IDS mailing list archives

Re: Firewalls (was Re: IDS evaluations procedures)


From: Fergus Brooks <fergwa () gmail com>
Date: Tue, 26 Jul 2005 09:03:34 +0800

Thanks for your comments Jason. 

So does this lead us to the opinion that "...organisations that can't
afford or don't feel the need for security experts..." should be the
ones using the UTM appliances mentioned above and that organisations
with the resources and a solid belief in effective security should
either employ security experts who decide which tools they need to do
the job or outsource to dedicated managed security providers?

I suggest that any organisation who fits into this category should
employ a layered approach that includes, at least, dual-skinned
perimeter firewalls (packet filter and proxy), bastion front-end
hosts, intrusion detection systems, mitigation systems (or methods in
the case of using existing devices like routers & firewalls) and some
kind of protocol and network behavioural anomaly detection to profile
zero-hour attacks and also see the 90%-plus network impacting events
that aren't security related.

I won't even bother covering anti-virus or content filtering. Then it
is time to add a SIM app like MARS to reduce console shock and provide
for correlation and aggregation of the myriad number of alerts and
reports.

Without flogging a dead horse, my point is that vendors suggesting to
large enterprise clients that they have a mechanical silver bullet are
minimising the value that professional consultants bring to holding
this very necessary framework together. No machine can compete with
the intuitive and experienced problem-solving processes of a properly
trained and resourced human. Do we want the security of our money,
cities, credit card debt (oh don't know how that last one slipped in
there...) protected by anything else?

Outsourced security providers add a layer of independence and
expertise to this approach, be it for one set of tools or everything.
Security professionals should be encouraging clients to resource their
staff adequately or outsource. The vendors should be increasing the
value of their products by training the channel (not an easy thing to
do when they don't want to get trained!) and insisting that initial &
ongoing services are bundled with the product to ensure effective
implementation and integration. What is wrong with the concept of
selling quarterly health checks with the box/software? Adds value to
the overall deal, provides for repeat revenue, and improves the
reputation and competitive stature of the reseller.

If it was me who had spent 30-odd grand on a couple of perimeter IDSs
that send alerts to an email account nobody checks I would be a very
hard person to sell anything with "Intrusion" in the name...

On 7/26/05, Ha, Jason <JHa () verisign com au> wrote:
Hi Fergus,

"hear, hear!" to your mentioned points. There definitely has been a push from many of the large vendors for fully 
automated solutions with minimal human interaction (Cisco's self-defending network model comes to mind). I'm not sure 
if their intent is to replace security experts, but I'm hazarding a guess that it's aimed at organisations that can't 
afford or don't feel the need for security experts.

Being someone who also has a good chunk of experience with managed IDS, it certainly isn't possible to have an 
effective solution without both the technology and the personal expertise. IDS solutions without the consultative 
expertise often sit there unused, and no matter how much of a security guru you are, attempting to monitor intrusions 
manually without an IDS would be somewhat laborious.

An IDS provides visibility, but that visibility has no meaning if it's not seen by anyone, and those who do see it, 
don't understand it.

Regards,

Jason

-----Original Message-----
    From: "Fergus Brooks" <fergwa () gmail com>
    Sent: 23/07/05 6:10:36 AM
    To: "focus-ids () securityfocus com" <focus-ids () securityfocus com>
    Subject: Re: Firewalls (was Re: IDS evaluations procedures)

    Agreed on all the above points. Without going too far off topic, this
    leads me to another area that has been troubling me. One of the key
    aims of security vendors over the last few years has been minimising
    the importance of security experts (i.e. experienced human beings) in
    the process of attack mitigation, remediation and defence.

    I think this has a lot to do with the complexity of selling services
    and would be interested in hearing from people out there who have had
    success in the managed IDS space.

    One of the reasons that the reputation of IDS suffered (and maybe why
    S&M (sales & marketing) had to pep things up with the P) is because
    IDS was delivered to enterprises as a box-drop with no real bedding-in
    and tuning and have therefore generated too many false
    positives/negatives & noise. So what has happened is that the less
    consultative companies out there have minimised the perceived value of
    what Richard accurately describes as "an important part of the
    security arsenal."

    We have been offering expert network intelligence services (similar to
    managed NIDS services, but not restricted to security) for about 9
    months now and are constantly having to convince people that being
    able to speak to an expert is infinitely better than trusting a
    machine. My point is that S&M are doing their best to minimise
    perception of the value of the talented and dedicated people who
    continue to improve detection and mitigation capabilities.

    It makes me wonder when I see so many IDS systems out there that have
    cost a lot of money mindlessly shooting alerts off to an email account
    that nobody ever reads. Or just as bad, shooting them off to a
    log/event outsourcer whose tech staff have never even met the client
    so have no idea of their policies, environment or concerns.

    I suggest we drop IPS from the nomenclature. And let's encourage the
    consultative approach...

    On 7/21/05, Richard Bejtlich <taosecurity () gmail com> wrote:
    > On 7/20/05, Nick Black <dank () qemfd net> wrote:
    > > Richard Bejtlich rigorously showed:
    > > > In fact, you could argue the IPS is a step backward from a stateful
    > > > layer 3/4 firewall in that the IPS inverts a proven security model.
    > > > Good security (implemented on most firewalls) says "allow what policy
    > > > says is authorized, deny all else."  The IPS model says "deny what
    > > > policy says is malicious, allow all else."  Marty pointed this out a
    > > > while ago and it has stayed with me.
    > >
    > > This statement seems quite too general -- who is to define the "IPS
    > > model" as it is implemented in a wide swath of appliances? I can speak
    > > with some authority regarding our hybridized approach here at Reflex,
    > > and suggested deployment procedure: the very first activity performed on
    > > a new install is the same determination of necessary network traffic one
    > > would codify when preparing a link/network/transport-layer firewall.
    > > Signature and anomaly-based detection follows this basic {protocol X
    > > addressing}-based blacklisting (although it can also be applied to data
    > > already rejected, should a customer wish to spend resources examining
    > > such).
    > >
    > > Your issue seems to be more properly with those who configure IPS
    > > devices, and perhaps those who write misleading documentation and
    > > marketing info, than with the "IPS model".
    > >
    >
    > Hi Nick and list,
    >
    > If someone configures their layer 3/4 firewall to block, say, ports
    > 111 TCP and 445 TCP, and let everything else pass, we would agree that
    > is a poor deployment model.  People still do this, unfortunately.
    >
    > If someone configures their layer 7 firewall (aka IPS) to block
    > traffic identified by signature, anomaly, vulnerability, whatever, and
    > let everything else pass, now we're discussing the way almost everyone
    > deploys IPSs.
    >
    > I have not heard anyone defining and passing "authorized" traffic and
    > denying everything else via IPS.  In fact, hot hardware items these
    > days are inline bypass switches to avoid inline IPSs that fail.
    > "Better to keep the traffic flowing than fail closed!" is the
    > rationale.
    >
    > I detest the term IPS, as it is a pure marketing term.  It was created
    > by companies that needed to define a new access control product niche
    > to compete against the firewall giants of the early 2000s.   (All
    > defensive measures are trying to prevent intrusions.)
    >
    > However, I am not disrespecting the technology. Anything which can
    > make smarter access control decisions is extremely helpful and an
    > important part of the security arsenal.
    >
    > Sincerely,
    >
    > Richard
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >

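Richard's contrast of the two access control models in the quoted thread (allow what policy authorises and deny all else, versus deny what policy calls malicious and allow all else), as an added example that is not code from any of the posters. It is a toy policy engine over constructed flows; the port sets, the Flow fields and the fail-open flag are assumptions, the last standing in for the inline bypass switches he mentions.

```python
"""Default-deny (firewall) vs default-allow (IPS) policy, as a toy engine.

All flows and port sets below are constructed for illustration; the point
is which model blocks a service nobody has authorised (TCP/31337 here).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_port: int
    malicious: bool  # True if a signature/anomaly engine flagged the flow


# Hypothetical policy data for an imagined network (not from the thread).
AUTHORISED = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # firewall allowlist
BLACKLIST_PORTS = {("tcp", 111), ("tcp", 445)}         # the "poor deployment" ports


def firewall_model(flow: Flow) -> str:
    """Allow what policy says is authorised, deny all else (layer 3/4 view)."""
    return "allow" if (flow.proto, flow.dst_port) in AUTHORISED else "deny"


def ips_model(flow: Flow, engine_up: bool = True, fail_open: bool = True) -> str:
    """Deny what policy says is malicious, allow all else.

    engine_up=False models a failed inline inspection engine; fail_open=True
    mirrors a bypass switch ("keep the traffic flowing"), False fails closed.
    """
    if not engine_up:
        return "allow" if fail_open else "deny"
    if (flow.proto, flow.dst_port) in BLACKLIST_PORTS or flow.malicious:
        return "deny"
    return "allow"


# Constructed sample traffic.
SAMPLE = [
    Flow("tcp", 443, False),    # ordinary HTTPS
    Flow("tcp", 445, False),    # SMB, explicitly blocked in both models
    Flow("tcp", 31337, False),  # unknown listener, no signature match
    Flow("tcp", 80, True),      # HTTP flagged by a signature
]


def compare(flows: list[Flow] = SAMPLE) -> dict[int, tuple[str, str]]:
    """Map dst_port -> (firewall verdict, IPS verdict) for each flow."""
    return {f.dst_port: (firewall_model(f), ips_model(f)) for f in flows}


if __name__ == "__main__":
    for port, (fw, ips) in compare().items():
        print(f"port {port:5d}: firewall={fw:5s} ips={ips}")
```

The unknown listener on 31337 is the flow that separates the two models: the allowlist denies it without knowing anything about it, while the denylist passes it until someone writes a signature.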

