Re: Network IDS
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 08/26/03
- Previous message: Andreas Krennmair: "Re: Network IDS"
- In reply to: Andreas Krennmair: "Re: Network IDS"
- Next in thread: Fergus Brooks: "RE: Network IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Aug 2003 10:22:55 -0400
To: Andreas Krennmair <netnews@synflood.at>
Andreas Krennmair wrote:
>
>It can _detect_ the traffic, but it does NOT protect your system! As
>soon as you detect an attack, it has already happened, and if it was
>successful, your system is compromised. So, use secure software, since
>you can't rely on your NIDS. Why have a NIDS that records all attacks
>against a machine, when the machine is compromised after one of the
>attacks?
>
>
I have a couple of points in response to this:
1. Detection is a prerequisite for protection.
2. I care about all attacks levied against my systems, and you
should too. If the first attack succeeds - that absolutely is a high
priority event, but it's not the only event that occurred. If someone
breaks into your system, you should absolutely want to know everything
that happened. If the first attack is used to gain a shell and a second
attack is used to inject a listening backdoor port, I absolutely don't
want to exclusively focus on the original attack and not focus on the
other attack. Assuming that you're just going to be able to look at the
target system and detect all of the abnormalities is naive.
3. If you've found a list of absolutely 100% secure software, please
share it. I've never seen a piece of software that hasn't had security
holes. Until you have software that can't be compromised, you need
other methods of detecting attacks (and detection, again, is a
prerequisite of protection - and thus the two are intertwined).
So, you still need a method of detecting attacks that is not tied to the
target system which, once it's compromised, can't be trusted for anything.
That is, of course, unless you've found a way of protecting against
attacks that you don't know have happened - in which case I'd also like
to know how that can be.
>
>
>You have to understand that detecting an attack does not protect your
>network/system against this attack, since a NIDS sensor is totally
>passive. And intrusion prevention systems are getting "funny" as soon as
>you encounter false positives.
>
>
I completely understand that NIDS is a passive technology. It won't
protect your network for you - but it's an essential component in a
comprehensive defense strategy.
>
>Use sandboxing software, e.g. systrace. It works pretty well on a number
>of Unix-like operating systems.
>
>
>
Yes, but sandboxing software is itself not without its own issues and
holes. It's not a be-all, end-all solution and it's irresponsible to
portray it as such. Sure, use sandboxing software, that's great! But
you still have to detect attacks against the box.
For instance: say you have a web app that uses an online user information
database. You can sandbox the processes to your heart's content, but the
sandboxed app still needs access to the data, so the data is available
from within the sandbox - in this case, your sandbox has done nothing
but sit there.
The ultimate point I'm trying to make is that there is no single
solution to protecting systems. There is no box that can't be
penetrated and there is no box with a red flashing light that sits in
the corner and magically detects crackers. Until such a product exists,
and it probably never will, you will still have to use tools to detect
attacks and attempt to mitigate them using the detection mechanism.
-Barry
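The two-stage scenario described in the post above (an exploit used to gain a shell, followed by a second step that opens a listening backdoor port) is the kind of thing a passive network sensor can correlate without trusting anything on the target host. The following is an added example, not code from the original thread or from any product it mentions. The flow-log format, the content signatures, the baseline of known services and the sample traffic are all constructed for illustration; the only thing it demonstrates is the correlation logic: an exploit signature seen against a host, followed within a time window by connections to a port that host never served before.

```python
"""Passive, network-side correlation of a two-stage attack (added example).

Every observation comes from the wire. Nothing here asks the target host
anything, which is the point: once the host is compromised, its own view
of itself cannot be trusted.
"""
import re
from dataclasses import dataclass, field

# Constructed flow-log format (one flow per line):
#   ts src_ip src_port dst_ip dst_port proto state [payload_snippet]
SAMPLE_LOG = """\
1061900000 10.0.0.5 41022 192.168.1.10 80 tcp established GET /index.html
1061900010 10.0.0.5 41023 192.168.1.10 80 tcp established GET /cgi-bin/login?user=%n%n%n%n
1061900012 10.0.0.5 41023 192.168.1.10 80 tcp established AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1061900100 10.0.0.5 41100 192.168.1.10 31337 tcp established id
1061900101 10.0.0.7 51000 192.168.1.10 80 tcp established GET /about.html
1061900300 10.0.0.5 41101 192.168.1.10 31337 tcp established cat /etc/passwd
"""

# Constructed baseline: which ports each monitored host legitimately serves.
# A real sensor would learn this from a clean traffic window or from inventory.
KNOWN_SERVICES = {"192.168.1.10": {80}}

# Constructed content signatures, in the spirit of a NIDS rule set.
SIGNATURES = [
    ("format-string probe", re.compile(r"(%n){2,}")),
    ("long uniform buffer (possible overflow)", re.compile(r"(.)\1{31,}")),
]


@dataclass
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


@dataclass
class Event:
    ts: int
    kind: str     # "exploit-signature" or "new-listener"
    detail: str


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed flow-log format into Flow records (tcp/established only)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=7)
        ts, src_ip, src_port, dst_ip, dst_port, proto, state = parts[:7]
        payload = parts[7] if len(parts) > 7 else ""
        if proto != "tcp" or state != "established":
            continue
        flows.append(Flow(int(ts), src_ip, int(src_port), dst_ip, int(dst_port), payload))
    return flows


def detect(flows, known_services, window=3600):
    """Return one Incident per host that saw an exploit signature followed,
    within `window` seconds, by an accepted connection on a port it never served.

    Only hosts present in `known_services` get new-listener events; without a
    baseline there is nothing to compare against, so the sensor stays quiet
    rather than flagging every port as new.
    """
    events_by_host = {}
    seen_listeners = {host: set(ports) for host, ports in known_services.items()}

    for f in sorted(flows, key=lambda x: x.ts):
        host_events = events_by_host.setdefault(f.dst_ip, [])
        # Stage 1: content match against the request (the "first attack").
        for name, rx in SIGNATURES:
            if rx.search(f.payload):
                host_events.append(Event(
                    f.ts, "exploit-signature",
                    f"{name} from {f.src_ip}:{f.src_port} to port {f.dst_port}"))
        # Stage 2: a port that accepted a connection but was never a known service.
        if f.dst_ip in seen_listeners and f.dst_port not in seen_listeners[f.dst_ip]:
            seen_listeners[f.dst_ip].add(f.dst_port)   # report each new port once
            host_events.append(Event(
                f.ts, "new-listener",
                f"port {f.dst_port} accepted a connection from {f.src_ip}"))

    incidents = []
    for host, evs in events_by_host.items():
        sig_times = [e.ts for e in evs if e.kind == "exploit-signature"]
        listeners = [e for e in evs if e.kind == "new-listener"]
        if not sig_times or not listeners:
            continue
        first_sig = min(sig_times)
        # The backdoor must appear after the exploit, not before it.
        if any(first_sig <= l.ts <= first_sig + window for l in listeners):
            incidents.append(Incident(host, evs))
    return incidents


if __name__ == "__main__":
    for inc in detect(parse_log(SAMPLE_LOG), KNOWN_SERVICES):
        print(f"incident on {inc.host}:")
        for e in inc.events:
            print(f"  {e.ts} {e.kind}: {e.detail}")
```

Run on the sample, the sensor reports a single incident against 192.168.1.10 carrying both signature hits and the later connection to port 31337; a new port seen with no preceding signature, or a signature with no new port, produces no incident. Both halves of the story are kept in the same record, which is the "care about all attacks" point: the backdoor connection is as much part of the incident as the exploit that preceded it.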