Hosting Provided By

AW: Changes in IDS Companies?

From: <detmar.liesen(at)lds.nrw.de>
Date: Tue Nov 12 2002 - 02:40:41 EST

Hi folks,
I am watching this thread for quite a while now and I think it's time for me to throw in my 0.02$.

First off let me explain my understanding of terminology: -An Inline-IDS or Gateway IDS does not have to be a Network Intrusion Protection System.
The difference between a NIDS and a GIDS is just that the latter is placed inline instead of attached
to a SPAN port or tap.
-A Network Intrusion Protection System blocks or resets "bad" connections and hacking attempts.
So a NIPS does not have to be an Inline-device automatically.

I guess we all agree so far :)

As a rule of thumb I would never use countermeasures by transmitting packets on the wire, which would be the case if I used TCP-reset with NIDS. Remember: Every bit of information you give to a hacker could help him to evade your security-systems.
Dropping packets silently by using a GIDS is far better.

Now the false-positive issue:
I had various discussions about that issue with many people. The main concern was that a NIPS/GIDS often sits in a place where many heterogeneous networks are connected to a single line (e.g. the internet-link) and thus it is very difficult to properly tune those systems.

I don't have enough practical experience to tell if the following idea is good, but I suggest using a GIDS as a protecting device with just the most important signatures that are knownt to reliably detect/block those attacks we fear most:

-worms

-trojans/backdoors -well-known exploits
For all the other stuff that is apt to produce false positives i suggest using a passive network ids (NIDS)

Additionally, NIPS vendors should always maintain a list of those most common and most dangerous attacks that also gives information about known false-positives for these signatures.

Cheers,
Detmar

Do you need help?

-----Ursprüngliche Nachricht-----
Von: Andrew Plato [mailto:aplato@anitian.com] Gesendet: Samstag, 9. November 2002 04:40 An: focus-ids@securityfocus.com
Betreff: Re: Changes in IDS Companies?

Toby Kohlenberg wrote

> Very simply, when you are talking about controlling

Yes in theory, not so in practice. First off, most IPS, NIPS, GIDS...whatever you want to call them...shouldn't be tuned to the point where they are mass blocking anything that is a "maybe" to the engine. I see a NIPS as essentially a "smarter firewall." It isn't going to filter out every conceivable attack, just the ones that can be identified with a great deal of accuracy.

In that sense, the blocking ratio should be reasonably reliable. However, in theory I think you're right. There is a danger with these devices making "bad decisions" about traffic and blocking acceptable stuff.

> This means you need a standard IDS sitting behind it/next

This is still true. A conventional NIDS and HIDS always have value because they are "data collectors." A good IDS does more than just shoot off alerts, but can feed you data to start making your own decisions. In the same way that a NIDS can give you the heads up that maybe you need to make a change to a conventional firewall, a NIDS could do the same for a NIPS or HIPS solution.

> So, I'd guess the first question I'd ask anyone

Do you need more help?

This question really depends on where you put a NIPS. This is why I am still hesitant to suggest people put these in front of an entire network. A segment or single system is one thing. A whole network is a different thing.

However, like all systems, properly tuned, they can offer a lot of protection capability.

I suspect one of the problems with NIPS is that they will get confused with firewalls. Firewalls are, for most places I visit, set & forget devices. Organizations plug them in, configure them, and then never look at them again. A NIPS is more like an IDS. And you can't leave an IDS alone. It needs love and attention. The same is true of a NIPS. You can't just let it whirr. Somebody has to be paying attention to what it is doing. And when stuff gets blocked that should go through, the system needs to be tuned.

>As I think about it, this discussion really has a

> That means no statements like "We use a cutting edge

Vendors are always hesitant to make these claims, because the instant they make them, somebody comes out with Ingredient X Hacking Tool which, fairly or not, can ruin the entire credibility of the product. Never mind that the Hacking Tool only operates in the 4th dimension running off a antimatter engine, if a link to the source code hits slashdot, the company's reputation tanks.

Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile

www.anitian.com

Received on Tue Nov 12 17:07:21 2002

This message: [ Message body ]
Next message: Dominique Brezinski: "Re: Changes in IDS Companies?"
Previous message: charles lindsay: "Re: Capturing NID traffic with CISCO"
In reply to Andrew Plato: "Re: Changes in IDS Companies?"
Next in thread: Dominique Brezinski: "Re: Changes in IDS Companies?"
Reply: Dominique Brezinski: "Re: Changes in IDS Companies?"
Reply: detmar.liesen(at)lds.nrw.de: "AW: Changes in IDS Companies?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT