
Re: IDS is dead, etc

From: Bennett Todd <bet(at)rahul.net>
Date: Fri Aug 08 2003 - 15:18:15 EDT

2003-08-08T14:15:25 Scott Wimer:
> Here's the quote about perfectly implemented firewalls that I think is
> germane. Hopefully I'm not taking it out of context:

Yes, it is, and no, you didn't.

I really ought to retire from this, every time I try and clarify I spew out more ambiguities, which you rightly pounce on. Not just ambiguities, even; your interpretation of my words is the most reasonable. I'm not expressing my intent well.

Yup. All code must be assumed to be vulnerable. What I should have written, to express what I was thinking, was instead something more along the lines of

        "A perfectly implemented firewall allows no protocols
        through for which there are horribly broken implementations
        in use inside."

Yup, all code must be assumed to be vulnerable, but if you're going to use the internet, you've gotta let some code interact with it. You can greatly improve your life if the code you use seems to be well-designed and responsibly implemented, if it's got a good security track record --- few or no reported security bugs.

Won't be perfect, but combined with very aggressive patch mgmt to let you deploy a security fix quickly and cheaply, and active monitoring of security lists, it can be good --- and at that point, IDS is no longer playing the role of telling you about successful attacks, which was where I was really trying to go with this thread.


> I may very well be putting words in your mouth (for which I
> apologize) when I write about the silliness of expecting that
> any protocol will be implemented vulnerability free -- on any
> platform.

Nope, you're responding reasonably to the words I wrote, drat it. I keep eating 'em. I'm getting stuffed!

> After a brief review of Mazu's Profiler and Enforcer docs, I'm
> curious how it handles attacks that come in via encrypted means.

Mazu doesn't look into content at all (or at least, they didn't last time I looked closely into their product; there was discussion of some additions in that direction, possibly, in the future). They provide a really important new and exciting analysis of <srcip, dstip, proto, dstport, timestamp> tuples, over time.

An attack that Mazu could detect would be something like a worm that provokes anomalous network traffic patterns --- machines that didn't use to talk to each other, begin to; volumes change radically; etc.

> From what I've seen, to detect and respond to all categories
> of exploits in a timely manner requires some sort of defense
> mechanism implemented at the host.

Sounds right to me. IDS marketers claiming their products detect all categories of exploits aren't being truthful. That said, good IDSes are awfully helpful; they don't see everything, but they see a lot of stuff that's good to know about.

-Bennett
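The traffic-pattern analysis Bennett describes for Mazu (pairs of machines that never used to talk, volumes that change radically) is illustrated below by an added example that is not Mazu's code and not from anyone in this thread: a small baseline-and-anomaly check over constructed <srcip, dstip, proto, dstport, timestamp> flow tuples. The one-hour window, the 3-sigma threshold, the minimum flow count and the sample addresses are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Flows are the post's tuples (srcip, dstip, proto, dstport, timestamp); window and thresholds are assumptions.
WINDOW = 3600

def build_baseline(flows):
    """Per (src, dst, proto, port) tuple: typical flows per hour as (mean, stddev)."""
    per_window = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, ts in flows:
        per_window[(src, dst, proto, port)][ts // WINDOW] += 1
    windows = sorted({f[4] // WINDOW for f in flows})
    # Hours a pair was silent count as zero, so rarely-seen pairs get a low mean.
    series = {k: [c.get(w, 0) for w in windows] for k, c in per_window.items()}
    return {k: (mean(s), pstdev(s)) for k, s in series.items()}

def detect_window(baseline, flows, sigma=3.0, min_flows=5):
    """Flag tuples absent from the baseline (hosts that didn't use to talk) and
    known tuples whose count in this window jumps far above their normal rate."""
    counts = defaultdict(int)
    for src, dst, proto, port, _ in flows:
        counts[(src, dst, proto, port)] += 1
    alerts = []
    for key, n in counts.items():
        if key not in baseline:
            alerts.append(("new-peer", key, n))
            continue
        mu, sd = baseline[key]
        if n >= min_flows and n > mu + sigma * max(sd, 1.0):
            alerts.append(("volume-spike", key, n))
    return sorted(alerts)

def constructed_baseline():
    """Constructed sample: 24 quiet hours from a web client and a file-share client."""
    flows = []
    for hour in range(24):
        base = hour * WINDOW
        flows += [("10.0.0.5", "10.0.1.20", "tcp", 443, base + i * 600) for i in range(3)]
        flows += [("10.0.0.7", "10.0.1.21", "tcp", 445, base + i * 900) for i in range(2)]
    return flows

def constructed_observation():
    """Constructed hour: 10.0.0.7 hammers its file server and contacts a host it never did before."""
    base = 24 * WINDOW
    flows = [("10.0.0.5", "10.0.1.20", "tcp", 443, base + i * 600) for i in range(4)]
    flows += [("10.0.0.7", "10.0.1.21", "tcp", 445, base + i * 60) for i in range(40)]
    flows += [("10.0.0.7", "10.0.1.22", "tcp", 445, base + i * 60) for i in range(6)]
    return flows

def run_example():
    return detect_window(build_baseline(constructed_baseline()), constructed_observation())
```

Nothing here inspects payloads, which is the point of the thread: an encrypted worm still shows up as a new peer or a volume spike, while a single quiet exploit over an already-normal pair does not.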


Received on Mon Aug 11 10:48:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT
