Re: Network IDS
From: Sam f. Stover (sstover_at_iwc.sytexinc.com)
Date: 08/22/03
- Previous message: Martin Roesch: "Re: Belaboring the point of FPs"
- In reply to: Barry Fitzgerald: "Re: Network IDS"
- Next in thread: Barry Fitzgerald: "Re: Network IDS"
- Reply: Barry Fitzgerald: "Re: Network IDS"
Date: Fri, 22 Aug 2003 09:12:38 -0400
To: Barry Fitzgerald <bkfsec@sdf.lonestar.org>
>> Then a NIDS is not the right thing for you. Network Intrusion Detection
>> is not about protecting systems.
>>
>
> I disagree. Yes, it would seem like something of a waste of resources
> to protect a single server/system with an NIDS sensor. But, if that
> particular system or group of systems is mission critical, then a NIDS
> is precisely what you need. So, even in that situation, I can see
> someone deploying a sensor to detect network traffic based attacks.
This is a semantic issue in which (I believe) Andreas' post meant
that NIDS don't actually protect, they alert. A home security system
doesn't stop people from breaking into your house - but it does alert
someone to the fact that something wrong happened. I mean there are
other things that may scare the thief away, like the lights coming on
or the police pulling into the driveway, but the fact remains that most
home security systems (as well as passive IDSs) don't stop the
intrusion from occurring.
At least, I'm guessing that's what you meant, Andreas?
> Now, the semantic argument that says that "NIDS is not about
> protecting systems" basically states that NIDS is about protecting
> networks.
I'm sorry, but I don't know what this sentence means. I don't
necessarily differentiate between "systems" and "networks" - should I?
> Factually, this is true - Host IDS is about protecting a *system*
> and NIDS is about detecting intrusions over the network. But never,
> ever, ever, ever forget that a network is composed of a group of
> systems.
My view (as an ex-IDS vendor employee) is that the IDS isn't actively
"protecting" anything (NIDS or HIDS, for that matter), but alerting you
when something does happen, so you can take action. IPS, OTOH, does do
"protecting" (and self-inflicted DoS) as opposed to just "alerting",
which the original poster should be aware of. It's my understanding
that this thread originated on the request for advice on how to
implement IDS to protect. Passive IDS indirectly protects in that it
imparts information/knowledge (i.e. power) to the user to help
undertake protective measures, but does no actual
protecting/prevention, in and of itself.
> For full system protection, he should be deploying a Host IDS on the
> servers/systems he's defending... but an NIDS is a really good idea
> for detecting attacks that happen over the line. What if someone
> compromises the system and kills the HIDS and deletes the logs in the
> middle of the night?
Let's examine your scenario further. Assume someone did own the
system, killed the HIDS and wiped the logs. What did your H/NIDS do to
protect you? Nothing. They can provide forensic evidence (well, the
NIDS anyway in this particular example ;-), but no "protecting"
occurred. This is a point that too many folks pass over, in their
hurry to implement an IDS security solution.
Now, before all the vendors jump down my throat, pretty much everyone
is implementing offensive capabilities into the IDS like session
shootdown for passive IDS and in-line "firewalling on steroids", so
there are definitely active protective measures available (and I'm sure
someone will expound on how their IDS "can do all that, and more!").
This is the crucial point of my post though: if the original poster
wants something that will "protect" instead of "alert", then this needs
to be discussed early on in vendor negotiation for the ultimate
solution for their network.
My $0.02
FWIW
IMHO
YMMV
(you still listening Shipley?)
SfS
____
S.f.Stover
sstover@iwc.sytexinc.com
- application/pgp-signature attachment: PGP.sig