IDS mailing list archives

RE: Firewalls (was Re: IDS evaluations procedures)


From: "Swift, David" <dswift () ipolicynetworks com>
Date: Wed, 27 Jul 2005 13:41:23 -0700

Generalities always have exceptions, but having set up security systems
for more than two dozen companies in the past year...

1. With respect to security knowledgeable people, I believe there is a
vast shortage. This translates into opportunity, and possibly rising
technical salaries again (Thank God after the past few years).

2. Whether using UTM or multi-products (FW, IDS/IPS, Proxies, Content
scrubbers...), the knowledge level needed to manage the devices is still
high. 

UTMs make it a bit easier to do a bit more, and frequently have better
correlation and cross over between functions (i.e. ability to harden
firewall if ProjectR3X attacks are detected). It may also mean a GUI
instead of multiple CLI's to learn, and built-in context sensitive help
instead of assumed knowledge.

The artificial intelligence postulate put out in a recent response
speaks to the need to codify what is now essentially an arcane art.
Until AI/correlation engines for security grow a great deal, security
expertise is going to be in high demand.

I've been in networking for 15 years and accumulated more than 18
certifications including my CISSP, and on any given day the number of
threats, potential vectors, and possible combinations of products
(Gartner has identified over 700 manufacturers in security), are
daunting, and I can only scratch the surface. I try to tread water
technically, but...keeping up...nice dream, still trying. Getting
ahead...don't have the time or money.

And like the supposed general in American history, I'm too busy shooting
at enemies, with my six shooter and putting out fires to listen to the
Machine Gun salesman's speech.

Customers fall into two categories:

1. Self educated / Been There Done That
They've usually tried multiple products, learned arcane Command Line
Interfaces (CLIs) from multiple vendors, and tried Snort or some other
IDS.
And of course many of the early IDS problems burned a lot of people (too
many alerts, no correlation, no way to act on the problems except PATCH
PATCH PATCH). Some are past the time when a UTM makes sense. The
investment in existing technologies may be too high. UTMs still work
in these environments if a product does something they may need but
haven't put in place yet (i.e. URL/Content Filtering). Other features
may get turned on later, or only partially implemented because they've
already put in a product to deal with another function. In some of these
environments I install as IPS only, but then new firewall rules are
implemented on my system due to ease of use and reporting. Common
correlated reports (multiple firewalls and IDS sensors) are another
reason for UTMs.

Most of the folks in this forum appear to be in the BTDTandBeenBurned
group.

2. Struggling / What's after firewalls?
Many folks out there have been running firewalls, and possibly an IDS
engine, but have heard there are all kinds of ways to attack through a
firewall, and are tired of IDS reports that go on for 100 or more pages.
Too much data, no actionable information, and no way to block (IPS), even
if they can turn those hundreds of pages of data into correlated
information.

In the case of firewall only customers, IPS is the big requested
feature. IDS gives visibility to data that they may not have been able
to capture before (Small Telcos who now serve IP are frequently elated
to just be able to see what's really going on), and thankfully with IPS
ways to block some of the worst nasties (worms, kiddie scripters,
DoS/DDoS, known OS/App vulnerabilities).

The constant challenge is that the number of threat vectors and
vulnerabilities increases every day, and no one does it all (marketing
aside).

Eventually I believe much of it will be codified, unified, and
productized. It should parallel virus protection. In the 80s there were
only a few, now McAfee has over 110,000 in the signature database. In
the 90s I'd get infected machines I'd have to clean or re-image weekly;
now with good desktop AV software (many are not kept up to date, but...),
I don't have to clean/rebuild many machines due to virus caused
problems.

I've managed a variety of networks and used point solutions. 

Personally, I like Unified Solutions (and I work for a unified solutions
vendor), but I'm always pressing my company to add MORE. We do FW, URL,
IDS/IPS, and will be adding AV. But of course I push for correlation,
event escalation (tagging sources to a higher threat level when
innocuous IDS events are seen, if further types of actions are seen),
and forensics (don't just tell me the IP and IDS type, even if it's
blocked; tell me WHO is at the other end of that pipe: reverse DNS,
auto-WHOIS, ARP caches if available...).

Sorry for the long-winded rambling reply. Large topic.
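
The event-escalation idea described above, as an added example that is not part of the original post: a small per-source correlator over a constructed alert stream, where a source that only triggers innocuous alerts stays at a low level but is re-tagged once a more serious alert class is also seen from it inside the window. The alert classes, their weights and the reverse-DNS table are assumptions constructed for this example, not any product's scale.

```python
"""Per-source event escalation over IDS alerts: an added illustration of the
escalation idea above. Classes, weights and the DNS table are constructed."""
from collections import defaultdict

# Constructed weights per alert class (not any real product's scale).
CLASS_WEIGHT = {"info": 0, "scan": 1, "exploit-attempt": 3, "c2-beacon": 4}
# Constructed stand-in for the reverse-DNS / WHOIS enrichment step.
REVERSE_DNS = {"198.51.100.7": "host7.example-isp.test"}


def to_level(score: int) -> str:
    """Map an escalation score onto the operator-facing threat level."""
    if score == 0:
        return "benign"
    if score <= 2:
        return "watch"
    if score <= 4:
        return "suspicious"
    return "hostile"


class Escalator:
    """Keeps a sliding window of alert classes seen per source address."""

    def __init__(self, window: int = 3600):
        self.window = window
        self.seen = defaultdict(list)  # src -> [(ts, alert_class)]

    def observe(self, ts: int, src: str, alert_class: str) -> dict:
        """Record one alert and return it tagged with the source's level."""
        self.seen[src].append((ts, alert_class))
        # Drop events outside the window so old noise does not pin a level.
        self.seen[src] = [(t, c) for t, c in self.seen[src] if ts - t <= self.window]
        kinds = {c for _, c in self.seen[src]}
        score = sum(CLASS_WEIGHT[c] for c in kinds)
        # Two different kinds of activity from one source is itself a signal
        # (a scan followed by an exploit attempt), so it escalates one extra step.
        if len(kinds) >= 2:
            score += 1
        return {"ts": ts, "src": src, "who": REVERSE_DNS.get(src, "unresolved"),
                "class": alert_class, "level": to_level(score)}


if __name__ == "__main__":
    esc = Escalator()
    # Constructed alert stream: a scan, then an exploit attempt from the same host.
    for ts, src, cls in [(100, "198.51.100.7", "scan"), (160, "203.0.113.9", "info"),
                         (400, "198.51.100.7", "exploit-attempt")]:
        print(esc.observe(ts, src, cls))
```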
 
-----Original Message-----
From: Fergus Brooks [mailto:fergwa () gmail com] 
Sent: Monday, July 25, 2005 8:04 PM
To: Ha, Jason
Cc: focus-ids () securityfocus com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Thanks for your comments Jason. 

So does this lead us to the opinion that "...organisations that can't
afford or don't feel the need for security experts..." should be the
ones using the UTM appliances mentioned above and that organisations
with the resources and a solid belief in effective security should
either employ security experts who decide which tools they need to do
the job or outsource to dedicated managed security providers?

I suggest that any organisation who fits into this category should
employ a layered approach that includes, at least, dual-skinned
perimeter firewalls (packet filter and proxy), bastion front-end
hosts, intrusion detection systems, mitigation systems (or methods in
the case of using existing devices like routers & firewalls) and some
kind of protocol and network behavioural anomaly detection to profile
zero-hour attacks and also see the 90%-plus network impacting events
that aren't security related.

I won't even bother covering anti-virus or content filtering. Then it
is time to add a SIM app like MARS to reduce console shock and provide
for correlation and aggregation of the myriad number of alerts and
reports.

Without flogging a dead horse my point is that vendors suggesting to
large enterprise clients that they have a mechanical silver bullet are
minimising the value that professional consultants bring to holding
this very necessary framework together. No machine can compete with
the intuitive and experienced problem-solving processes of a properly
trained and resourced human. Do we want the security of our money,
cities, credit card debt (oh don't know how that last one slipped in
there...) protected by anything else?

Outsourced security providers add a layer of independence and
expertise to this approach, be it for one set of tools or everything.
Security professionals should be encouraging clients to resource their
staff adequately or outsource. The vendors should be increasing the
value of their products by training the channel (not an easy thing to
do when they don't want to get trained!) and insisting that initial &
ongoing services are bundled with the product to ensure effective
implementation and integration. What is wrong with the concept of
selling quarterly health checks with the box/software? Adds value to
the overall deal, provides for repeat revenue, and improves the
reputation and competitive stature of the reseller.

If it was me who had spent 30-odd grand on a couple of perimeter IDS'
that send alerts to an email account nobody checks I would be a very
hard person to sell anything with "Intrusion" in the name...


On 7/26/05, Ha, Jason <JHa () verisign com au> wrote:
Hi Fergus,

"Hear, hear!" to your mentioned points. There definitely has been a
push from many of the large vendors for fully automated solutions with
minimal human interaction (Cisco's self-defending network model comes to
mind). I'm not sure if their intent is to replace security experts, but
I'm hazarding a guess that it's aimed at organisations that can't afford
or don't feel the need for security experts.

Being someone who also has a good chunk of experience with managed
IDS, it certainly isn't possible to have an effective solution without
both the technology and the personal expertise. IDS solutions without
the consultative expertise often sit there unused, and no matter how much
of a security guru you are, attempting to monitor intrusions manually
without an IDS would be somewhat laborious.

An IDS provides visibility, but that visibility has no meaning if it's
not seen by anyone, and those who do see it, don't understand it.

Regards,

Jason

-----Original Message-----
    From: "Fergus Brooks" <fergwa () gmail com>
    Sent: 23/07/05 6:10:36 AM
    To: "focus-ids () securityfocus com" <focus-ids () securityfocus com>
    Subject: Re: Firewalls (was Re: IDS evaluations procedures)

    Agreed on all the above points. Without going too far off topic, this
    leads me to another area that has been troubling me. One of the key
    aims of security vendors over the last few years has been minimising
    the importance of security experts (i.e. experienced human beings) in
    the process of attack mitigation, remediation and defence.

    I think this has a lot to do with the complexity of selling services
    and would be interested in hearing from people out there who have had
    success in the managed IDS space.

    One of the reasons that the reputation of IDS suffered (and maybe why
    S&M (sales & marketing) had to pep things up with the P) is because
    IDS was delivered to enterprises as a box-drop with no real bedding-in
    and tuning and has therefore generated too many false
    positives/negatives & noise. So what has happened is that the less
    consultative companies out there have minimised the perceived value of
    what Richard accurately describes as "an important part of the
    security arsenal."

    We have been offering expert network intelligence services (similar to
    managed NIDS services, but not restricted to security) for about 9
    months now and are constantly having to convince people that being
    able to speak to an expert is infinitely better than trusting a
    machine. My point is that S&M are doing their best to minimise
    perception of the value of the talented and dedicated people who
    continue to improve detection and mitigation capabilities.

    It makes me wonder when I see so many IDS systems out there that have
    cost a lot of money mindlessly shooting alerts off to an email account
    that nobody ever reads. Or just as bad, shooting them off to a
    log/event outsourcer whose tech staff have never even met the client
    so have no idea of their policies, environment or concerns.

    I suggest we drop IPS from the nomenclature. And let's encourage the
    consultative approach...

Previous History snipped. 

