IDS mailing list archives

Re: Useful NADS


From: Adam Powers <apowers () lancope com>
Date: Wed, 31 Aug 2005 23:52:47 -0400

Quick observation: Placing detection capabilities aside, one of the core
capabilities a flow-based anomaly detection system provides is network
insight. They tend to specialize in slicing and dicing information about how
hosts are behaving and what they are doing. The ability to see many places
in the network at once (via NetFlow or sFlow) enables a unique observational
quality not found in other security technologies.

The value of the contextual information provided by a NADS has been
overlooked by most everyone participating in this thread. You have to see
it, work with it, and deploy it to truly appreciate the power.

More inline...


On 8/31/05 5:45 PM, "Andrew Plato" <andrew.plato () anitian com> wrote:

Honestly, I have never found "network anomaly detection (NADS)" to be a
tremendously valuable technology for most organizations. It is
definitely not a strong zero-day detector, although with the stars
aligned I am sure it could be.

What NADS technologies have you deployed and when? A statement like this
implies that you've worked with all the NADS technologies available (and
recently at that given the vast improvements made in the last 12 months by
most). If your answer is "I've seen Arbor (or Mazu or whatever) in action"
then my answer is "Arbor and Mazu are no StealthWatch".


If networks were built and managed to exact specifications, I could
understand how network anomaly detection has merit. But in the hundreds
of networks I have seen, very few of them are very clean. Most of them
are filthy with a constant onslaught of "anomalies."

You give the example of a DNS server suddenly firing up and sending out
requests. For every potential bad thing that could indicate, there are
at least as many normal, acceptable and totally legitimate reasons such
an event would happen. Thus when a NADS fires off an alert about this
(or blocks it), there are just as many reasons to ignore it as there are
to pay attention to it. As such, the IT admins are likely going to turn
off that detection as soon as they get a dozen or so false positives.
Whatever benefit that feature had is then irrelevant.

Not sure you read my post carefully. The example describes a scenario in
which the NADS *would not* alarm on the DNS traffic burst.

StealthWatch overcomes the "deluge of events" problem using a series of
indices designed to rate various types of activities based on a point system
that ranges from 0 to unbounded. As "strange" flow behaviors are recognized,
points are added to the various indices.

The NADS administrator is presented with a list of hosts ordered from
greatest to least based on the current value of the index.

Current supported indices include:

Concern Index: Designed to rate attack traffic such as scanning,
fragmentation anomalies, flooding of various types, aborted connections,
etc. The more "bad stuff" seen for a given host the faster and higher the
Concern Index climbs. In the case of the DNS example, the ICMP
PORT_UNREACHABLES would *not* cause Concern Index points to accumulate due
to the fact the StealthWatch engine knows to expect PORT_UNREACHABLES from
clients back to the DNS server.

File Sharing Index: Measures behaviors associated with PTP overlays and
general file sharing among Internet hosts and internal corporate resources.

Target Index: Similar to the Concern Index with the exception that points
are assigned to the victim vs. the attacker. Useful for prioritizing those
hosts that seem to be under attack. Random source IPs performing a DDoS
against a single victim will cause the victim's Target Index to climb.

Application Verification Index: Based on inspection of port number vs. the
actual contents of the payload seen. Running SSH over port 80 will cause
application verification to fail, resulting in an increase in the
Application Verification Index for the host.

An index-based approach allows for prioritization of those behaviors that
are most important to those that are least. The admin doesn't need to turn
off the alarm, just raise or lower the index threshold based on their
organization's tolerance for the behavior observed.


One thing I have learned in my travels installing IPS/IDS for 6+ years
now is that 95% of the admins out there pay very little attention to the
deluge of data that comes from IPS/IDS technologies. It's just too much
data. It's too hard to separate the wheat from the chaff. As such, most
adopt the attitude of "stop bad, allow good, log the rest." And
therefore, tons of "might be" events are just going to get ignored.

This is the focus of an index-based approach to separating "wheat from
chaff". Instead of raising hundreds of micro-events, an index is used to
roll up many correlated anomaly events into a single easy-to-use /
easy-to-diagnose number.


Moreover, baselining these networks is also rarely useful. Baselining
only works if your network actually stays within its baseline fairly
regularly. Of the networks I've seen, most would routinely break their
own baselines. Moreover, it's very easy for "bad stuff" to stay within
the baseline, especially if the baseline has been tweaked and tuned to
the point of irrelevance in order to stop the deluge of events.

Baselining is but one aspect of a flow-based anomaly detection system. Some
areas of a network benefit greatly from baselining, others don't. Can't speak
for the other guys, but StealthWatch doesn't need a baseline to operate.


So, while there may be a place for NADS, it would have to be intermixed
with traditional IPS signature matching to be really effective and
useful. And if the biggest plus of your product is just NADS, then the
IPS is probably just tacked on to be competitive in the market. As such,
organizations would be better off getting a top-of-the-line IPS, not
a NADS that happens to have an IPS thrown in.

IPSs simply can't be deployed everywhere. How many organizations have you
seen in which an IPS is placed at every location in which a Cisco router
exists? NADS deployed with NetFlow gives the IT admin the ability to
virtually inspect traffic at MANY locations throughout the network at once
without the need for expensive inline hardware.

NADS is completely complementary to existing IPS technologies. They operate
in very different ways and solve a different kind of problem.

-AP
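The index-based roll-up described in the reply (points accumulating per host in a Concern Index and a Target Index, hosts ranked by index, and expected behaviour such as port-unreachables returning to a known DNS server earning no points) can be illustrated with a small flow scorer. The following is an added example written for this archive page; it is not StealthWatch or Lancope code. The point weights, thresholds, the `known_servers` whitelist, the `Flow` record layout and all sample traffic are constructed assumptions, chosen only to show how the indices climb and why the DNS scenario stays quiet.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical point weights and thresholds; the real engine's values are not on the page.
POINTS = {"port_scan": 5, "host_scan": 5, "flood": 3, "udp_probe": 1}
SCAN_PORT_THRESHOLD = 10     # distinct dst ports on one host from one source
SCAN_HOST_THRESHOLD = 10     # distinct dst hosts on one port from one source
FLOOD_SOURCE_THRESHOLD = 20  # distinct sources hitting one dst:port


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (a constructed NetFlow-like subset)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # ICMP type 3 = destination unreachable
    icmp_code: int = -1   # ICMP code 3 = port unreachable


class IndexEngine:
    """Accumulates a Concern Index (attacker side) and a Target Index (victim side) per host."""

    def __init__(self, known_servers):
        # host -> service ports it is expected to fan out on (e.g. a DNS server and udp/53)
        self.known_servers = {h: set(p) for h, p in known_servers.items()}
        self.concern = Counter()
        self.target = Counter()
        self._ports = defaultdict(set)    # (src, dst)   -> distinct dst ports seen
        self._hosts = defaultdict(set)    # (src, dport) -> distinct dst hosts seen
        self._sources = defaultdict(set)  # (dst, dport) -> distinct sources seen

    def _expected(self, flow):
        """Fan-out a known server is expected to produce, e.g. a resolver querying peers on 53."""
        return flow.dport in self.known_servers.get(flow.src, set())

    def observe(self, flow):
        if flow.proto == "icmp":
            # Port-unreachables flowing back to a known DNS server are normal (clients
            # answering responses for sockets they already closed): no points at all.
            if (flow.icmp_type, flow.icmp_code) == (3, 3) and flow.dst not in self.known_servers:
                # Any other host collecting unreachables is probing closed UDP ports.
                self.concern[flow.dst] += POINTS["udp_probe"]
            return

        # Port scan: one source touching many ports on one host. Every new port past the
        # threshold adds points, so the index climbs faster the more probing is seen.
        ports = self._ports[(flow.src, flow.dst)]
        if flow.dport not in ports:
            ports.add(flow.dport)
            if len(ports) >= SCAN_PORT_THRESHOLD:
                self.concern[flow.src] += POINTS["port_scan"]
                self.target[flow.dst] += POINTS["port_scan"]

        # Host scan: one source touching the same port on many hosts, unless this is a
        # known server talking to peers on its own service port.
        if not self._expected(flow):
            hosts = self._hosts[(flow.src, flow.dport)]
            if flow.dst not in hosts:
                hosts.add(flow.dst)
                if len(hosts) >= SCAN_HOST_THRESHOLD:
                    self.concern[flow.src] += POINTS["host_scan"]

        # Flood: many distinct sources hitting one dst:port; the victim's Target Index climbs.
        sources = self._sources[(flow.dst, flow.dport)]
        if flow.src not in sources:
            sources.add(flow.src)
            if len(sources) >= FLOOD_SOURCE_THRESHOLD:
                self.target[flow.dst] += POINTS["flood"]

    def ranked(self, index, threshold=0):
        """Hosts ordered highest index first, keeping only those at or above the threshold."""
        return [(h, s) for h, s in index.most_common() if s >= threshold]


def constructed_flows():
    """Constructed sample traffic (not captured data)."""
    flows = []
    # 1. A host port-scanning 192.168.1.10 on ports 1-25.
    flows += [Flow("10.0.0.50", "192.168.1.10", "tcp", 40000 + p, p) for p in range(1, 26)]
    # 2. Thirty random sources hammering 192.168.1.20:80.
    flows += [Flow(f"203.0.113.{i}", "192.168.1.20", "tcp", 50000 + i, 80) for i in range(1, 31)]
    # 3. The DNS server 192.168.1.53 suddenly querying 40 peers on udp/53 and receiving
    #    ICMP port-unreachables back from 40 clients: the scenario that should not alarm.
    flows += [Flow("192.168.1.53", f"198.51.100.{i}", "udp", 53, 53) for i in range(1, 41)]
    flows += [Flow(f"192.168.2.{i}", "192.168.1.53", "icmp", icmp_type=3, icmp_code=3)
              for i in range(1, 41)]
    # 4. A host probing udp/161 on five hosts and collecting unreachables for its trouble.
    flows += [Flow("10.0.0.66", f"192.168.3.{i}", "udp", 1234, 161) for i in range(1, 6)]
    flows += [Flow(f"192.168.3.{i}", "10.0.0.66", "icmp", icmp_type=3, icmp_code=3)
              for i in range(1, 6)]
    return flows


def run_engine(flows=None, known_servers=None):
    """Feed flows through the engine; defaults to the constructed traffic and a known DNS server."""
    engine = IndexEngine(known_servers if known_servers is not None else {"192.168.1.53": {53}})
    for f in (flows if flows is not None else constructed_flows()):
        engine.observe(f)
    return engine


if __name__ == "__main__":
    e = run_engine()
    print("Concern Index:", e.ranked(e.concern, threshold=1))
    print("Target Index: ", e.ranked(e.target, threshold=1))
```

With the DNS server registered as a known server, the scanner tops the Concern Index, the flooded web host and the scanned host top the Target Index, and 192.168.1.53 scores nothing despite 40 outbound queries and 40 unreachables coming back. Running the same traffic with an empty `known_servers` map shows the alternative: the resolver's fan-out and the returning unreachables would put it high on the Concern Index, which is exactly the nuisance alarm the reply says the expectation rule is there to prevent.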

