IDS mailing list archives
Usefulness of Network Intrusion Detection Systems
From: Thomas <TheTom () UnixIsNot4Dummies ORG>
Date: Tue, 25 May 2004 14:20:57 +0200
Hello everybody,

I write this e-mail to receive more valuable responses about this issue. It is not meant as an offense or as an act of arrogance.

I recently had a discussion about the usefulness of network-based IDSs. In my opinion there is too much valuable effort wasted in developing engines to keep track of network traffic collected via sniffing sensors for intrusion detection. Network-based IDSs should be limited to attacks on the network layer, not the application layer. IP spoofing, ARP cache poisoning and similar attacks can only be detected by NIDSs, but parsing and keeping track of application data sent over the network, as well as the current execution-path state of an application, is too complex and too error-prone (often proven in the past). Maybe people are just doing it for fun or to satisfy the marketing hype... I do not know.

This behaviour is similar to a host-based IDS that tries to monitor SQL transactions by analyzing arguments to syscalls like read() and write(). Looking at a system like this should just force one reaction from an educated person: "What is this stupid thing doing? It operates on a different layer, not on the more abstract application layer." Yes, developing such a system proves the misguided mind of its developer. What does the HIDS know about roles in an SQL environment, what about transaction ACLs, what about table contents?

One argument I got was: "Having *one* NIDS at the right place helps to stop intrusions over the network. The admin doesn't need to update all machines constantly. If an attack is detected the IP will be blocked." Besides the fact that IP addresses can be spoofed and that the admin has to update the signature database too, the shellcode of "rm -rf / &" (or whatever) is still running even if the suspicious connection was interrupted. So why not develop an easy-to-use online update service that works on the various Linux distributions as well as on other Unices or even Windows systems?
This update service can monitor the update sites of the vendors regularly and may be controlled centrally. So there is not much more work than administrating a node-based or sniffer-based NIDS. And now the network is even more secure! Sure, everyone can do what s/he likes to do in his/her spare time, but sometimes it looks like uncontrolled activism. :)

To avoid misunderstanding, I see the usefulness of NIDS in protecting network components or in detecting attacks on the network layer; even for reasons of eForensic it is useful (see the compromises of Debian(???) servers), but everything else looks like a waste of time to me. Additionally, companies do not care much about switches, routers or web servers. Sure, they get bad PR if one is compromised or turned off, but there is no direct loss of money connected with it. The direct value lies in the data: plaintext e-mails on hard disks, protocols of conference calls with co-companies, transactions to suppliers, and so on.

Your comments are welcome!

Bye,
Thomas
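The post names ARP cache poisoning as one of the network-layer attacks that only a sniffing sensor can see. As an added example (not code from the post or from any product it mentions), here is the passive detection logic such a sensor would run: it learns IP-to-MAC bindings from the frames it sees, consumes replies against outstanding requests, and raises an alert when a reply arrives that nobody asked for, when a learned binding changes, or when a frame contradicts a statically configured binding for a critical host such as the gateway. The `ArpFrame` type, the hypothetical `static` table and the sample frames are all constructed for this illustration; a real deployment would feed it decoded ARP frames from libpcap.

```python
"""Passive ARP-poisoning detector (added example, not from the original post).

Assumes a sensor that hands us already-decoded ARP frames as ArpFrame
objects; the SAMPLE_FRAMES below are constructed, not a real capture.
"""
from dataclasses import dataclass, field

ZERO_IP = "0.0.0.0"  # ARP probes use this sender IP; they carry no binding claim


@dataclass
class ArpFrame:
    op: str                 # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "00:00:00:00:00:00"


@dataclass
class ArpMonitor:
    # Hypothetical operator-configured bindings that must never change (e.g. the gateway).
    static: dict = field(default_factory=dict)
    # Bindings learned from traffic: ip -> mac.
    bindings: dict = field(default_factory=dict)
    # Outstanding requests as (asker_ip, asked_ip); a reply should match one of these.
    pending: set = field(default_factory=set)
    # Every alert raised so far, as (kind, ip, mac) tuples.
    alerts: list = field(default_factory=list)

    def process(self, f: ArpFrame) -> list:
        """Feed one frame; return the alerts this frame produced (possibly none)."""
        new = []
        if f.op == "request":
            self.pending.add((f.sender_ip, f.target_ip))
        elif f.op == "reply":
            # The request this reply would answer was sent by the target to the sender.
            key = (f.target_ip, f.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                # Legitimate gratuitous ARP also looks like this, so on its own this is
                # low severity; combined with a binding change it is the classic poison.
                new.append(("unsolicited-reply", f.sender_ip, f.sender_mac))
        # Both requests and replies carry a "sender is-at" claim worth checking.
        new.extend(self._check_binding(f.sender_ip, f.sender_mac))
        self.alerts.extend(new)
        return new

    def _check_binding(self, ip: str, mac: str) -> list:
        if ip == ZERO_IP:
            return []
        if ip in self.static and self.static[ip] != mac:
            return [("static-binding-spoof", ip, mac)]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return []
        if known != mac:
            # Record the new claim so a later flip back is alerted on as well.
            self.bindings[ip] = mac
            return [("binding-change", ip, mac)]
        return []


# Constructed sample: a normal exchange, then an attacker (de:ad:be:ef:00:99)
# poisoning both sides of the host<->gateway pair.
SAMPLE_FRAMES = [
    ArpFrame("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpFrame("reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    ArpFrame("reply", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.5", "aa:aa:aa:aa:aa:05"),
    ArpFrame("reply", "10.0.0.5", "de:ad:be:ef:00:99", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
]


def run_sample() -> ArpMonitor:
    """Run the constructed frames through a monitor that pins the gateway's MAC."""
    mon = ArpMonitor(static={"10.0.0.1": "aa:aa:aa:aa:aa:01"})
    for frame in SAMPLE_FRAMES:
        mon.process(frame)
    return mon


if __name__ == "__main__":
    for kind, ip, mac in run_sample().alerts:
        print(f"{kind}: {ip} claimed by {mac}")
```

The two signals matter for different reasons: the binding change is what actually poisons caches, while the unsolicited reply is how most poisoning tools deliver it (they do not wait for a request). The `static` table is the practical caveat: learned bindings change legitimately when DHCP reassigns an address, so production monitors pin the hosts that matter and treat everything else as lower severity.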
Current thread:
- Usefulness of Network Intrusion Detection Systems Thomas (May 25)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 26)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Riden (May 28)
- RE: Usefulness of Network Intrusion Detection Systems Rob Shein (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 27)
- Re: Usefulness of Network Intrusion Detection Systems James Fields (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Thomas (May 28)
- Re: Usefulness of Network Intrusion Detection Systems Gary Flynn (May 26)