IDS mailing list archives

RE: NADS ( was RE: IPS comparison)


From: "Joseph Hamm" <jhamm () lancope com>
Date: Thu, 1 Sep 2005 21:59:59 -0400

> This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any
> serious security infrastructure initiative.
 
I definitely see the value of host-based agents; however, they have their own challenges: cost of deployment on every
host, difficulty managing and updating them, and the introduction of another attack vector (the BlackICE incident). I should have
included this technology though.  Sorry for the omission.

> I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention
> being attributed to IPS these days.

LOL! Oops!  Didn't mean for it to come across that way, I'm just passionate about the technology. No "magic bullet"
here... just a technology that fills a lot of security gaps.

> To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what
> it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with
> covert channels.

This assumes that the only method of detection is variation from a baseline which is only a small part of the system.  
Covert channels are easily detected.  Think about application verification and changes in entropy.

> In any case, my point is that NADS as any other specific security technology is faulty and can be fooled rather
> easily, only a well-thought combination of existing technologies can provide effective security. Such combination
> should be thought of as necessary to complement individual technologies and cover each other's weak spots at an optimum
> cost for a given level of risk that you are willing to accept.
> I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or
> out-of-band if it's not.

Right, all security tools can be fooled given enough determination, time, and money.  I agree that a combination of 
products is ideal.  



Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, 
policy enforcement and insightful network analysis.  Visit www.lancope.com.
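As an added illustration, not code from either poster nor from Lancope or Core, here is a small Python sketch of the three behavioral checks the thread talks about: a payload whose entropy is far higher than the port's usual traffic (the entropy argument for spotting covert channels), port-80 traffic that is not well-formed HTTP, and fan-out scanning on port 445 above a threshold. It also shows Iván's caveat: a quiet scanner under the fan-out cutoff is not flagged. All hosts, flow samples and thresholds are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed flow samples (not from the original thread): (src, dst, dport, payload_sample)
FLOWS = (
    [
        ("10.0.0.5", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        ("10.0.0.5", "93.184.216.34", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS hello on 80, not HTTP
        ("10.0.0.7", "10.0.0.1", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
        ("10.0.0.9", "10.0.0.1", 53, bytes((i * 37 + 11) % 256 for i in range(96))),  # high-entropy blob over DNS
    ]
    + [("10.0.0.9", f"10.0.1.{i}", 445, b"") for i in range(1, 41)]   # aggressive: 40 SMB peers
    + [("10.0.0.11", f"10.0.2.{i}", 445, b"") for i in range(1, 6)]   # quiet: 5 SMB peers, under the cutoff
)

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def entropy_ratio(data: bytes) -> float:
    """Shannon entropy of the sample divided by the maximum possible for its length (0..1)."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))

def looks_like_http(sample: bytes) -> bool:
    """Well-formed request line only; as Ivan notes, that says nothing about whether the request is benign."""
    parts = sample.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")

def analyze(flows, scan_fanout=20, entropy_cutoff=0.9):
    """Return (src, reason) alarms; the fan-out threshold is what a slow scan stays beneath."""
    alarms = []
    smb_peers = defaultdict(set)
    for src, dst, dport, payload in flows:
        if dport == 80 and not looks_like_http(payload):
            alarms.append((src, "non-HTTP payload on tcp/80"))
        if dport == 53 and entropy_ratio(payload) > entropy_cutoff:
            alarms.append((src, "high-entropy payload on udp/53 (possible covert channel)"))
        if dport == 445:
            smb_peers[src].add(dst)
    for src, peers in smb_peers.items():
        if len(peers) >= scan_fanout:
            alarms.append((src, f"tcp/445 fan-out to {len(peers)} hosts"))
    return alarms

if __name__ == "__main__":
    for src, reason in analyze(FLOWS):
        print(src, reason)
```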


-----Original Message-----
From: Iván Arce [mailto:ivan.arce () coresecurity com] 
Sent: Wednesday, August 31, 2005 3:48 PM
To: Focus-Ids Mailing List
Subject: Re: NADS ( was RE: IPS comparison)



Joseph Hamm wrote:
> Hassan,
>
> You make some good points, but I'd like the opportunity to clear up a
> few things about my NADS:


> IMHO comparing pure play behavior detection to IPS is like comparing
> apples and oranges.

Not necessarily. Technology-wise it is indeed, but to the end users (your and other vendors' customers I presume) it
may be quite relevant.
I assume that they want to solve their security problems and they are not necessarily stuck on any given technology for
doing so.


> I couldn't agree more.  I spoke up because Stefano brought up the
> topic of anomaly detection. One thing that does bother me is how IPS
> has been painted as a "magic bullet" by vendors (and even the press).
> IPS works great at the perimeter or other "choke points" in the
> network.  However, in speaking with customers, it is too costly to
> deploy in a scenario that can give you adequate network visibility or
> proper blocking capabilities inside your organization.  It should
> remain a perimeter solution, placed in a strategic location to protect
> key assets (example would be a group of critical servers), or perhaps
> one day merged into your network infrastructure (perhaps the future as
> painted by TippingPoint and 3Com).

This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any
serious security infrastructure initiative.

Regarding deployment of network devices that implement security controls (firewalls, NIDS, NIPS,
content-filters/proxies, etc.) my thinking is that they can't see what a network device can't see: what is going on at
the OS/application level on the servers and workstations.
Hence any security solution based solely on network appliances is partial and incomplete.

> exported from your routers/switches).  You essentially turn all of your
> routers and switches into security probes so you don't have to deploy
> (purchase and maintain) a box everywhere you want coverage.   Many folks

Although this may sound compelling from a budgetary point of view it is also dangerous. That does not mean you should
not do it, only that one should understand the risks of such a strategy, its weaknesses and benefits.

What you are doing, basically, is to turn some asset that was not designed to be a security device into a key component
of your security infrastructure. This is reminiscent of the long gone but never quite dead
VLAN-as-an-effective-security-compartmentalization and NAT-as-an-effective-security-mechanism discussions that are
periodically reborn.

> On the other hand, NADS can have full network visibility, understand
> what is normal activity for hosts, alarm the administrator, and even

That is a far reaching statement that I thought no one would make these days. I guess at this stage the post starts to 
diverge towards a pitch for NADS as the true "magic bullet" that you mention being attributed to IPS these days.

I posit here that a NADS (or NIPS) cannot *understand* what is going on at the host level, what is running or what and
why exactly it is generating the network traffic the NADS picks up. It can observe the network traffic of hosts as if
they were little more than black boxes and apply those observations to a given -predefined- model (in the case of pure
NADS), to a set of predefined triggers (in the case of pure signature-matching NIDS) or a combination of both (likely
most of current commercial solutions).

...
> A great example of this would be saving the administrator the time of
> sorting through 1000 RPC buffer overflow alarms generated by his IDS
> because his servers were not vulnerable and experienced no behavioral
> change after the attack.  However, the administrator would be
> presented the one RPC buffer overflow that correlated to a host that
> went outside

There are other, simpler and cheaper ways to do this that do not imply deploying NADS or NIDS. I will not elaborate on 
them because it would look like an ad for our own stuff :)

> of its normal behavior and started scanning other hosts, connected to
> a remote server on some random port, etc.

In your example this would be true inasmuch as the NADS can actually see the compromised host generating traffic to
other hosts in the internal network and as far as that traffic is significantly different from the "normal" traffic
and/or the NADS perception of what is normal does not change. A large number of attacks (and especially internal
attacks) can be easily obscured to prevent this.

To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what 
it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with 
covert channels.

> considered somewhat like a signature.  For example, I don't have to
> have a baseline of a host to know that aggressive scanning on port 445
> is bad, port 80 traffic that is not valid http is bad, etc.


Yes, but valid http traffic (I assume this to mean "well-formed" as you can't tell what is really valid and what not if
you don't know the application-layer logic that generates the http traffic) is not necessarily good either. What about
non-aggressive scanning of port 445?

In any case, my point is that NADS as any other specific security technology is faulty and can be fooled rather easily,
only a well-thought combination of existing technologies can provide effective security. Such combination should be
thought of as necessary to complement individual technologies and cover each other's weak spots at an optimum cost
for a given level of risk that you are willing to accept.
I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or
out-of-band if it's not.


-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

