RE: host-based ids evaluation
From: Detmar Liesen (counter.spy@gmx.de) Date: 08/16/02
- Previous message: Scott Cothrell: "RE: Ethernet tap vs. spanned port"
- Maybe in reply to: gianluca valecchi: "host-based ids evaluation"
- Next in thread: Gianpiero Porchia: "R: host-based ids evaluation"
- Reply: Gianpiero Porchia: "R: host-based ids evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Aug 2002 09:50:03 +0200 (MEST) From: Detmar Liesen <counter.spy@gmx.de> To: toby.kohlenberg@intel.com, focus-ids@securityfocus.com
Toby,
I agree with you to some extent.
For personal computers you can do what you mentioned with tools like zone
alarm and co.
But for servers, many people don't like using features like autoblocking or
host-based firewalls because they could cause additional performance
degradation and there is of course the danger of misconfiguration.
Hmmmmm, yeah these are not really good arguments, I know. :)
But this is how many people think about it - especially some IT executives.
Some security admins I know don't like such features either.
Static firewall rules do not prevent binding of programs to certain ports
either, because you could bind netcat (as an example) to the allowed ports
as well.
I tested this with a webserver.
The reasonable way would be (as you outlined) tracking the netstat
information, but I am not sure if some processes could be hidden from netstat (???).
However, this would be the proper way (and an easy one, too) and I don't
understand why the IDSs under test (RS SS 6.5, Dragon Squire 5.2) did not detect
the netcat stuff out of the box (I used the windows maximum policy for RS
SS).
Shouldn't a decent HIDS detect a shell with no password getting bound to a
TCP port???
Could someone please test this with the new RS 7 Server Sensor?
BTW: My paper "Requirements for Enterprise-Wide Scaling Intrusion Detection
Products" that I announced some time ago is now also available for download
on www.snort.org.
Feedback appreciated. There already are a few points on my to-do list, so
with your additional feedback, the next version would be even better.
Cheers,
Detmar
------toby kohlenberg writes--------
[snipped]
>This is why host firewalling should be included as a critical piece of
>the layered defense of a system. Either that or have a tool that will at
>the very least track netstat output and notice changes.
>Ideally though you should have a list of tools that are allowed to talk to
>the network that is updated frequently and modified to deny access when the
>network monitoring IDS for that host sees something suspicious.
>
>What's that you say? My expectations are too high? ah well, maybe someday
>right?
>
>Toby
-- GMX - The communication platform on the Internet. http://www.gmx.net
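The check both posters describe, tracking listening sockets and noticing changes, as an added example that is not part of the original thread or of any product it mentions. It diffs two `netstat -ano`-style snapshots and, because a static firewall rule still allows netcat on port 80, it also compares the owning process against the expected owner of each allowed port. All snapshots, PIDs and image names are constructed for the demo.

```python
import re

# Constructed snapshots in the style of Windows `netstat -ano` (not real output).
BASELINE = """
  TCP    0.0.0.0:80     0.0.0.0:0    LISTENING    1120
  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    744
"""
CURRENT = """
  TCP    0.0.0.0:80     0.0.0.0:0    LISTENING    2040
  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    744
  TCP    0.0.0.0:4444   0.0.0.0:0    LISTENING    2052
"""
# Constructed pid -> image name map, as a tasklist snapshot taken at the same time would give.
PROCESSES = {1120: "inetinfo.exe", 744: "svchost.exe", 2040: "nc.exe", 2052: "cmd.exe"}

# Expected owner of each port the firewall allows; any other image on it is a finding.
EXPECTED_OWNER = {80: "inetinfo.exe", 135: "svchost.exe"}
# Images that should never own a listening socket on a server.
SUSPECT_IMAGES = {"nc.exe", "cmd.exe", "command.com"}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def listeners(netstat_text):
    """Return {port: pid} for every listening TCP socket in a netstat snapshot."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}


def audit(baseline_text, current_text, processes):
    """Compare two snapshots; return (port, image, reason) tuples worth alerting on.

    Caveat: this trusts netstat and the process list. A kernel-level rootkit can
    hide sockets or processes from both, so it is a baseline check, not proof of absence.
    """
    before, now = listeners(baseline_text), listeners(current_text)
    findings = []
    for port, pid in sorted(now.items()):
        image = processes.get(pid, "<unknown>")
        if port not in before:
            findings.append((port, image, "new listener since baseline"))
        elif before[port] != pid:
            findings.append((port, image, "owning process changed"))
        if port in EXPECTED_OWNER and image != EXPECTED_OWNER[port]:
            findings.append((port, image, "unexpected owner on allowed port"))
        if image.lower() in SUSPECT_IMAGES:
            findings.append((port, image, "shell or relay image bound to socket"))
    return findings


if __name__ == "__main__":
    for port, image, reason in audit(BASELINE, CURRENT, PROCESSES):
        print(f"port {port:<5} {image:<14} {reason}")
```

In practice the baseline would be captured once after deployment and the audit run from a scheduled task, with the snapshot gathered from the live `netstat -ano` and `tasklist` output instead of the embedded strings.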