Re: Changes in IDS Companies?

From: Andrew Plato (aplato@anitian.com)
Date: 11/09/02


Date: Fri, 8 Nov 2002 19:40:13 -0800
From: "Andrew Plato" <aplato@anitian.com>
To: <focus-ids@securityfocus.com>

Toby Kohlenberg wrote

> Very simply, when you are talking about controlling
> traffic to the sort of high value, production server
> that you are likely to want to put these
> things in front of, you cannot afford for it to
> ever generate a false positive.

Yes in theory, not so in practice. First off, most IPS, NIPS,
GIDS...whatever you want to call them...shouldn't be tuned to the point
where they are mass blocking anything that is a "maybe" to the engine. I
see a NIPS as essentially a "smarter firewall." It isn't going to filter
out every conceivable attack, just the ones that can be identified with
a great deal of accuracy.

In that sense, the blocking ratio should be reasonably reliable.
However, in theory I think you're right. There is a danger with these
devices making "bad decisions" about traffic and blocking acceptable
stuff.

> This means you need a standard IDS sitting behind it/next
> to it watching the same traffic with a more flexible
> implementation that may generate false positives from
> time to time but will also be more likely to catch
> well-hidden or novel attacks. The beauty of a passive
> IDS is that it can make mistakes and you don't get
> punished for it automatically.

This is still true. A conventional NIDS and HIDS always have value
because they are "data collectors." A good IDS does more than just shoot
off alerts, but can feed you data to start making your own decisions. In
the same way that a NIDS can give you the heads up that maybe you need
to make a change to a conventional firewall, a NIDS could do the same
for a NIPS or HIPS solution.

> So, I'd guess the first question I'd ask anyone
> trying to pitch one of these things to me is, how
> have you validated that you have a false-positive
> rate that approaches zero and how would I tune the
> box to ensure it will never cut off legitimate traffic?

This question really depends on where you put a NIPS. This is why I am
still hesitant to suggest people put these in front of an entire
network. A segment or single system is one thing. A whole network is a
different thing.

However, like all systems, properly tuned, they can offer a lot of
protection capability.

I suspect one of the problems with NIPS is that they will get confused
with firewalls. Firewalls are, for most places I visit, set & forget
devices. Organizations plug them in, configure them, and then never look
at them again. A NIPS is more like an IDS. And you can't leave an IDS
alone. It needs love and attention. The same is true of a NIPS. You
can't just let it whirr. Somebody has to be paying attention to what it
is doing. And when stuff gets blocked that should go through, the system
needs to be tuned.

>As I think about it, this discussion really has a
> lot in common with the cross-over rate issue in
> biometrics (the ratio of false-positives to
> false-negatives). Any vendors care to provide a
> meaningful explanation of how they are handling this?

> That means no statements like "We use a cutting edge
> combination of signatures, protocol analysis, heuristics,
> anomaly detection and our very own Ingredient X!".

Vendors are always hesitant to make these claims, because the instant
they make them, somebody comes out with Ingredient X Hacking Tool which,
fairly or not, can ruin the entire credibility of the product. Never
mind that the Hacking Tool only operates in the 4th dimension running
off a antimatter engine, if a link to the source code hits slashdot, the
company's reputation tanks.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
_______________________________