Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to choose an IDS/FW MSS provider

from [David W. Goodrum] Network Security [Permanent Link]
Subject: Re: How to choose an IDS/FW MSS provider
Date: Sat, 12 Mar 2005 10:11:44 -0500
But, you're missing the point. What I'm saying is that the two technologies are merging where appropriate, and that it is a GOOD thing, even for large enterprises, not just small ones. The type of inspection that IDS devices do is totally required to STOP malicious traffic. IDS must be inline doing blocking to prevent the things that firewalls can't prevent... even in an enterprise network. Plus, just because your IDS is present in the form of IPS, doesn't mean that it's not still doing auditing also. It's not like it's all or nothing technology... you can pick and choose the types of events you want to prevent, and which ones are just audit, and good reporting let's the admin differentiate.

Plus, we see more and more people looking to deploy firewalls / IPS / Access Control devices internally. The reasons are many fold:

First, people want to be able to create quarantine zones internally (to contain an outbreak of a virus or worm internally). Traditional firewalls alone can't do this... it's got to be something doing Layer 7 inspection with IDS like detection. Traditional IDS can't do this either. Only when you combine the two philosophies can this be accomplished.

Second, people want the type of insight into the internal networks that IDS's have traditionally given them.

Third, the term "Intrusion" in "Intrusion Detection / Prevention Systems" has turned into a misnomer. For years people have looked at their IDS devices and asked it to do more. It's more like Network Security Policy Enforcement now. For example, when NFR first came out with their OS Fingerprinting years ago, we did it so that we could accurately re-assembly fragmented attacks. We did it to do Intrusion Detection better. But, what people really liked about it was that they could use that information to tune better (i.e. don't alert me on Windows attacks against Unix boxes), and later people began to realize that they could use this to detect when people were violating OS policies on their internal network. i.e. "alert me when you see Windows 98 OS's on my internal segments". This wasn't Intrusion Detection, this was OS Policy Enforcement. Then came Application Fingerprinting... originally, it was done to make tuning better (just like OS Fingerprinting in part), i.e. don't alert on IIS attacks against Apache servers. But, now it has turned into, "enforce policy on my network with regard to application servers". If it's just an IDS, it can't actually prevent people from accidentally running IIS/5.1 servers with the default XP install. It has to be inline, preventing to do that kind of policy enforcement. IDS isn't dead, but it isn't simply IDS anymore either.

IDS is a great audit tool, but when you combine that technology with blocking technologies into one device, you get a brand new technology that does more than both put together. Synergy DOES exist when you combine the two, especially when you realize that IDS is no longer just "Intrusion" detection.

-dave

Richard Bejtlich wrote:

On Fri, 11 Mar 2005 10:14:23 -0500, David W. Goodrum <dgoodrum@nfr.com> wrote:


Many IDS vendors are integrating Firewalls into their product, just like
Firewall vendors are trying to catch up on the Layer 7 analysis. Both
types of technologies are coming tgether to some degree. 


I understand that market pressures and misguided research
organizations are forcing access control and audit functions to
converge.  This is a shame.  I wrote an article called "Considering
Convergence?" that recommends keeping access control and audit
separate. [0]

Smaller organizations lacking the resources to implement defense in
depth are better off buying a single "do-it-all" appliance, if the
alternative is implementing little or no security. Larger
organizations with the resources to field multiple technologies,
follow coordinated policies, and train security staff will be more
secure with distinct firewalls and intrusion detection systems.



What I'm getting at is that Defense in Depth still applies, even though
these two technologies seem to be coming together rather quickly.



I agree. Any device making an access control decision is a firewall. This includes router ACLs, layer 3-4 "firewalls," and "IPSs." Responsibility for network audit should remain with the IDS.

Ross Anderson's exceptional book 'Security Engineering' recommends
avoiding "convergence" when he talks about bookkeeping and fraud:

"With functional separation of duties, two or more different staff
members act on a transaction at different points in its path.  The
classic example is corporate purchasing.  A manager makes a purchase
decision and tells the purchasing department; a clerk there writes a
purchase order; the store clerk records the arrival of goods; and
invoice arrives at accounts; the accounts clerk correlates it with the
purchase order and the store receipt, and cuts a check; the accounts
manager signs the check.

The manager now gets a debit on her monthly statement for that
internal account; her boss reviews the accounts to make sure the
division's profit targets are likely to be met; the internal audit
department can descend at any time to audit the division's books; and
when the external auditors come in once a year, they will check the
books of a randomly selected sample of departments." [1]

The current market path is collapsing all of these decisions and
responsibilities into a single point; in business, the result is
massive undetected fraud.  An attack bypassing a "converged appliance"
will be unfiltered, undetected, and destructive.  Incident response
will be the only remaining strategy, and the responders will have
little or no evidence to analyze and act upon.

Sincerely,

Richard

[0] http://www.taosecurity.com/publications.html
[1] 'Security Engineering' by Ross Anderson (New York, NY: Wiley,
2001), p. 190. http://www.cl.cam.ac.uk/users/rja14/



--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to choose an IDS/FW MSS provider, David W. Goodrum
Next by Date:  Re: How to choose an IDS/FW MSS provider, Richard Bejtlich
Previous by Thread:  Re: How to choose an IDS/FW MSS provider, Richard Bejtlich
Next by Thread:  Re: How to choose an IDS/FW MSS provider, Richard Bejtlich
Indexes:  [Date] [Thread] [Top] [All Lists]