Alarming (was protocol analysis)

From: John S Flowers (jflowers@well.com)
Date: 03/07/02


Date: Wed, 6 Mar 2002 16:22:19 -0800
To: Robert Goldman <robertgoldman2000@yahoo.com>
From: John S Flowers <jflowers@well.com>

Robert,

This is a very good point and perhaps makes the argument for having
multiple intrusion detection systems in your network. I know that, if I
were worried about my corporate policy being violated, I would not rely on
only one type of alarm.

I would put every possible different kind of alarm into my network
environment and start comparing notes with them. Otherwise, as you so
eloquently state, "The basic simple fact is that there isn't a single
detection mechanism that can detect all attacks."

This is the same reason why most institutions with something of value
place a number of different alarm systems within their infrastructure:
they put security tape on the windows, lasers in the hall, motion sensors
in the room, pressure sensors on the floor & under the items of value,
alarms on the door and a security camera around the valuable. If one alarm
succeeds or fails, they have corroborating evidence from all their systems
to place some kind of value on the information they've obtained.

Frankly, I'm surprised we don't hear this argument more frequently.

On Wednesday, March 6, 2002, at 02:31 PM, Robert Goldman wrote:

>
> In-Reply-To: <Pine.LNX.4.43.0203050946080.5547-100000@mail.securityfocus.com>
>
> In my opinion, there isn't such a thing as the "best"
> detection mechanism. The basic simple fact is that
> there isn't a single detection mechanism that can
> detect all attacks.
>
> For example, DNS cache poisoning can only be
> detected using protocol analysis (a superset of
> protocol anomaly detection). There is no signature
> that can pick it up for the simple reason that detecting
> DNS cache poisoning involves comparing DNS
> requests and replies which signatures cannot do.
> Other attacks such as Telnet root login, wiz and "i
> love you" (pardon for the kind of examples I have
> chosen) can only be detected with a signature as
> there is no anomaly in Telnet root login :-)
> Furthermore, other attacks such as port scans and
> tunneling of one protocol over another each require
> their own detection mechanism.
>
> I personally view signature-based detection as being
> able to detect "script kiddies" and other "amateur
> attackers". Smart and semi-smart attackers
> download exploits from securityfocus and slightly
> modify them so none of the signature-based
> products will alert (this, of course, can have its own
> discussion thread - can signature-based products
> even detect anything but script kiddies?). Protocol
> anomaly detection detects "smarter" attackers as
> well as previously unknown attacks (but fails to detect
> specific exploits). Other detection mechanisms are
> more specific and can detect a small number of
> specific attacks.
>
> As for the debate regarding "what is a protocol
> anomaly", in my opinion there isn't a simple answer
> here. RFCs are a good start, but thanks to
> companies like Microsoft it is important to support
> what's in the "real world". Also, detecting things such
> as DNS cache poisoning does not come from RFC
> enforcement but rather requires the developer of the
> IDS product to figure out what bugs a DNS server
> developer (in the DNS case) has in their code (is
> that even possible?)
>
> I am still waiting for a good product which may
> provide multiple detection mechanisms and let me
> choose which one to use.
>
> -- rob
>
>
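Editor's added example, not part of either message above: Robert's point is that a forged DNS reply cannot be caught by a per-packet signature because the forgery is only visible when the reply is compared with the request it claims to answer. The script below shows what that stateful comparison looks like. It builds a handful of DNS packets itself (constructed test data, not captured traffic), remembers each outstanding query by client, server and transaction ID, and rejects a reply whose transaction ID has no outstanding query or whose question section does not match the query. A run of rejected replies for the same name is then reported as a probable poisoning attempt. The resolver and authoritative addresses, the burst threshold of 3 and the alert wording are all assumptions chosen for the illustration.

```python
"""Stateful DNS query/reply correlation: the kind of check a signature
engine cannot express because it needs state across two packets.
All packets here are constructed inline (not captured traffic)."""
import struct
from collections import Counter


def build_name(name):
    """Encode "www.example.com" as DNS labels, terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_dns(txid, is_response, qname, qtype=1, answers=()):
    """Minimal DNS message builder for the constructed trace (A records only)."""
    flags = 0x8180 if is_response else 0x0100          # QR bit marks a reply
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = build_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for ip in answers:
        rrs += build_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    return hdr + question + rrs


def parse_name(buf, off):
    """Decode a DNS name at buf[off]; follows RFC 1035 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(buf, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_dns(buf):
    """Return txid, QR flag, the first question and any A-record answers."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    qname, off = parse_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _, off = parse_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


class DnsCorrelator:
    """Remembers outstanding queries and checks every reply against them."""

    def __init__(self, burst_threshold=3):          # threshold is an assumption
        self.pending = {}        # (client, server, txid) -> (qname, qtype)
        self.rejected = Counter()  # (client, qname) -> rejected-reply count
        self.alerts = []
        self.burst_threshold = burst_threshold

    def observe(self, src, dst, payload):
        msg = parse_dns(payload)
        if not msg["response"]:
            self.pending[(src, dst, msg["txid"])] = (msg["qname"], msg["qtype"])
            return None
        key = (dst, src, msg["txid"])                # reply flows server -> client
        expected = self.pending.get(key)
        if expected is None:
            reason = "reply with no outstanding query (txid/source mismatch)"
        elif expected != (msg["qname"], msg["qtype"]):
            reason = "reply question does not match the query it claims to answer"
        else:
            del self.pending[key]                    # legitimate exchange closed
            return None
        alert = {"reason": reason, "from": src, "to": dst, "txid": msg["txid"],
                 "qname": msg["qname"], "answers": msg["answers"]}
        self.alerts.append(alert)
        self.rejected[(dst, msg["qname"])] += 1
        if self.rejected[(dst, msg["qname"])] == self.burst_threshold:
            self.alerts.append({"reason": "burst of rejected replies: possible "
                                          "cache-poisoning attempt",
                                "to": dst, "qname": msg["qname"]})
        return alert


def run_demo():
    """Constructed trace: one legitimate exchange interleaved with guessed-txid
    forgeries that spoof the authoritative server's address."""
    resolver, auth = "10.0.0.53", "192.0.2.1"       # assumed addresses
    trace = [
        (resolver, auth, build_dns(0x1A2B, False, "www.example.com")),
        (auth, resolver, build_dns(0x0001, True, "www.example.com", answers=["203.0.113.66"])),
        (auth, resolver, build_dns(0x0002, True, "www.example.com", answers=["203.0.113.66"])),
        (auth, resolver, build_dns(0x0003, True, "www.example.com", answers=["203.0.113.66"])),
        (auth, resolver, build_dns(0x1A2B, True, "www.example.com", answers=["93.184.216.34"])),
        (resolver, auth, build_dns(0x2C3D, False, "mail.example.com")),
        (auth, resolver, build_dns(0x2C3D, True, "www.example.com", answers=["203.0.113.66"])),
    ]
    c = DnsCorrelator()
    for src, dst, pkt in trace:
        c.observe(src, dst, pkt)
    return c.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The legitimate reply with transaction ID 0x1A2B passes silently; the three guessed IDs and the reply whose question section names the wrong host are each rejected, and the third rejection for www.example.com raises the burst alert. Note that the check keys on source address as well as transaction ID, so a reply that spoofs the server's address still has to guess the ID, which is exactly the comparison a single-packet signature cannot make.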


