WebApp Sec mailing list archives

Re: Notes from CISSP class with Dr. Eric Cole


From: Garth Somerville <therealgarth () yahoo com>
Date: Tue, 4 Oct 2005 08:27:51 -0700 (PDT)

--- Saqib Ali <docbook.xml () gmail com> wrote:

.... The notes are available at:
http://www.xml-dev.com/blog/?action=viewtopic&id=150

Hello Saqib:

Thanks for posting your notes, I think they are well
done and quite useful.  However, I would like to
clarify the IDS notes a bit.

Under "IDS Events Defined," you make a great
observation about IDS, but classifying all traffic as
either "Attack Traffic" or "Normal Traffic" can be
misleading as it relates to the next section, "IDS
Methods of Operation."  Not all abnormal traffic
represents an attack, and not all normal traffic
represents authorized activity.  Also, positioning
anomaly detection as being both default deny and more
secure could be misleading.

Detection systems are usually classified as either
anomaly based or policy based.  Anomaly based systems
classify traffic as either being normal or abnormal
and operate on the assumption that what is abnormal is
likely to be malicious or unauthorized.  This is
sometimes true but frequently false.  Since these
systems do not directly test for either authorized or
unauthorized traffic, it is not clear that there is
any advantage to thinking of them in terms of being
default-deny or default-allow models (in any case you
could argue it either way).

On the other hand, policy based systems are either
misuse detection systems (default allow) or
specification based systems (default deny). 
Furthermore, misuse systems can be either state driven
or stateless.  So it is quite possible to have a
"pattern matching" IDS that uses a default deny model
by matching traffic against rules that describe
allowable activity.  This seems to contradict the
classification in your notes.

Anomaly and policy based systems each have advantages
and disadvantages.  A misuse system like snort can
detect known exploits regardless of whether the
traffic would appear normal or abnormal by some
measure; it is likely to generate fewer false
positives, and the alerts generated provide precise
information about what is claimed to have been
detected.

An advantage of anomaly based systems is their
potential to detect 0-day exploits or other
unauthorized activity not previously identified (or
codified) as such, and they do not require constant
updating of signatures or rules.  On the other hand,
they may tend to generate more false positives and
their alerts will generally require deeper
investigation to understand if what has been detected
represents unauthorized or simply unusual activity.

The reason I think this is worth bringing up on this
list is that it is often overlooked that all of these
ideas can be, and have been, applied at both the
application level and the level of authenticated
users.  That is why I emphasize "unauthorized traffic"
over "attack traffic": not all unauthorized
activity consists of exploits of vulnerabilities in
the "hacker" sense, and the same techniques can be
applied to detecting AUP violations, fraud, and misuse
conducted via applications.

Cheers,
-Garth Somerville
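The point above that one pattern-matching engine can run as either misuse detection (default allow) or specification-based detection (default deny), depending only on whether its rules describe disallowed or allowed activity, as an added example that is not part of the original message. The request lines, rule names and paths are constructed for illustration; the engine is applied at the application level, keyed on the authenticated user, as the message suggests.

```python
import re

# Constructed sample of application-level requests: (method, path, authenticated user).
SAMPLE_REQUESTS = [
    ("GET", "/app/login", "alice"),
    ("POST", "/app/login", "alice"),
    ("GET", "/app/report?id=42", "alice"),
    ("GET", "/app/report?id=42' OR 1=1--", "mallory"),  # matches a misuse signature
    ("GET", "/app/admin/export", "bob"),                 # looks normal, but not in the spec
    ("GET", "/app/report?id=7", "bob"),
]

# Misuse rules (hypothetical names): patterns that describe DISALLOWED activity.
MISUSE_RULES = [
    ("sqli-quote-or", None, re.compile(r"'\s*or\s+1=1", re.IGNORECASE)),
    ("path-traversal", None, re.compile(r"\.\./")),
]

# Specification rules (hypothetical names): patterns that describe ALLOWED activity.
ALLOWED_SPEC = [
    ("login-get", "GET", re.compile(r"^/app/login$")),
    ("login-post", "POST", re.compile(r"^/app/login$")),
    ("report-by-id", "GET", re.compile(r"^/app/report\?id=\d+$")),
]


def evaluate(requests, rules, default_allow):
    """Run one pattern-matching engine under either policy.

    default_allow=True : rules describe misuse; a match raises an alert (misuse detection).
    default_allow=False: rules describe allowed activity; a miss raises an alert
                         (specification-based detection, i.e. default deny).
    Returns a list of (user, path, reason) alerts.
    """
    alerts = []
    for method, path, user in requests:
        matched = next((name for name, m, rx in rules
                        if m in (None, method) and rx.search(path)), None)
        if default_allow and matched is not None:
            alerts.append((user, path, matched))
        elif not default_allow and matched is None:
            alerts.append((user, path, "outside-specification"))
    return alerts


def misuse_alerts(requests=SAMPLE_REQUESTS):
    return evaluate(requests, MISUSE_RULES, default_allow=True)


def specification_alerts(requests=SAMPLE_REQUESTS):
    return evaluate(requests, ALLOWED_SPEC, default_allow=False)
```

Note that bob's export request trips only the default-deny policy: it matches no misuse signature, yet it is unauthorized under the specification, which is exactly the "normal but not authorized" case the message describes.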
