NADS ( was RE: IPS comparison)

From: Joseph Hamm (jhamm_at_lancope.com)
Date: 08/31/05

  • Next message: Adam Powers: "Re: IPS comparison" 
    Date: Tue, 30 Aug 2005 23:11:08 -0400
To: "Seek Knowledge" <aseeker03@yahoo.com>, "Stefano Zanero" <s.zanero@securenetwork.it>, "Daniel Cid" <danielcid@yahoo.com.br>, "Focus-Ids Mailing List" <focus-ids@securityfocus.com>

    Hassan,

    You make some good points, but I'd like the opportunity to clear up a
    few things about my NADS:

    >IMHO comparing pure play behavior detection to IPS is like comparing
    apples and oranges.

    I couldn't agree more. I spoke up because Stefano brought up the topic
    of anomaly detection. One thing that does bother me is how IPS has been
    painted as a "magic bullet" by vendors (and even the press). IPS works
    great at the perimeter or other "choke points" in the network. However,
    in speaking with customers, it is too costly to deploy in a scenario
    that can give you adequate network visibility or proper blocking
    capabilities inside your organization. It should remain a perimeter
    solution, placed in a strategic location to protect key assets (example
    would be a group of critical servers), or perhaps one day merged into
    your network infrastructure (perhaps the future as painted by
    Tippingpoint and 3com).

    >NADS appears to be more similar to the old sniffer technology with the
    added feature of /possibly/ giving better clues
    >as to the cause of the anomaly from a security perspective whereas the
    old Network General style explains from network
    >problem perspective.
     
    Yes. NADS gives much of the value of traditional network
    troubleshooting tools like Sniffer. But this is only a fraction of its
    capabilities. These systems can gain network info from taps,
    SPAN/mirror ports, NetFlow, or sFlow. The result of this hybrid
    approach is a much broader network visibility than traditional security
    devices such as IDS or IPS can provide (at least for the same costs).
    The reason you get more visibility with fewer boxes deployed is because
    these systems can leverage the flow information (NetFlow or sFlow info
    exported from your routers/switches). You essential turn all of your
    routers and switches into security probes so you don't have to deploy
    (purchase and maintain) a box everywhere you want coverage. Many folks
    don't even know what NetFlow or sFlow is or how it can be used to
    provide them much needed security information (and save them money).

    >Protocol anomaly at least looks more promising in the IPS space as the
    action capability is there. In my experience, it definitely takes time
    baselining... but once
    >baslined, it could be a valuable tool (again when the action component
    - read IPS - is added).

    Yes, baselining takes some time. So does tuning a signature-based
    product. We should all know by now that IPS is easy to deploy and tune
    cause they've ripped out all of the signatures and only block on the
    handful that they know they can block on accurately. Don't get me
    wrong. With that being said, I still see the value of using IPS to
    detect and block low hanging fruit.

    On the other hand, NADS can have full network visibility, understand
    what is normal activity for hosts, alarm the administrator, and even
    take blocking action on the administrator's behalf. How does it do this
    without being inline? It leverages the existing network infrastructure
    to block attacks...something that is being called "infrastructure IPS".
    This allows the NADS to find the piece of network infrastructure closest
    to the threat (router, switch, firewall, etc.) and take blocking action
    there in order to quarantine the attack. Your IPS can't do that!
    IDS/IPS can only detect and block once traffic passes the device (which
    works great at the perimeter). Since a NADS system has complete
    visibility, it can instruct your infrastructure to take blocking actions
    and stop internal threats more effectively.

    >That whole Gartner prophecy of "IDS is dead" was referring to the idea
    that detection by itself is just not enough. Maybe behavior detection
    (NADS) might be good for
    >forensics... but I'll take IPS wherever I can get it thank you. If one
    can't afford IPS... then I guess going the forensics only route is
    better than nothing. But even >then, pure-play behavior-based solutions
    leaves the gap of not detecting known bad stuff.

    As mentioned above, NADS can detect and block malicious activity. And
    yes, they provide a wealth of forensic information. Lancope provides
    the last 30 days. As far as detecting known bad stuff, I suggest a
    hybrid approach. IPS at the perimeter to catch low hanging fruit, IDS
    internally to detect known attacks, NADS to understand normal behavior
    and detect/block on threats. Your better NADS can correlate events from
    signature based IDS. This means that they can weed through the
    thousands of signature-based IDS events that might be occurring daily
    and cherry pick those that correlate to a behavioral change from a host.

    A great example of this would be saving the administrator the time of
    sorting through 1000 RPC buffer overflow alarms generated by his IDS
    because his servers were not vulnerable and experienced no behavioral
    change after the attack. However, the administrator would be presented
    the one RPC buffer overflow that correlated to a host that went outside
    of its normal behavior and started scanning other hosts, connected to a
    remote server on some random port, etc.

    >btw... even Lancope has signatures (however outdated they may be)... so
    even Lancope realizes the value of signatures in the security tool box.

    They aren't signatures, but yes, we do have behavioral algorithms that
    look for suspicious activity. And yes, some of these do not require a
    baseline to determine malicious behavior so in vague terms they could be
    considered somewhat like a signature. For example, I don't have to have
    a baseline of a host to know that aggressive scanning on port 445 is
    bad, port 80 traffic that is not valid http is bad, etc.

    Hope this clarifies my position a bit.

    Regards,
    Joe

    Joe Hamm, CISSP
    Senior Security Engineer
    Lancope, Inc.
    jhamm@lancope.com
    404.644.7227 (cell)
    770.225.6509 (fax)

    Lancope - Security through Network Intelligence(tm)
    StealthWatch(tm) by Lancope, a next-generation network security
    solution, delivers behavior-based intrusion detection, policy
    enforcement and insightful network analysis. Visit www.lancope.com.

    -----Original Message-----
    From: Seek Knowledge [mailto:aseeker03@yahoo.com]
    Sent: Tuesday, August 30, 2005 6:58 PM
    To: Joseph Hamm; Stefano Zanero; Daniel Cid; Focus-Ids Mailing List
    Subject: RE: IPS comparison

    IMHO comparing pure play havior detection to IPS is like comparing
    apples and oranges.

    NADS appears to be more similar to the old sniffer technology with the
    added feature of /possibly/ giving better clues as to the cause of the
    anomaly from a security perspective whereas the old Network General
    style explains from network problem perspective.

    Protocol anomaly at least looks more promising in the IPS space as the
    action capability is there. In my experience, it definitely takes time
    baselining... but once baslined, it could be a valuable tool (again when
    the action component - read IPS - is added).

    That whole Gartner prophecy of "IDS is dead" was referring to the idea
    that detection by itself is just not enough. Maybe behavior detection
    (NADS) might be good for forensics... but I'll take IPS wherever I can
    get it thank you. If one can't afford IPS... then I guess going the
    forensics only route is better than nothing. But even then, pure-play
    behavior-based solutions leaves the gap of not detecting known bad
    stuff.

    btw... even Lancope has signatures (however outdated they may be)... so
    even Lancope realizes the value of signatures in the security tool box.

    Regards,
    Hassan Karim, CISSP

    --- Joseph Hamm <jhamm@lancope.com> wrote:

    > >Fact is, anomaly detection is so rare that it's
    > almost unexistant in
    > the commercial products, except for limited forms
    > >of "protocol anomaly detection" and for Arbor's
    > peakflow technology.
    >
    > Not true! The only reason this space hasn't gotten as much attention
    > over the last few years is cause everyone was busy buying signature
    > IDS and now IPS solutions.
    >
    > Pure Network Anomaly Detection players:
    > Arbor
    > Lancope
    > Mazu
    > Q1 Labs
    > (All of these have been around for several years despite the lack of
    > industry attention to this space. Am I missing any new ones?)
    >
    > Also, for a recent article on network anomaly detection systems
    > (NADS), check out this month's Information Security Magazine (cover
    > story). The NADS space (this is only the latest acronym used to
    > describe this group of products), is starting to get more attention
    > and press coverage. You will also find some articles that call these
    > products NBAD (Network Behavior Anomaly Detection) solutions.
    >
    > Many security companies can detect "anomalies" in some form. Almost
    > every security vendor has the word "anomaly" in their marketing
    > literature. You need to understand what they mean by an "anomaly" and

    > how they detect them.
    >
    > "protocol anomaly detection" and "network anomaly detection" are two
    > different things although detecting network anomalies can include
    > protocol anomalies as well. An IPS is a point solution, usually has
    > limited network visibility (unless you spend a fortune and deploy them

    > everywhere), and can only perform protocol anomaly detection (from
    > what I've seen). In order to have the best NADS, you need complete
    > network visibility and an understanding of what is "normal"
    > on your network.
    >
    > Rolling out NADS generally requires less appliances than IPS (read
    > less
    > cost) because one box can gather network info from multiple SPAN
    > ports, network taps, or get NetFlow/sFlow feeds from remote
    > routers/switches.
    >
    > Kind regards,
    > Joe
    >
    > Joe Hamm, CISSP
    > Senior Security Engineer
    > Lancope, Inc.
    > jhamm@lancope.com
    > 404.644.7227 (cell)
    > 770.225.6509 (fax)
    >
    > Lancope - Security through Network Intelligence(tm)
    > StealthWatch(tm) by Lancope, a next-generation network security
    > solution, delivers behavior-based intrusion detection, policy
    > enforcement and insightful network analysis. Visit www.lancope.com.
    >
    >
    > -----Original Message-----
    > From: Stefano Zanero
    > [mailto:s.zanero@securenetwork.it]
    > Sent: Monday, August 29, 2005 6:01 PM
    > To: Daniel Cid; Focus-Ids Mailing List
    > Subject: Re: IPS comparison
    >
    > Daniel Cid wrote:
    > > This "anomaly" detection will only detect 0-day
    > exploits for known
    > > vulnerabilities.
    >
    > A zero-day exploit is a curious marketing thing. You suddenly redefine

    > a difficult problem (catching zero-days) as a rather simpler problem
    > (create signatures that actually describe the vulnerability, which is
    > what any signature worth your licensing cost should do).
    >
    > So, presto!, you can rush up and put out some rather nice marketing
    > material on it.
    >
    > Fact is, anomaly detection is so rare that it's almost unexistant in
    > the commercial products, except for limited forms of "protocol anomaly

    > detection" and for Arbor's peakflow technology.
    >
    > Best,
    > Stefano Zanero
    > ---------------------------
    > Secure Network S.r.l.
    > www.securenetwork.it
    >
    >
    ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from

    > CORE IMPACT.
    > Go to
    >
    http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    >
    ------------------------------------------------------------------------
    >
    >
    >
    ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from

    > CORE IMPACT.
    > Go to
    >
    http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    >
    ------------------------------------------------------------------------
    >
    >

    Send instant messages to your online friends
    http://uk.messenger.yahoo.com

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------

  • Next message: Adam Powers: "Re: IPS comparison"
    • Quantcast