RE: Okena StormWatch

From: kaleal (kaleal@hawaii.rr.com)
Date: 08/01/02


From: "kaleal" <kaleal@hawaii.rr.com>
To: "'Shripal Meghani'" <meghani@nsecure.net>, <focus-ids@securityfocus.com>
Date: Thu, 1 Aug 2002 07:25:25 -1000

Comments Inline:

-----Original Message-----
From: Shripal Meghani [mailto:meghani@nsecure.net]
Sent: Thursday, August 01, 2002 4:09 AM
To: focus-ids@securityfocus.com
Subject: RE: Okena StormWatch

[Disclaimer#1] Opinions are my own, my company has nothing to do with
it. [Disclaimer#2] Opinions are not intended to criticize any _PRODUCTS_
but merely to discuss technical issues

| Now
| it might be argued that this is a good thing. but in practicality it
| creates very real nightmares in regards to system patching and
| upgrading.
|
| For example. there is a Microsoft hotfix out that deals with Commerce
| server..if this patch were installed on a particular HIDS product..the
| whole server blue screens repeatedly until the agent is stopped. This
| is an example of the Q&A required for a call interception technology
| vs. a log troller. The smallest change to the system can make
| everything completely unstable.

This is precisely what one should be very afraid of. However, it would
be definitely advisable to deploy such call interception technologies on
what are known as "Production Environments", where the software running
on the servers is seldom changed. The tech should be a definite no-no
for "development environments" or where there are a lot of variations in
the software running on servers. Were there any performance-related
problems?? Most people seem to think that such technologies have a very
adverse effect on the performance of the system, but I don't think it
affects a system to a great degree. "Call Interception" in itself is not
a "heavy" technology (at the most it will create a tiny delay), but the
infrastructure that is often built around it is the bottleneck.

** Although I totally agree on a developmental environment
deployment..most companies do not have the capital to invest in a test
network in addition to a production one..in today's environment..it's
hard enough to get the capex to purchase production equipment. As to
patching servers..it has been a hard road to get people to think about
patching systems on a regular basis..what this technology does is try to
get you to *not* patch right away; and that will take some relearning on
the part of the sysadmins..

** As for performance..do you mean performance problems on the Commerce
server? Herein lies the problem..if the patch fixes a performance-related
problem vs. a standard buffer overflow or other exploit..it is
harder to convince the user to not upgrade while a QA cycle runs. If
you were speaking about the performance of the HIDS agent itself..well
that depends on the vendor..I have seen anywhere from 2%-5% all the way
to 20% during event generation..

Another question that pops up is that of platforms. Most of the "call
interception" routines are implemented as drivers (either statically
loadable or dynamically loadable) or implemented directly into the
kernel. So, my guess is, that the stability will depend on the platform's
support for intermediary drivers (if it is available) and such related
stuff. Direct implementations in the kernel are a definite no-no, as the
risk would be quite high.

The real technology development would be on the analysis and correlation
of the trails generated by these hooks. One approach would be to simply
allow or disallow each call based on a policy definition. Anything that's
not on the policy should be suspicious. The other would be to observe
the total trail in its totality, wherein not one, but a sequence of
calls is treated as suspicious.

** Well..event correlation has been a desirable in many IDS products for
a long time..and it still isn't there yet. I haven't really seen any
*outstanding* correlation engines for any product..Socrates from
Counterpane tries..as does Addamark et al..Okena does some rudimentary
correlation based on what it has seen..i.e.: I have seen this same
behaviour on 3 different machines..you better take a harder look. I
don't know of any other products which attempt correlation.

All said and done, this technology definitely holds the key to the
future advancement in the field of security. A lot of research is
(hopefully) being done in this area, and (even more hopefully)
commercial deployments.

** I totally agree with you..but until market demand for the technology
begins to emerge..it is harder to try and get management to approve such
a double-edged sword technology..especially when it can mean downtime
because your sysadmin is being diligent about patching the servers..
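The thread contrasts two ways of analysing an intercepted call trail (a per-call policy versus looking at a sequence of calls) and mentions correlating the same behaviour across several machines. The following is an added illustration written for this archive page, not code from Okena StormWatch or any product named above. The trail format, the per-process allowlist, the 3-gram baseline and the "seen on 3 hosts" threshold are all constructed assumptions; the sequence method is the well-known "known n-grams of system calls" anomaly approach rather than any vendor's engine.

```python
"""Toy analysis of a host call-interception trail, showing the two
detection styles discussed in the thread plus cross-host correlation.
Added example with constructed data; not StormWatch or any vendor code."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One intercepted call: (host, process, call).  All sample data is constructed.
Event = Tuple[str, str, str]
Gram = Tuple[str, ...]

# Approach 1: per-process allowlist (assumed policy).  A call outside the
# policy is suspicious; a process with no policy entry gets an empty allowlist.
POLICY: Dict[str, Set[str]] = {
    "httpd": {"socket", "accept", "open", "read", "write", "close"},
    "sshd":  {"socket", "accept", "open", "read", "write", "close", "fork", "execve"},
}

def policy_violations(trail: List[Event]) -> List[Event]:
    """Every event whose call is not allowed for its process."""
    return [ev for ev in trail if ev[2] not in POLICY.get(ev[1], set())]

# Approach 2: judge the sequence, not the single call.  Learn which n-grams of
# calls a process produces during a known-good run; later, flag any n-gram
# never seen in that baseline.
def ngrams(calls: List[str], n: int) -> Set[Gram]:
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}

def build_baseline(trail: List[Event], n: int = 3) -> Dict[str, Set[Gram]]:
    """Per-process set of call n-grams observed in a training trail."""
    per_proc: Dict[str, List[str]] = defaultdict(list)
    for _host, proc, call in trail:
        per_proc[proc].append(call)
    return {proc: ngrams(calls, n) for proc, calls in per_proc.items()}

def sequence_anomalies(trail: List[Event], baseline: Dict[str, Set[Gram]],
                       n: int = 3) -> List[Tuple[str, str, Gram]]:
    """(host, process, n-gram) for every n-gram absent from the baseline.
    Calls are grouped per (host, process) so hosts do not bleed together."""
    streams: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, proc, call in trail:
        streams[(host, proc)].append(call)
    hits = []
    for (host, proc), calls in streams.items():
        known = baseline.get(proc, set())
        hits.extend((host, proc, g) for g in ngrams(calls, n) if g not in known)
    return hits

# Correlation: the same (process, n-gram) anomaly on several machines is
# escalated, the "seen this on 3 different machines" idea from the thread.
def correlate(hits: List[Tuple[str, str, Gram]],
              min_hosts: int = 3) -> Dict[Tuple[str, Gram], Set[str]]:
    hosts_by_sig: Dict[Tuple[str, Gram], Set[str]] = defaultdict(set)
    for host, proc, gram in hits:
        hosts_by_sig[(proc, gram)].add(host)
    return {sig: hosts for sig, hosts in hosts_by_sig.items() if len(hosts) >= min_hosts}

# Constructed known-good trail: one web server serving a request.
TRAINING: List[Event] = [("web1", "httpd", c) for c in
    ["socket", "accept", "read", "open", "read", "write", "close", "write", "close"]]

# Constructed live trail: three web servers whose httpd spawns a new program
# after reading a request (a classic post-overflow symptom), one healthy web
# server, and an sshd for which fork/execve is perfectly normal.
LIVE: List[Event] = (
    [(h, "httpd", c) for h in ("web1", "web2", "web3")
                     for c in ["socket", "accept", "read", "fork", "execve"]]
    + [("web4", "httpd", c) for c in
       ["socket", "accept", "read", "open", "read", "write", "close"]]
    + [("web4", "sshd", c) for c in ["fork", "execve"]]
)

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("policy violations:", policy_violations(LIVE))
    hits = sequence_anomalies(LIVE, base)
    print("sequence anomalies:", hits)
    print("escalated (seen on >= 3 hosts):", correlate(hits))
```

The per-call policy catches `fork`/`execve` from httpd outright but would also fire on every legitimate process whose policy is incomplete, which is where the patch-and-QA burden discussed above comes from; the sequence baseline needs a representative training run but tolerates calls it has seen in context. Correlation is deliberately keyed on the same (process, n-gram) pair so that unrelated noise on three hosts is not escalated.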