
Re: NADS ( was RE: IPS comparison)

Subject: Re: NADS ( was RE: IPS comparison)
Date: Fri, 02 Sep 2005 15:51:31 -0300

Joseph Hamm wrote:
This completely rules out host-based IPS or any other endpoint security 
mechanism, which IMHO is sub-optimal for any
serious security infrastructure initiative.

 
I definitely see the value of host-based agents, however, they have their own 
challenges.  Cost of deployment on every host, difficulty to manage and 
update, introduction of another attack vector (blackice incident).  I should 
have included this technology though.  Sorry for the omission.


I guess at this stage the post starts to diverge towards a pitch for NADS as 
the true "magic bullet" that you mention
being attributed to IPS these days.


LOL! Ooops!  Didn't mean for it to come across that way, I'm just passionate 
about the technology. No "magic bullet" here....just a technology that fills 
a lot of security gaps.


To generalize further I would say that a NADS will not detect any attack that 
does not differ significantly from what it perceives as normal (be it 
learned or predefined behavior) and in particular it will be crippled when 
coping with covert channels.


This assumes that the only method of detection is variation from a baseline 
which is only a small part of the system.  Covert channels are easily 
detected.  Think about application verification and changes in entropy.


Nope, I did not assume that. However, I did assume that any NADS
security product uses a model of reality which is basically an abstract
simplification of things seen in reality in order to make the problem
tractable under certain assumptions. When a given attack goes around
those assumptions and outside the established model, then the technology
that uses it does not prevent or even detect the attack.

Ok, so I thought about application verification and "changes in entropy"
It is not clear to me what you imply with this, entropy as in its most
strict definition in terms of information theory (ie.
http://en.wikipedia.org/wiki/Information_entropy) or something else?

Now think about differential power analysis, electromagnetic emissions,
timing analysis, http request "smuggling", ip_id, tcp_seq_num, RPC XID,
and/or DNS query/answer id "modulation", data encryption and
compression, network protocol "idle" or seemingly "idempotent" packets
and transactions, image file formats, application-layer protocol
definition inconsistencies,  etc. (the list can go on-and-on forever)

So (to me) a good analysis would be not only to understand the things
that NADS technology CAN do best but also those that it CAN NOT do and
those that it CAN DO in a sub-optimal manner.

I understand your enthusiasm and I do think NADS technology can be
effective today and that it has a promising future but I doubt it will
ever achieve "completeness" in terms of attack vector coverage.

Whether it is complete *enough* today is a judgement call.

-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
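The "changes in entropy" check Joseph mentions, and the model-limit point Ivan makes in reply, can both be shown with a small script. The following is an added example, not code from the thread or from any NADS product: it learns the typical per-window Shannon entropy of one header field (a 16-bit IP ID is assumed), flags windows that deviate, and then runs three constructed streams through it. The window size, tolerance and all sample streams are assumptions made for the illustration.

```python
# Added example (not from the list posting or any product): a first-order
# entropy check over windows of a header field, showing what it catches and
# the blind spot Ivan describes. All sample streams below are constructed.
import math
import random
from collections import Counter
from typing import Dict, Iterable, List

WINDOW = 64        # packets per window (assumption)
TOLERANCE = 0.5    # bits of deviation from the learned mean that alerts (assumption)


def shannon_entropy(values: Iterable[int]) -> float:
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    vals = list(values)
    if not vals:
        return 0.0
    n = len(vals)
    return -sum((c / n) * math.log2(c / n) for c in Counter(vals).values())


def window_entropies(stream: List[int], window: int = WINDOW) -> List[float]:
    """Entropy of each full, non-overlapping window of the stream."""
    return [shannon_entropy(stream[i:i + window])
            for i in range(0, len(stream) - window + 1, window)]


class EntropyBaseline:
    """Learns the typical per-window entropy of one field (e.g. IP ID) and
    flags windows whose entropy deviates from it by more than `tolerance`.
    It models only the first-order value distribution, nothing about ordering."""

    def __init__(self, window: int = WINDOW, tolerance: float = TOLERANCE):
        self.window = window
        self.tolerance = tolerance
        self.mean = 0.0

    def learn(self, stream: List[int]) -> float:
        ents = window_entropies(stream, self.window)
        self.mean = sum(ents) / len(ents)
        return self.mean

    def check(self, stream: List[int]) -> List[Dict[str, float]]:
        """One record per window: its entropy and whether it deviates too far."""
        return [{"window": i, "entropy": round(e, 3),
                 "flagged": abs(e - self.mean) > self.tolerance}
                for i, e in enumerate(window_entropies(stream, self.window))]


# --- constructed sample streams -------------------------------------------

def random_ids(seed: int, n: int = 512) -> List[int]:
    """Stand-in for a host that picks 16-bit IP IDs uniformly at random."""
    rng = random.Random(seed)
    return [rng.randrange(1 << 16) for _ in range(n)]


def repeating_ids(n: int = 512) -> List[int]:
    """Degenerate stream cycling through four values: far below baseline entropy."""
    return [0x1234 + (i % 4) for i in range(n)]


def lcg_ids(n: int = 512, seed: int = 1) -> List[int]:
    """Fully predictable 16-bit LCG (full period, so no repeats inside a window).
    Its per-window entropy equals that of random IDs, so the first-order model
    cannot tell it apart even though every value follows from the previous one."""
    x, out = seed, []
    for _ in range(n):
        x = (69069 * x + 1) & 0xFFFF
        out.append(x)
    return out


def demo() -> Dict[str, bool]:
    """Returns, per constructed stream, whether at least one window alerted."""
    model = EntropyBaseline()
    model.learn(random_ids(seed=2005))
    return {name: any(w["flagged"] for w in model.check(stream))
            for name, stream in [("normal", random_ids(seed=7)),
                                 ("repeating", repeating_ids()),
                                 ("predictable_lcg", lcg_ids())]}


if __name__ == "__main__":
    for name, alerted in demo().items():
        print(f"{name:16s} alert={alerted}")
```

The repeating stream is caught because its distribution collapses to four values; the LCG stream is not, because the detector's model of "normal" is only the value histogram, and a sequence that is entirely determined by its predecessor still fills that histogram uniformly. That is the gap Ivan points at: whatever the model abstracts away (here, ordering) is exactly what the check cannot see, and closing it means adding a second model rather than tuning the tolerance of this one.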


