Re: IDS is dead, etc
From: Barry Fitzgerald <bkfsec(at)sdf.lonestar.org>
Date: Fri Aug 08 2003 - 13:18:12 EDT

Likewise Bob, it truly is an interesting branched discussion and I think that we're heading in the direction that this discussion should really go in. If it's Gartner's contention that firewalls will obsolete IDS', then how can this happen? Well, the answer is: only in an ideal world. And as we all know, utopias are works of fiction unless they exist in environments of strict control - in which case, an ideal world ceases to be utopian for everyone and becomes simply the utilitarian dream of a singular entity. Since we all interact on a peer basis on the internet, such measures of strict control would ultimately be problematic, and hence the ideal world is unlikely ever to be.

Let me say this: in defense of Todd's now clarified point - there is some value in discussing ideal situations. (People who know me know that I am a master in such acts of mental <insert questionable verbiage here>... heh) How can this be? Well, perhaps there are better ways to shape traffic or to do low-level protocol analysis (deep packet inspection, protocol anomaly detection and whatnot) that can assist in reducing *SOME* of the known vulnerabilities. There's nothing earth-shattering in this. Protocol anomaly detection is really nothing new, it's actually the same thing as validating I/O before it's processed - only it's applied to a network (Don't take this statement too seriously, it's a loose comparison to the basic idea) setting. And certainly one of the hallmark arguments for Free Software/Open Source Software is that it allows you a finer degree of control over your environment. So, the question, in my mind - while we're discussing ideal situations and using firewalls to control your environment such that exploitation becomes most difficult - is what opportunities are manifested to do this kind of I/O validation and shaping on both the side of entering the network and also verification on the service/daemon end.
The firewall scenario really only works if it's correlated with what the daemon is tested to expect, again - in an ideal world. You have to know what kind of data you want to expect before you can filter all other data out - and be able to enforce that and still be functional. Of course, the real clincher in this argument is that the firewall becomes a form of stateful in-line IDS since it's pattern matching for validation in the first place. Hence we've never really moved beyond IDS, we've simply changed which box it's running on and changed the intent of its operation. The technology is still very much the same even in this ideal situation, and must still be deployed. You're still inspecting packets looking for known payloads (for lack of a better term). So, ultimately, discussions of the ideal will help advance IDS and firewall technology so that we can better determine what kind of traffic we're going to see in the future. But, perhaps more important, there may actually be situations where these types of ideal networks can be built (I'm thinking of things like ATM networks and systems that should ALWAYS take the same kinds of traffic in the same format), and for these types of networks - we absolutely should think about this - it advances the security of at least that part of the infrastructure. Thanks for reading this far if you have. All comments, as usual, are welcome.
-Barry
Bob Buel wrote: Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
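As an added illustration of the post's point that protocol anomaly detection is input validation applied to the network, and that an in-line filter only works when it is correlated with what the daemon expects (example code, not from the post or the list): one message spec is validated both in-line and at the service. The line protocol, SPEC and sample traffic are constructed for the example.

```python
import re

# Constructed line protocol (not a real one): "VERB /path KEY=VALUE ...\n",
# ASCII only, bounded sizes. The in-line filter and the daemon share this one
# SPEC, which is the correlation the post says the firewall scenario needs.
SPEC = {
    "verbs": {"GET", "PUT", "DEL"},
    "max_line": 256,
    "max_fields": 8,
    "path": re.compile(r"^/[A-Za-z0-9_./-]{0,64}$"),
    "field": re.compile(r"^[A-Z]{1,16}=[A-Za-z0-9_.-]{0,32}$"),
}

def validate(raw: bytes, spec=SPEC):
    """Input validation: accept only what the daemon is known to expect.
    Returns (True, "") or (False, reason)."""
    if len(raw) > spec["max_line"]:
        return False, "oversized"
    if not raw.endswith(b"\n") or raw.count(b"\n") != 1:
        return False, "framing"
    if not raw.isascii():
        return False, "non-ascii"
    line = raw[:-1].decode("ascii")
    if any(ord(c) < 0x20 for c in line):
        return False, "control-char"
    parts = line.split(" ")
    if len(parts) < 2 or parts[0] not in spec["verbs"]:
        return False, "verb"
    if not spec["path"].match(parts[1]):
        return False, "path"
    if len(parts) - 2 > spec["max_fields"]:
        return False, "too-many-fields"
    if not all(spec["field"].match(f) for f in parts[2:]):
        return False, "field"
    return True, ""

def filter_stream(messages, spec=SPEC):
    """The same validation placed in-line: forward conformers, record the rest.
    Returns (passed, dropped), each a list of (message, reason)."""
    passed, dropped = [], []
    for m in messages:
        ok, why = validate(m, spec)
        (passed if ok else dropped).append((m, why))
    return passed, dropped

# Constructed sample traffic; the last five messages are protocol anomalies.
SAMPLE = [
    b"GET /index.html\n", b"PUT /data/1 SIZE=12 TYPE=text\n", b"GET /a X=1 Y=2\n",
    b"EXEC /tmp/x\n", b"GET /a", b"GET /" + b"A" * 300 + b"\n", b"GET /a\x00b\n", b"GET /a x=1\n",
]
```

Because both sides call the same `validate` with the same `spec`, tightening the spec (for example a smaller `max_line`) changes what the filter forwards and what the daemon accepts in lockstep.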
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT