Usefulness of Network Intrusion Detection Systems

From: Thomas (TheTom_at_UnixIsNot4Dummies.ORG)
Date: 05/25/04

    To: focus-ids@securityfocus.com
    Date: Tue, 25 May 2004 14:20:57 +0200
    
    

    Hello everybody,
    I write this email to receive more valuable responses
    about this issue. It is not meant as an offense or as an act
    of arrogance.

    I recently had a discussion about the usefulness of
    network-based IDSs.
    In my opinion there is too much valuable effort wasted
    in developing engines to keep track of network traffic
    collected via sniffing sensors for intrusion detection.

    Network-based IDSs should be limited to attacks on the
    network layer, not the application layer.
    IP spoofing, ARP cache poisoning and similar attacks
    can only be detected by NIDSs, but parsing and keeping
    track of application data sent over the network as well
    as the current execution path state of an application
    is too complex and too error prone (often proven in the
    past).
    Maybe people are just doing it for fun or to satisfy the
    marketing hype... I do not know.

    This behaviour is similar to a host-based IDS that tries
    to monitor SQL transactions by analyzing arguments to
    syscalls like read() and write().
    Looking at a system like this should just force one reaction
    from an educated person: "What is this stupid thing doing?
    It operates on a different layer, not on the more abstract
    application layer."
    Yes, developing such a system proves the misguided mind of
    a developer.
    What does the HIDS know about roles in an SQL environment,
    what about transaction ACLs, what about table contents?

    One argument I got was: "Having *one* NIDS at the right place
    helps to stop intrusions over the network. The admin doesn't
    need to update all machines constantly. If an attack is
    detected the IP will be blocked."

    Besides the fact that IP addresses can be spoofed and that the
    admin has to update the signature database too, the shellcode
    of "rm -rf / &" (or whatever) is still running even if the
    suspicious connection was interrupted.

    So why not develop an easy-to-use online update service that
    works on the various Linux distributions as well as on other
    Unices or even Windows systems?
    This update service can monitor the update sites of the vendors
    regularly and may be controlled centrally. So, there is not much
    more work than administrating a node-based or sniffer-based NIDS.
    And now the network is even more secure!

    Sure, everyone can do what s/he likes to do in his/her spare time,
    but sometimes it looks like uncontrolled activism. :)

    To avoid misunderstanding, I see the usefulness of NIDS in
    protecting network components or in detecting attacks on the
    network layer; even for reasons of eForensics it is useful
    (see the compromises of Debian(???) servers),
    but everything else looks like a waste of time to me.

    Additionally, companies do not care much about switches, routers
    or web servers. Sure, they get bad PR if one is compromised or
    turned off, but there is no direct loss of money connected with it.
    The direct value lies in the data: plaintext emails on hard disks,
    protocols about conference calls with partner companies, transactions
    to suppliers, and so on.

    Your comments are welcome!

    Bye,
    Thomas
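The post names ARP cache poisoning as one of the network-layer attacks that a sniffing sensor is well placed to detect. The following is an added example (not from the original post or from any list participant) of the kind of arpwatch-style logic such a sensor runs: it parses raw RFC 826 ARP bodies and raises an alert when an IP address's MAC binding changes or when a gratuitous reply is seen. The Ethernet header is assumed to be stripped already, and the capture at the bottom is constructed for this example rather than taken from a real network; the packet-building helper exists only to produce that sample input.

```python
"""arpwatch-style ARP cache poisoning detector (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 826 body for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> Optional[ArpPacket]:
    """Parse an ARP body (Ethernet header already removed).

    Returns None for anything that is not Ethernet/IPv4 ARP, so a sensor
    can feed it every EtherType 0x0806 frame without pre-filtering.
    """
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN]
    )
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpPacket(oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpMonitor:
    """Tracks IP -> MAC bindings seen on the wire and reports anomalies."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> List[str]:
        new: List[str] = []
        # A reply whose sender and target IP match is gratuitous ARP: legitimate
        # after failover, but also the usual shape of a poisoning attempt.
        if pkt.oper == OP_REPLY and pkt.sender_ip == pkt.target_ip:
            new.append(f"gratuitous reply for {pkt.sender_ip} from {pkt.sender_mac}")
        # A binding flip for an IP we have already seen is the core arpwatch signal.
        old = self.bindings.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            new.append(f"binding change {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        self.alerts.extend(new)
        return new


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Helper used only to construct the sample capture below."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sender_mac.replace(":", "")),
        bytes(int(x) for x in sender_ip.split(".")),
        bytes.fromhex(target_mac.replace(":", "")),
        bytes(int(x) for x in target_ip.split(".")),
    )


# Constructed sample capture: a host asks for its gateway, the gateway answers,
# then a second MAC claims the gateway's IP and follows up with a gratuitous reply.
SAMPLE_CAPTURE = [
    build_arp(OP_REQUEST, "00:11:22:33:44:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(OP_REPLY, "00:11:22:33:44:fe", "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10"),
    build_arp(OP_REPLY, "00:11:22:33:44:66", "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10"),
    build_arp(OP_REPLY, "00:11:22:33:44:66", "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
]


def run_monitor(capture: List[bytes]) -> List[str]:
    """Feed raw ARP bodies through the parser and monitor; return all alerts."""
    mon = ArpMonitor()
    for raw in capture:
        pkt = parse_arp(raw)
        if pkt is not None:
            mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_CAPTURE):
        print(line)
```

Everything the detector needs is in the 28-byte ARP body, which is why this kind of check fits the sensor-side role the post argues for: no application state has to be reconstructed, and a binding change or gratuitous reply is visible to one sensor on the segment regardless of which hosts are involved. In production the bindings table needs aging and a whitelist for known failover pairs, otherwise legitimate HA gateways generate the same alerts.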
