Re: Is IDS/IPS worthless?

From: Olaf Gellert (og_at_pre-secure.de)
Date: 02/23/04

  • Next message: Mike Hoskins: "Re: Is IDS/IPS worthless?"
    Date: Mon, 23 Feb 2004 23:48:26 +0100
    To: "SecurIT Informatique Inc." <securit@iquebec.com>
    SecurIT Informatique Inc. wrote:
    > At 06:53 PM 21/02/2004, Olaf Gellert wrote:

    >> It is even worse: The system does not make people feel
    >> better (like a firewall), but it may show you all the
    >> dangers coming from the net and the vulnerability of
    >> your own network. So a big part of this is simple
    >> psychology.
    >
    >
    > Well, shoot me if I'm wrong, but putting the NIDS sensor behind the
    > firewall instead of in front of it (as you seem to imply) should BOTH
    > reduce the numbers of "dangers" that you should normally care about
    > (since the FW already blocks the one we don't have to care about), and
    > fill in the gap left by the false sense of security firewalls give (a
    > firewall makes people feel better, that has to be the worst reason I
    > ever heard to purchase a firewall) by applying intrusion detection
    > techniques to the traffic that the firewall has let pass thru. Because
    > firewalls let traffic pass thru, or else you wouldn't need a firewall at
    > all since you'd be better off without an Internet connection. They just
    > block traffic according to some rules in order to give access to some
    > network services, and it is on the traffic related to these services
    > that attention should be put on.
    Sorry, you are getting me completely wrong: I am doing my PhD in
    IDS technology and I certainly believe in the usefulness of IDS.
    I did not want to say: This is the way it should be done. I just
    said: This is the way many people have set up IDS and are disappointed
    and surprised by the amount of generated alerts. The bargain of an
    IDS is much more difficult to see for people not deeply involved
    in security.

    > So in this regard, I think it is pretty doubtful to claim that with
    > IDS, you have nothing and you just have a bigger workload. I think you
    > involuntarily demonstrated one of the biggest issues with IDS, a lack of
    > understanding of how the technology is to be applied, and how it is all
    > inter-related and maintained.
    Well, it would be great if you had read my further paragraphs:
    |This is my view of IDS in the near future: IDS has
    |to be improved step by step. E.g. reduce the number of
    |false positives, generate more specific alerts according
    |not only to attacks used but also to the configuration
    |of the attacked system (who cares about an MS cmd32.exe
    |access on a Linux Apache webserver?). More dynamic
    |evaluation of monitored (but new and unknown) things
    |will be incorporated (honeycomb is one of the projects
    |in this direction). And in a few years IDS will be a
    |common network security technique.

    Until now we are not there at all: If you ask me, an IDS will
    be much more useful if it has knowledge about the whole
    network configuration. Most IDS I know will raise an alert
    on any attack that could work on an IIS webserver. It would
    be very helpful if they knew that there is an Apache running,
    so the attack cannot be successful. The knowledge about
    unsuccessful attacks is something for statistics, but nothing
    I would like to be woken up for at three o'clock in the morning.
    So future IDS will know "there is an Apache 1.3.27, build 81,
    running there on a SuSE Linux 8.2 on an Intel machine". So
    they are able to decide: "This attack will not be successful".

    And one step further: Future generations of IDS have to be
    "policy-driven", so they should know about what is considered
    valid usage of the network and probably they are able to proactively
    scan for holes in the actual network security configuration.
    I believe that IDS technology will be common and working in
    a few years, but I also believe that there is still much to
    be done to improve this technology.

    > If I were to prove my point of view with a metaphor, I'd say that your
    > claim is like saying :"I've just purchased a new car, but I don't have a
    > driver's license and never read the car's manual, but it's no big deal,
    > I can drive it all right. I've noticed I have a button to switch
    > headlights on, but I don't need it to drive at night and I think it's
    > just a waste of battery power, I can see all right at night from the
    > lightposts and the lights from the other cars."
    Well, would you really say that people have this kind of view
    on software? I have seen many people moaning about their hard- and
    software without even trying to understand the complexity of their
    systems. And there is no driving license required for computer users.

    > I'm not downplaying the role of firewalls here, but thinking they are
    > sufficient by themselves still in 2004 is just asking for a reality check.
    Well, do you believe your IDS is ready to actually improve your
    security directly? I do not trust any IDS enough to enable
    reactive mechanisms (like sending RST packets to close probably
    dangerous connections). The actual profit of IDS is more on the
    side of information gathering (and this requires manual evaluation
    of the data) to help in decisions concerning the security. A direct
    benefit (like: switch it on and it improves your security) has
    not been reached until now. It is just: Switch it on and analyse the
    data, gather knowledge about your security breaches and then
    decide how to improve your security.

    Cheers, Olaf

    -- 
    Dipl.Inform. Olaf Gellert                  PRESECURE (R)
    Consultant,                              Consulting GmbH
    Phone: (+49) 0700 / PRESECURE           og@pre-secure.de
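The target-aware alert handling Olaf argues for above (an IIS signature fired against a host that actually runs Apache belongs in the statistics, not in a 3 a.m. page), as an added example that is not part of the thread; the asset inventory, the signature-to-product map, the alert records and all IP addresses are constructed, and an unknown host or unmapped signature is escalated rather than suppressed.

```python
"""Target-aware IDS alert triage (constructed example, not code from the
thread): suppress alerts whose exploit cannot apply to the attacked host."""
from dataclasses import dataclass

# Constructed asset inventory, the "knowledge about the whole network
# configuration" the post asks for: IP -> listening services by port.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache/1.3.27"}},
    "10.0.0.6": {"os": "windows", "services": {80: "iis/5.0"}},
    "10.0.0.7": {"os": "linux", "services": {22: "openssh/3.7"}},
}

# Constructed signature metadata: which server product each rule exploits.
SIG_TARGETS = {
    "WEB-IIS cmd32.exe access": {"iis"},
    "WEB-APACHE chunked encoding": {"apache"},
    "SSH version probe": {"openssh"},
}

@dataclass
class Alert:
    sig: str
    dst_ip: str
    dst_port: int

def triage(alert):
    """Classify one alert as 'actionable', 'not-applicable' or 'unknown-target'."""
    host = INVENTORY.get(alert.dst_ip)
    if host is None:
        return "unknown-target"      # no inventory knowledge: escalate, never drop
    targets = SIG_TARGETS.get(alert.sig)
    if targets is None:
        return "actionable"          # unmapped signature: do not suppress silently
    banner = host["services"].get(alert.dst_port, "")   # "" = port not listening
    product = banner.split("/")[0]
    return "actionable" if product in targets else "not-applicable"

def summarize(alerts):
    """Count alerts per class; only 'actionable' ones deserve a wake-up call."""
    counts = {"actionable": 0, "not-applicable": 0, "unknown-target": 0}
    for a in alerts:
        counts[triage(a)] += 1
    return counts

SAMPLE_ALERTS = [                                          # constructed
    Alert("WEB-IIS cmd32.exe access", "10.0.0.5", 80),     # IIS exploit vs Apache
    Alert("WEB-IIS cmd32.exe access", "10.0.0.6", 80),     # IIS exploit vs IIS
    Alert("WEB-APACHE chunked encoding", "10.0.0.5", 80),  # matches the target
    Alert("SSH version probe", "10.0.0.9", 22),            # host not inventoried
    Alert("WEB-IIS cmd32.exe access", "10.0.0.7", 80),     # nothing on port 80
]
```

Running `summarize(SAMPLE_ALERTS)` leaves two alerts to act on out of five; the two suppressed ones are exactly the cases where the exploited product is not what is listening.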
    
