IDS mailing list archives
RE: NADS ( was RE: IPS comparison)
From: "Joseph Hamm" <jhamm () lancope com>
Date: Thu, 1 Sep 2005 21:59:59 -0400
> This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any serious security infrastructure initiative.
I definitely see the value of host-based agents; however, they have their own challenges: cost of deployment on every host, difficulty to manage and update, introduction of another attack vector (BlackICE incident). I should have included this technology though. Sorry for the omission.
> I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention being attributed to IPS these days.
LOL! Ooops! Didn't mean for it to come across that way, I'm just passionate about the technology. No "magic bullet" here....just a technology that fills a lot of security gaps.
> To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert channels.
This assumes that the only method of detection is variation from a baseline which is only a small part of the system. Covert channels are easily detected. Think about application verification and changes in entropy.
> In any case, my point is that NADS, as any other specific security technology, is faulty and can be fooled rather easily; only a well-thought combination of existing technologies can provide effective security. Such a combination should be thought of as necessary to complement individual technologies and cover each other's weak spots at an optimum cost for a given level of risk that you are willing to accept. I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or out-of-band if it's not.
Right, all security tools can be fooled given enough determination, time, and money. I agree that a combination of products is ideal.

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227 (cell)
770.225.6509 (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com.

-----Original Message-----
From: Iván Arce [mailto:ivan.arce () coresecurity com]
Sent: Wednesday, August 31, 2005 3:48 PM
To: Focus-Ids Mailing List
Subject: Re: NADS ( was RE: IPS comparison)

Joseph Hamm wrote:
> Hassan,
>
> You make some good points, but I'd like the opportunity to clear up a few things about my NADS:
>
> > IMHO comparing pure play behavior detection to IPS is like comparing apples and oranges.
Not necessarily. Technology-wise it is indeed, but to the end users (your and other vendors' customers, I presume) it may be quite relevant. I assume that they want to solve their security problems and they are not necessarily stuck on any given technology for doing so.
> I couldn't agree more. I spoke up because Stefano brought up the topic of anomaly detection. One thing that does bother me is how IPS has been painted as a "magic bullet" by vendors (and even the press). IPS works great at the perimeter or other "choke points" in the network. However, in speaking with customers, it is too costly to deploy in a scenario that can give you adequate network visibility or proper blocking capabilities inside your organization. It should remain a perimeter solution, placed in a strategic location to protect key assets (an example would be a group of critical servers), or perhaps one day merged into your network infrastructure (perhaps the future as painted by TippingPoint and 3Com).
This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any serious security infrastructure initiative. Regarding deployment of network devices that implement security controls (firewalls, NIDS, NIPS, content filters/proxies, etc.), my thinking is that they can't see what a network device can't see: what is going on at the OS/application level on the servers and workstations. Hence any security solution based solely on network appliances is partial and incomplete.
> exported from your routers/switches). You essentially turn all of your routers and switches into security probes so you don't have to deploy (purchase and maintain) a box everywhere you want coverage. Many folks
Although this may sound compelling from a budgetary point of view it is also dangerous. That does not mean you should not do it, only that one should understand the risks of such a strategy, its weaknesses and benefits. What you are doing, basically, is to turn some asset that was not designed to be a security device into a key component of your security infrastructure. This is reminiscent of the long gone but never quite dead VLAN-as-an-effective-security-compartmentalization and NAT-as-an-effective-security-mechanism discussions that are periodically reborn.
> On the other hand, NADS can have full network visibility, understand what is normal activity for hosts, alarm the administrator, and even
That is a far-reaching statement that I thought no one would make these days. I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention being attributed to IPS these days. I posit here that a NADS (or NIPS) cannot *understand* what is going on at the host level, what is running, or what and why exactly it is generating the network traffic the NADS picks up. It can observe the network traffic of hosts as if they were little more than black boxes and apply those observations to a given -predefined- model (in the case of pure NADS), to a set of predefined triggers (in the case of pure signature-matching NIDS) or a combination of both (likely most of current commercial solutions).
> ... A great example of this would be saving the administrator the time of sorting through 1000 RPC buffer overflow alarms generated by his IDS because his servers were not vulnerable and experienced no behavioral change after the attack. However, the administrator would be presented the one RPC buffer overflow that correlated to a host that went outside
There are other, simpler and cheaper ways to do this that do not imply deploying NADS or NIDS. I will not elaborate on them because it would look like an ad for our own stuff :)
> of its normal behavior and started scanning other hosts, connected to a remote server on some random port, etc.
In your example this would be true in as much as the NADS can actually see the compromised host generating traffic to other hosts in the internal network and as far as that traffic is significantly different from the "normal" traffic and/or the NADS perception of what is normal does not change. A large number of attacks (and especially internal attacks) can be easily obscured to prevent this. To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert channels.
> considered somewhat like a signature. For example, I don't have to have a baseline of a host to know that aggressive scanning on port 445 is bad, port 80 traffic that is not valid http is bad, etc.
Yes, but valid http traffic (I assume this to mean "well-formed" as you can't tell what is really valid and what not if you don't know the application-layer logic that generates the http traffic) is not necessarily good either. What about non-aggressive scanning of port 445?

In any case, my point is that NADS, as any other specific security technology, is faulty and can be fooled rather easily; only a well-thought combination of existing technologies can provide effective security. Such a combination should be thought of as necessary to complement individual technologies and cover each other's weak spots at an optimum cost for a given level of risk that you are willing to accept. I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or out-of-band if it's not.

-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
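The alert-triage idea from Joseph's RPC example (show the analyst only the overflow alarm whose target then scanned other hosts or connected out to a random port) together with the baseline-deviation and "signature-like" port checks debated above, as an added Python example that is not part of the thread and not code from Lancope or Core Security; the flow records, alerts, hosts and per-host baseline are all constructed by hand, and the scan threshold is an assumed value.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). Flows are NetFlow-style tuples
# (timestamp, src, dst, dst_port, bytes); alerts are (timestamp, target, signature).
FLOWS = [
    (100, "10.0.0.5", "10.0.0.20", 445, 900),      # normal file-share use
    (101, "10.0.0.6", "10.0.0.20", 445, 800),
    (102, "10.0.0.7", "10.0.0.40", 80, 1200),
    # after the alerts at t=110, 10.0.0.6 sweeps port 445 across the subnet ...
    (120, "10.0.0.6", "10.0.0.21", 445, 60),
    (121, "10.0.0.6", "10.0.0.22", 445, 60),
    (122, "10.0.0.6", "10.0.0.23", 445, 60),
    (123, "10.0.0.6", "10.0.0.24", 445, 60),
    (124, "10.0.0.6", "10.0.0.25", 445, 60),
    # ... and then connects out to a random high port it has never used
    (130, "10.0.0.6", "198.51.100.9", 31337, 5000),
    (131, "10.0.0.5", "10.0.0.20", 445, 950),      # 10.0.0.5 stays normal
]
ALERTS = [(110, h, "RPC buffer overflow") for h in ("10.0.0.5", "10.0.0.6", "10.0.0.7")]

# Per-host baseline: ports the host normally uses (a real NADS learns this; constructed here).
BASELINE = {"10.0.0.5": {445}, "10.0.0.6": {445}, "10.0.0.7": {80}}
SCAN_THRESHOLD = 5   # assumed: distinct peers on one destination port counts as a sweep


def behavior_changes(flows, baseline, since=0):
    """Map host -> reasons for baselined hosts whose flows at/after `since` deviate:
    a never-seen destination port, or a fan-out to SCAN_THRESHOLD peers on one port."""
    peers = defaultdict(set)            # (src, port) -> distinct destinations
    reasons = defaultdict(set)
    for ts, src, dst, port, _ in flows:
        if ts < since or src not in baseline:
            continue
        if port not in baseline[src]:
            reasons[src].add(f"new_port:{port}")
        peers[(src, port)].add(dst)
        if len(peers[(src, port)]) >= SCAN_THRESHOLD:
            reasons[src].add(f"scan:{port}")
    return dict(reasons)


def correlate(alerts, flows, baseline):
    """Keep only alerts whose target changed behaviour afterwards, so alerts
    against hosts that were not vulnerable drop out of the analyst's queue."""
    kept = []
    for ts, target, sig in alerts:
        own = [f for f in flows if f[1] == target]
        changed = behavior_changes(own, baseline, since=ts)
        if target in changed:
            kept.append((target, sig, sorted(changed[target])))
    return kept
```

Of the three identical alarms, only the one against 10.0.0.6 survives, annotated with the port-445 sweep and the new outbound port that followed it.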
Current thread:
- Re: NADS ( was RE: IPS comparison) Sanjay Rawat (Sep 01)
- <Possible follow-ups>
- RE: NADS ( was RE: IPS comparison) Joseph Hamm (Sep 02)
- Re: NADS ( was RE: IPS comparison) Iván Arce (Sep 02)