IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Swift, David" <dswift () ipolicynetworks com>
Date: Wed, 27 Jul 2005 13:41:23 -0700
Generalities always have exceptions, but having set up security systems for more than 2 dozen companies in the past year...

1. With respect to security knowledgeable people, I believe there is a vast shortage. This translates into opportunity, and possibly rising technical salaries again (Thank God after the past few years).

2. Whether using UTM or multi-products (FW, IDS/IPS, Proxies, Content scrubbers...), the knowledge level needed to manage the devices is still high. UTMs make it a bit easier to do a bit more, and frequently have better correlation and cross over between functions (i.e. ability to harden firewall if ProjectR3X attacks are detected). It may also mean a GUI instead of multiple CLIs to learn, and built-in context sensitive help instead of assumed knowledge.

The artificial intelligence postulate put out in a recent response speaks to the need to codify what is now essentially an arcane art. Until AI/correlation engines for security grow a great deal, security expertise is going to be in high demand. I've been in networking for 15 years and accumulated more than 18 certifications including my CISSP, and on any given day the number of threats, potential vectors, and possible combinations of products (Gartner has identified over 700 manufacturers in security) are daunting, and I can only scratch the surface. I try to tread water technically, but...keeping up...nice dream, still trying. Getting ahead...don't have the time or money. And like the supposed general in American history, I'm too busy shooting at enemies with my six shooter and putting out fires to listen to the Machine Gun salesman's speech.

Customers fall into two categories:

1. Self educated / Been There Done That

They've usually tried multiple products, learned arcane Command Line Interfaces (CLI) from multiple vendors, and tried Snort or some other IDS. And of course many of the early IDS problems burned a lot of people (too many alerts, no correlation, no way to act on the problems except PATCH PATCH PATCH). Some are past the time when a UTM makes sense. The investment into existing technologies may be too high. UTMs still work in these environments if a product does something they may need but haven't put in place yet (i.e. URL/Content Filtering). Other features may get turned on later, or only partially implemented because they've already put in a product to deal with another function. In some of these environments I install as IPS only, but then new firewall rules are implemented on my system due to ease of use and reporting. Common correlated reports (multiple firewalls and IDS sensors) are another reason for UTMs. Most of the folks in this forum appear to be in the BTDTandBeenBurned group.

2. Struggling / What's after firewalls?

Many folks out there have been running firewalls, and possibly an IDS engine, but have heard there are all kinds of ways to attack through a firewall, and are tired of IDS reports that go on for 100 or more pages. Too much data, no actionable information, and no way to block (IPS), even if they can turn those hundreds of pages of data into correlated information. In the case of firewall only customers, IPS is the big requested feature. IDS gives visibility to data that they may not have been able to capture before (Small Telcos who now serve IP are frequently elated to just be able to see what's really going on), and thankfully with IPS ways to block some of the worst nasties (worms, kiddie scripters, DoS/DDoS, known OS/App vulnerabilities).

The constant challenge is the number of threat vectors and vulnerabilities increases every day, and no one does (marketing aside) it all. Eventually I believe much of it will be codified, unified, and productized. It should parallel virus protection. In the 80's there were only a few, now McAfee has over 110,000 in the signature database. In the 90's I'd get infected machines I'd have to clean or re-image weekly, now with good desktop AV software (many are not kept up to date, but...), I don't have to clean/rebuild many machines due to virus caused problems.

I've managed a variety of networks and used point solutions. Personally, I like Unified Solutions (and I work for a unified solutions vendor), but I'm always pressing my company to add MORE. We do FW, URL, IDS/IPS, and will be adding AV. But of course I push for correlation, and event escalation (tagging sources to a higher threat level when innocuous IDS events are seen, if further types of actions are seen), and forensics (don't just tell me the IP and IDS type, even if it's blocked; tell me WHO is at the other end of that pipe (reverse DNS, auto-WHOIS, ARP caches if available...)).

Sorry for the long winded rambling reply. Large topic.

-----Original Message-----
From: Fergus Brooks [mailto:fergwa () gmail com]
Sent: Monday, July 25, 2005 8:04 PM
To: Ha, Jason
Cc: focus-ids () securityfocus com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Thanks for your comments Jason. So does this lead us to the opinion that "...organisations that can't afford or don't feel the need for security experts..." should be the ones using the UTM appliances mentioned above and that organisations with the resources and a solid belief in effective security should either employ security experts who decide which tools they need to do the job or outsource to dedicated managed security providers?

I suggest that any organisation who fits into this category should employ a layered approach that includes, at least, dual-skinned perimeter firewalls (packet filter and proxy), bastion front-end hosts, intrusion detection systems, mitigation systems (or methods in the case of using existing devices like routers & firewalls) and some kind of protocol and network behavioural anomaly detection to profile zero-hour attacks and also see the 90%-plus network impacting events that aren't security related. I won't even bother covering anti-virus or content filtering. Then it is time to add a SIM app like MARS to reduce console shock and provide for correlation and aggregation of the myriad number of alerts and reports.

Without flogging a dead horse my point is that vendors suggesting to large enterprise clients that they have a mechanical silver bullet are minimising the value that professional consultants bring to holding this very necessary framework together. No machine can compete with the intuitive and experienced problem-solving processes of a properly trained and resourced human. Do we want the security of our money, cities, credit card debt (oh don't know how that last one slipped in there...) protected by anything else?

Outsourced security providers add a layer of independence and expertise to this approach, be it for one set of tools or everything. Security professionals should be encouraging clients to resource their staff adequately or outsource. The vendors should be increasing the value of their products by training the channel (not an easy thing to do when they don't want to get trained!) and insisting that initial & ongoing services are bundled with the product to ensure effective implementation and integration. What is wrong with the concept of selling quarterly health checks with the box/software? Adds value to the overall deal, provides for repeat revenue, and improves the reputation and competitive stature of the reseller.

If it was me who had spent 30-odd grand on a couple of perimeter IDS' that send alerts to an email account nobody checks I would be a very hard person to sell anything with "Intrusion" in the name...

On 7/26/05, Ha, Jason <JHa () verisign com au> wrote:
Hi Fergus, "hear, hear!" to your mentioned points. There definitely has been a push from many of the large vendors for fully automated solutions with minimal human interaction (Cisco's self-defending network model comes to mind). I'm not sure if their intent is to replace security experts, but I'm hazarding a guess that it's aimed at organisations that can't afford or don't feel the need for security experts.

Being someone who also has a good chunk of experience with managed IDS, it certainly isn't possible to have an effective solution without both the technology and the personal expertise. IDS solutions without the consultive expertise often sit there unused, and no matter how much of a security guru you are, attempting to monitor intrusions manually without an IDS would be somewhat laborious.

An IDS provides visibility, but that visibility has no meaning if it's not seen by anyone, and those who do see it don't understand it.

Regards, Jason

-----Original Message-----
From: "Fergus Brooks" <fergwa () gmail com>
Sent: 23/07/05 6:10:36 AM
To: "focus-ids () securityfocus com" <focus-ids () securityfocus com>
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Agreed on all the above points. Without going too far off topic, this leads me to another area that has been troubling me. One of the key aims of security vendors over the last few years has been minimising the importance of security experts (i.e. experienced human beings) in the process of attack mitigation, remediation and defence.

I think this has a lot to do with the complexity of selling services and would be interested in hearing from people out there who have had success in the managed IDS space.

One of the reasons that the reputation of IDS suffered (and maybe why S&M (sales & marketing) had to pep things up with the P) is because IDS was delivered to enterprises as a box-drop with no real bedding-in and tuning and has therefore generated too many false positives/negatives & noise. So what has happened is that the less consultative companies out there have minimised the perceived value of what Richard accurately describes as "an important part of the security arsenal."

We have been offering expert network intelligence services (similar to managed NIDS services, but not restricted to security) for about 9 months now and are constantly having to convince people that being able to speak to an expert is infinitely better than trusting a machine. My point is that S&M are doing their best to minimise perception of the value of the talented and dedicated people who continue to improve detection and mitigation capabilities.

It makes me wonder when I see so many IDS systems out there that have cost a lot of money mindlessly shooting alerts off to an email account that nobody ever reads. Or just as bad, shooting them off to a log/event outsourcer whose tech staff have never even met the client so have no idea of their policies, environment or concerns.

I suggest we drop IPS from the nomenclature. And let's encourage the consultative approach...
Previous History snipped.
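Swift's "event escalation" point above (raise a source's threat level once innocuous events are followed by a different kind of action, and tell the analyst WHO is behind the address), as an added example that is not from the message or from any vendor mentioned in the thread. It is Python, the alert records and the reverse-DNS/WHOIS/ARP lookup table are constructed stand-ins, and the "two distinct categories" threshold is an assumption chosen to keep the logic visible.

```python
"""Toy event-escalation and enrichment pass over IDS alerts (added example).

Each alert is (timestamp, source_ip, category, severity). A source is
escalated only once it has produced events in two or more *different*
categories (e.g. a low-severity scan followed by an exploit attempt),
which is the "further types of actions" idea from the message. Enrichment
attaches WHO is behind the address from a table standing in for reverse
DNS, WHOIS and ARP caches, so it runs offline with no network access.
"""
from collections import defaultdict

# Constructed sample alerts (not real traffic): ts, src, category, severity
ALERTS = [
    ("10:00:01", "203.0.113.7", "recon",   "low"),
    ("10:00:05", "203.0.113.7", "recon",   "low"),
    ("10:02:30", "203.0.113.7", "exploit", "high"),    # new category -> escalate
    ("10:03:10", "198.51.100.9", "recon",  "low"),
    ("10:03:11", "198.51.100.9", "recon",  "low"),     # same category -> stays on watch
    ("10:05:00", "192.0.2.44", "policy",   "low"),
    ("10:05:40", "192.0.2.44", "malware",  "medium"),  # new category -> escalate
]

# Constructed stand-in for reverse DNS / WHOIS / ARP enrichment results
ENRICHMENT = {
    "203.0.113.7": {"rdns": "host7.example.net", "whois": "EXAMPLE-NET-1"},
    "192.0.2.44": {"rdns": "ws44.corp.example", "arp": "00:00:5e:00:53:2c"},
}

def escalate(alerts, enrichment):
    """Return {source: {"level": str, "categories": set, "who": dict}}."""
    seen = defaultdict(set)   # distinct event categories observed per source
    state = {}
    for _ts, src, category, _sev in alerts:
        seen[src].add(category)
        # Two distinct categories from one source is treated as intent,
        # even though each event on its own may look innocuous.
        level = "escalated" if len(seen[src]) >= 2 else "watch"
        state[src] = {
            "level": level,
            "categories": set(seen[src]),
            "who": enrichment.get(src, {"rdns": "unknown"}),
        }
    return state

if __name__ == "__main__":
    for src, info in escalate(ALERTS, ENRICHMENT).items():
        print(f"{src:14} {info['level']:10} {sorted(info['categories'])} {info['who']}")
```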