IDS mailing list archives
RE: Firewalls (was Re: IDS evaluations procedures)
From: "Ha, Jason" <JHa () verisign com au>
Date: Wed, 27 Jul 2005 08:57:26 +1000
Hey Fergus,

I wouldn't say it's a definitive opinion, but I believe it serves as a rough guideline. A small manufacturing organisation which is having security issues typically has only one or two IT personnel who can't afford the time to maintain their infrastructure as well as educate themselves on security, let alone apply that knowledge. Not to say there aren't some "genius" IT folk out there who can... >:)

As such, devices which are simplistic and are effectively plug&pray provide some value towards handling that security knowledge/experience hole. This is as opposed to a large organisation which has a dedicated team of in-house security people, as well as a budget to invest in external security consulting knowledge. In this instance, the UTM solution may provide less value, as it often serves as a confusion point (i.e. why did the UTM pick this up when nothing else did, or why didn't the UTM pick this up when everything else did, etc.), but may still be useful in some capacity.

I definitely agree with your defence-in-depth approach to security. Something that I continuously try to highlight to clients is that the whole concept of security is aimed at discovering and analysing risks, and then determining what level of mitigation is required. Many of the security tools we use are aimed at enforcing security policy to assist in mitigating risk. Others, more importantly, are used to provide visibility to determine whether the mitigation is successful or whether elements of the risks are changing. Often, the amount of information derived from all these tools is simply overwhelming and requires the knowledge and experience of security experts (either internal or external) to properly analyse the results and determine whether changes need to be made to the overall risk management strategy.

I thoroughly agree with your point that security experts (and people in general for that matter) are the most integral part of security.
This is especially true when you think about it from a human perspective as opposed to a technical/networking perspective. The main cause of security issues is in fact "people" (either intentionally or accidentally). As a result, security education is perhaps one of the most effective security solutions. This, of course, is carried out by human security experts. I'll be truly impressed the day some vendor comes up with a funky acronym device which can automatically adjust people's security mind-set. >:)

Regarding MSSPs, the benefit of an outsourced security provider is that they can provide expertise immediately (i.e. as an IDS event occurs). They can then respond on behalf of the customer if it is irrelevant, or contact the customer and execute the relevant incident procedure accordingly. The benefit of outsourced security providers is also their proactiveness, i.e. "Mr Customer, there has been a recent IIS vulnerability that may affect your servers and cause xxx damage."

Often, the larger the organisation, the more complicated the environment and, as such, the more security expertise they require. I believe an outsourced model provides an additional layer of security (a human version of your dual-skinned perimeter firewall approach >:) ) which can go a long way in assisting the organisation.

I think you'll also find that, despite vendors attempting to offer an automated "it does it all" security solution, they typically have service arms (or integration partners) who add on all the services required to provision, implement, continuously tune and report on the findings of the product. The money is in the services (and the maintenance contracts I suppose >:) ) and as long as that's the case, you'll find the products will still require a large degree of human security expertise.

Good discussion.
Regards,
Jason

-----Original Message-----
From: Fergus Brooks [mailto:fergwa () gmail com]
Sent: Tuesday, 26 July 2005 11:04 AM
To: Ha, Jason
Cc: focus-ids () securityfocus com
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Thanks for your comments Jason. So does this lead us to the opinion that "...organisations that can't afford or don't feel the need for security experts..." should be the ones using the UTM appliances mentioned above, and that organisations with the resources and a solid belief in effective security should either employ security experts who decide which tools they need to do the job or outsource to dedicated managed security providers?

I suggest that any organisation who fits into this category should employ a layered approach that includes, at least, dual-skinned perimeter firewalls (packet filter and proxy), bastion front-end hosts, intrusion detection systems, mitigation systems (or methods in the case of using existing devices like routers & firewalls) and some kind of protocol and network behavioural anomaly detection to profile zero-hour attacks and also see the 90%-plus network impacting events that aren't security related. I won't even bother covering anti-virus or content filtering. Then it is time to add a SIM app like MARS to reduce console shock and provide for correlation and aggregation of the myriad alerts and reports.

Without flogging a dead horse, my point is that vendors suggesting to large enterprise clients that they have a mechanical silver bullet are minimising the value that professional consultants bring to holding this very necessary framework together. No machine can compete with the intuitive and experienced problem-solving processes of a properly trained and resourced human. Do we want the security of our money, cities, credit card debt (oh, don't know how that last one slipped in there...) protected by anything else?

Outsourced security providers add a layer of independence and expertise to this approach, be it for one set of tools or everything. Security professionals should be encouraging clients to resource their staff adequately or outsource. The vendors should be increasing the value of their products by training the channel (not an easy thing to do when they don't want to get trained!) and insisting that initial & ongoing services are bundled with the product to ensure effective implementation and integration. What is wrong with the concept of selling quarterly health checks with the box/software? It adds value to the overall deal, provides for repeat revenue, and improves the reputation and competitive stature of the reseller. If it was me who had spent 30-odd grand on a couple of perimeter IDS' that send alerts to an email account nobody checks, I would be a very hard person to sell anything with "Intrusion" in the name...

On 7/26/05, Ha, Jason <JHa () verisign com au> wrote:
Hi Fergus,

"Hear hear!" to your mentioned points. There definitely has been a push from many of the large vendors for fully automated solutions with minimal human interaction (Cisco's self-defending network model comes to mind). I'm not sure if their intent is to replace security experts, but I'm hazarding a guess that it's aimed at organisations that can't afford or don't feel the need for security experts.

Being someone who also has a good chunk of experience with managed IDS, it certainly isn't possible to have an effective solution without both the technology and the personal expertise. IDS solutions without the consultative expertise often sit there unused, and no matter how much of a security guru you are, attempting to monitor intrusions manually without an IDS would be somewhat laborious.

An IDS provides visibility, but that visibility has no meaning if it's not seen by anyone, and those who do see it don't understand it.
Regards,
Jason

-----Original Message-----
From: "Fergus Brooks" <fergwa () gmail com>
Sent: 23/07/05 6:10:36 AM
To: "focus-ids () securityfocus com" <focus-ids () securityfocus com>
Subject: Re: Firewalls (was Re: IDS evaluations procedures)

Agreed on all the above points. Without going too far off topic, this leads me to another area that has been troubling me. One of the key aims of security vendors over the last few years has been minimising the importance of security experts (i.e. experienced human beings) in the process of attack mitigation, remediation and defence.

I think this has a lot to do with the complexity of selling services and would be interested in hearing from people out there who have had success in the managed IDS space.

One of the reasons that the reputation of IDS suffered (and maybe why S&M (sales & marketing) had to pep things up with the P) is because IDS was delivered to enterprises as a box-drop with no real bedding-in and tuning and has therefore generated too many false positives/negatives & noise. So what has happened is that the less consultative companies out there have minimised the perceived value of what Richard accurately describes as "an important part of the security arsenal."

We have been offering expert network intelligence services (similar to managed NIDS services, but not restricted to security) for about 9 months now and are constantly having to convince people that being able to speak to an expert is infinitely better than trusting a machine.

My point is that S&M are doing their best to minimise perception of the value of the talented and dedicated people who continue to improve detection and mitigation capabilities.

It makes me wonder when I see so many IDS systems out there that have cost a lot of money mindlessly shooting alerts off to an email account that nobody ever reads. Or just as bad, shooting them off to a log/event outsourcer whose tech staff have never even met the client so have no idea of their policies, environment or concerns.

I suggest we drop IPS from the nomenclature. And let's encourage the consultative approach...

On 7/21/05, Richard Bejtlich <taosecurity () gmail com> wrote:
> On 7/20/05, Nick Black <dank () qemfd net> wrote:
> > Richard Bejtlich rigorously showed:
> > > In fact, you could argue the IPS is a step backward from a stateful
> > > layer 3/4 firewall in that the IPS inverts a proven security model.
> > > Good security (implemented on most firewalls) says "allow what policy
> > > says is authorized, deny all else." The IPS model says "deny what
> > > policy says is malicious, allow all else." Marty pointed this out a
> > > while ago and it has stayed with me.
> >
> > This statement seems quite too general -- who is to define the "IPS
> > model" as it is implemented in a wide swath of appliances? I can speak
> > with some authority regarding our hybridized approach here at Reflex,
> > and suggested deployment procedure: the very first activity performed on
> > a new install is the same determination of necessary network traffic one
> > would codify when preparing a link/network/transport-layer firewall.
> > Signature and anomaly-based detection follows this basic {protocol X
> > addressing}-based blacklisting (although it can also be applied to data
> > already rejected, should a customer wish to spend resources examining
> > such).
> >
> > Your issue seems to be more properly with those who configure IPS
> > devices, and perhaps those who write misleading documentation and
> > marketing info, than with the "IPS model".
>
> Hi Nick and list,
>
> If someone configures their layer 3/4 firewall to block, say, ports
> 111 TCP and 445 TCP, and let everything else pass, we would agree that
> is a poor deployment model. People still do this, unfortunately.
>
> If someone configures their layer 7 firewall (aka IPS) to block
> traffic identified by signature, anomaly, vulnerability, whatever, and
> let everything else pass, now we're discussing the way almost everyone
> deploys IPSs.
>
> I have not heard anyone defining and passing "authorized" traffic and
> denying everything else via IPS. In fact, a hot hardware item these
> days are inline bypass switches to avoid inline IPSs that fail.
> "Better to keep the traffic flowing than fail closed!" is the
> rationale.
>
> I detest the term IPS, as it is a pure marketing term. It was created
> by companies that needed to define a new access control product niche
> to compete against the firewall giants of the early 2000s. (All
> defensive measures are trying to prevent intrusions.)
>
> However, I am not disrespecting the technology. Anything which can
> make smarter access control decisions is extremely helpful and an
> important part of the security arsenal.
>
> Sincerely,
>
> Richard
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
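The policy inversion Richard describes in the quoted message (a firewall allows what policy authorises and denies the rest; a typical IPS denies what matches a signature and allows the rest), the fail-open bypass switches he mentions, and the "allowlist first, then signatures" hybrid Nick describes can all be shown side by side on the same traffic. The following is an added example and is not code from the original thread or from any product named in it. The seven flows, the three-service allowlist, the two-port blocklist, the single directory-traversal signature and the RFC 5737 documentation addresses are all constructed for illustration.

```python
"""
Default-deny (firewall) versus default-allow (IPS) access control,
plus the fail-open bypass failure mode, evaluated over a constructed
traffic sample. Nothing here is a real device configuration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str
    dport: int
    payload: bytes
    label: str  # constructed ground truth, used only for scoring


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = (
    Flow("10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.1", "benign"),
    Flow("10.0.0.5", "tcp", 443, b"\x16\x03\x01", "benign"),
    Flow("203.0.113.4", "udp", 53, b"\x12\x34\x01\x00", "benign"),
    Flow("198.51.100.7", "tcp", 445, b"\xffSMB", "known-bad"),
    Flow("198.51.100.7", "tcp", 111, b"\x80\x00\x00\x28", "known-bad"),
    # Novel service: no signature exists for it yet.
    Flow("198.51.100.9", "tcp", 4444, b"uname -a", "novel-bad"),
    # Attack carried over an authorised service.
    Flow("198.51.100.11", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1", "known-bad"),
)

# Assumed policy inputs for the example.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}
BLOCKED_SERVICES = {("tcp", 445), ("tcp", 111)}
SIGNATURES = (re.compile(rb"\.\./"),)  # one toy content signature


def firewall(flow: Flow) -> str:
    """Allow what policy authorises, deny all else."""
    return "allow" if (flow.proto, flow.dport) in ALLOWED_SERVICES else "deny"


def ips(flow: Flow) -> str:
    """Deny what policy knows is malicious, allow all else."""
    if (flow.proto, flow.dport) in BLOCKED_SERVICES:
        return "deny"
    if any(sig.search(flow.payload) for sig in SIGNATURES):
        return "deny"
    return "allow"


def layered(flow: Flow) -> str:
    """Allowlist first, then inspect only what the allowlist admitted."""
    return "deny" if firewall(flow) == "deny" else ips(flow)


def run(policy, flows=SAMPLE, device_up=True, fail_open=False):
    """Apply a policy; if the inline device is down, a bypass switch
    either passes everything (fail open) or drops everything (fail closed)."""
    if not device_up:
        verdict = "allow" if fail_open else "deny"
        return {f: verdict for f in flows}
    return {f: policy(f) for f in flows}


def leaked(results):
    """Destination ports of non-benign flows the policy let through."""
    return sorted(f.dport for f, v in results.items()
                  if v == "allow" and f.label != "benign")


def over_blocked(results):
    """Destination ports of benign flows the policy denied."""
    return sorted(f.dport for f, v in results.items()
                  if v == "deny" and f.label == "benign")


if __name__ == "__main__":
    for name, policy in (("firewall", firewall), ("ips", ips), ("layered", layered)):
        r = run(policy)
        print(f"{name:9} leaked={leaked(r)} over_blocked={over_blocked(r)}")
    # Inline IPS behind a fail-open bypass switch, device down:
    print("bypass    leaked=", leaked(run(ips, device_up=False, fail_open=True)))
```

The firewall model stops the never-seen-before port 4444 service but passes the traversal request because port 80 is authorised; the IPS model catches both signatures but waves the novel port through; only the layered order stops all four bad flows without denying any benign one. With the device down behind a fail-open bypass, every bad flow leaks, which is the trade-off Richard's "better to keep the traffic flowing" remark refers to.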
Current thread:
- Re: Firewalls (was Re: IDS evaluations procedures), (continued)
- Re: Firewalls (was Re: IDS evaluations procedures) Martin Roesch (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Jason (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Stefano Zanero (Jul 27)
- Re: Firewalls (was Re: IDS evaluations procedures) Devdas Bhagat (Jul 25)
- RE: [Bulk] Re: Firewalls (was Re: IDS evaluations procedures) Bill Royds (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Omar Herrera (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Swift, David (Jul 25)
- Re: Firewalls (was Re: IDS evaluations procedures) Fergus Brooks (Jul 26)
- Re: Firewalls (was Re: IDS evaluations procedures) Sanjay Rawat (Jul 26)
- RE: Firewalls (was Re: IDS evaluations procedures) Swift, David (Jul 27)
- RE: Firewalls (was Re: IDS evaluations procedures) Ha, Jason (Jul 27)