technology to really evolve, it will have 
to be much more than just evolving NIDS technologies, but other aspects of 
intrusion detection as well.  For example, I've built the tools I made 
around the idea that there are various vectors from which an intrusion 
occurs, and monitors should be applied at each of these vectors.  This is 
not "intrusion detection from the network point of view", it is "intrusion 
detection for the intruder's point of view", which is what it should be 
since the start.  The network is definitely one of these point of views, 
and in this sense NIDS make very much sense in a complete architecture, but 
just like firewalls, I don't think one should limit himself to only NIDS 
when looking at IDS.  Since you're doing your PhD in the IDS field, I'd 
like to take this opportunity to invite you to visit my website 
http://securit.iquebec.com/ and take a look at the tools presented there, I 
think you'll find that there are now new things to consider when talking IDS.

> And one step further: Future generations of IDS have to be
> "policy-driven", so they should know about what is considered
> valid usage of the network and probably they are able to proactively
> scan for holes in the actual network security configuration.
> I believe that IDS technology will be common and working in
> a few years, but I also believe that there is still much to
> be done to improve this technology.

There are already vulnerability scanners out there, so it's hard to say 
that this does not exist today, but I agree with you that combining 
vulnerability assesment strategies with intrusion detection should greatly 
help at tightening down a network security.

> > If I were to prove my point of view with a metaphor, I'd say that your 
> > claim is like saying :"I've just purchased a new car, but I don't have a 
> > driver's license and never read the car's manual, but it's no big deal, I 
> > can drive it all right.  I've noticed I have a button to switch 
> > headlights on, but I don't need it to drive at night and I think it's 
> > just a waste of battery power, I can see all right at night from the 
> > lightposts and the lights from the other cars."
> Well, would you really say that people have this kind of view
> on software? I have seen many people murning about their hard- and
> software without even trying to understand the complexity of their
> systems. And there is no drving license required for computer users.

Yes, I know that most people installs and use software without reading any 
book, I often do that myself with computer games, discovering is part of 
the fun.  But when it comes to security software, due to the nature of what 
you are trying to do, I think that proper preparation should be applied if 
we want our efforts to be successful.  What I meant with my metaphor is 
that, you may know how to operate a network sufficiently so that work gets 
done (you can drive it), but you don't know enough to be fully aware of the 
security issues associated to having a network connected to the Internet 
(you don't know what's that "headlights" button is all about, and you 
didn't need it so far, so you just don't mind about it, anyway you have 
already too much to care about as it is).  The network runs fine, and you 
see the firewall block all sorts of weird traffic, and all seems fine, so 
you assume that all is well (he can see even if the headlights are off, so 
why bother).  But if he puts the headlights on (installs an IDS console), 
he will then be able to see traffic from a much greater distance, he could 
see pedestrians, see holes in the road that could damage the car, he could 
go to darkened places without relying on other cars to see, etc.  With some 
much more info, our new driver finds himself to be able to drive in much 
more secure conditions, since he is more aware of the dangers his car are 
really exposed to when he is driving.  If he would have taken time to 
document himself, our fictious driver would have known what that knob was 
about from the start, and would have been to practice safe driving much 
earlier without endangering himself or others.

> > I'm not downplaying the role of firewalls here, but thinking they are 
> > sufficient by themselves still in 2004 is just asking for a reality check.
> Well, do you believe your IDS is ready to actually improve your
> security directly? I do not trust any IDS enough to enable
> reactive mechanisms (like sending RST-packets to close probably
> dangerous connections). The actual profit of IDS is more on the
> side of information-gathering (and this requires manual evaluation
> of the data) to help in decisions concerning the security. A direct
> benefit (like: switch it on and it improves your security) is
> not reached until now. It is just: Switch it on and analyse the
> data, gather knowledge about your security breaches and then
> decide how to improve your security.

That question is all what IPS are all about.  Don't ask me to take sides 
with IPS.  But I do believe that IDS technologies (and not just NIDS) will 
one day evolve to a point where automatic action will be possible for most 
attacks.  There is always a window of opportunity to consider where things 
might fail, so reporting is also a strong concern for human interaction, 
but I don't see why some of the counter-reaction mechanisms couldn't be 
underdone by the IDS itself.  As for the "switch it on and it improves your 
security" thing, I'd say don't hold your breath on it, this sounds pretty 
much like the infamous silver bullet, and it's just gonna never 
happen.  There are just too many things to consider when thinking intrusion 
vectors for a single product to cover everything.

No hard feelings ;-)

Adam Richard

> Cheers, Olaf
>
> --
> Dipl.Inform. Olaf Gellert                  PRESECURE (R)
> Consultant,                              Consulting GmbH
> Phone: (+49) 0700 / PRESECURE           og () pre-secure de
>
> _____________________________________________________________________
> Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
> réel avec MSN Messenger! C'est gratuit!   http://ifrance.com/_reloc/m

---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------