RE: NADS ( was RE: IPS comparison)

From: Joseph Hamm (jhamm_at_lancope.com)
Date: 09/02/05

    Date: Thu, 1 Sep 2005 21:59:59 -0400
    To: Iván Arce <ivan.arce@coresecurity.com>, "Focus-Ids Mailing List" <focus-ids@securityfocus.com>
    
    

    >This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any
    >serious security infrastructure initiative.
     
    I definitely see the value of host-based agents; however, they have their own challenges: cost of deployment on every host, difficulty managing and updating them, and introduction of another attack vector (the BlackICE incident). I should have included this technology though. Sorry for the omission.

    >I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention
    >being attributed to IPS these days.

    LOL! Ooops! Didn't mean for it to come across that way, I'm just passionate about the technology. No "magic bullet" here....just a technology that fills a lot of security gaps.

    >To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it
    >perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert
    >channels.

    This assumes that the only method of detection is variation from a baseline which is only a small part of the system. Covert channels are easily detected. Think about application verification and changes in entropy.

    >In any case, my point is that NADS as any other specific security technology is faulty and can be fooled rather easily,
    >only a well-thought combination of existing technologies can provide effective security. Such combination should be
    >thought of as the necessary to complement individual technologies and cover each other's weak spots at an optimum cost
    >for a given level of risk that you are willing to accept.
    >I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or
    >out-of-band if it's not.

    Right, all security tools can be fooled given enough determination, time, and money. I agree that a combination of products is ideal.

    Joe Hamm, CISSP
    Senior Security Engineer
    Lancope, Inc.
    jhamm@lancope.com
    404.644.7227 (cell)
    770.225.6509 (fax)

    Lancope - Security through Network Intelligence(tm)
    StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com.

    -----Original Message-----
    From: Iván Arce [mailto:ivan.arce@coresecurity.com]
    Sent: Wednesday, August 31, 2005 3:48 PM
    To: Focus-Ids Mailing List
    Subject: Re: NADS ( was RE: IPS comparison)

    Joseph Hamm wrote:
    > Hassan,
    >
    > You make some good points, but I'd like the opportunity to clear up a
    > few things about my NADS:
    >
    >
    >>IMHO comparing pure play behavior detection to IPS is like comparing
    >
    > apples and oranges.

    Not necessarily. Technology-wise it is indeed, but to the end users (your and other vendors' customers, I presume) it may be quite relevant.
    I assume that they want to solve their security problems and they are not necessarily stuck on any given technology for doing so.

    >
    > I couldn't agree more. I spoke up because Stefano brought up the
    > topic of anomaly detection. One thing that does bother me is how IPS
    > has been painted as a "magic bullet" by vendors (and even the press).
    > IPS works great at the perimeter or other "choke points" in the
    > network. However, in speaking with customers, it is too costly to
    > deploy in a scenario that can give you adequate network visibility or
    > proper blocking capabilities inside your organization. It should
    > remain a perimeter solution, placed in a strategic location to protect
    > key assets (example would be a group of critical servers), or perhaps
    > one day merged into your network infrastructure (perhaps the future as
    > painted by Tippingpoint and 3com).

    This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any serious security infrastructure initiative.

    Regarding deployment of network devices that implement security controls (firewalls, NIDS, NIPS, content-filters/proxies, etc.) my thinking is that they can't see what a network device can't see: what is going on at the OS/application level on the servers and workstations.
    Hence any security solution based solely on network appliances is partial and incomplete.

    > exported from your routers/switches). You essential turn all of your
    > routers and switches into security probes so you don't have to deploy
    > (purchase and maintain) a box everywhere you want coverage. Many folks

    Although this may sound compelling from a budgetary point of view it is also dangerous. That does not mean you should not do it, only that one should understand the risks of such a strategy, its weaknesses and benefits.

    What you are doing, basically, is to turn some asset that was not designed to be a security device into a key component of your security infrastructure. This is reminiscent of the long gone but never quite dead VLAN-as-an-effective-security-compartmentalization and NAT-as-an-effective-security-mechanism discussions that are periodically reborn.

    > On the other hand, NADS can have full network visibility, understand
    > what is normal activity for hosts, alarm the administrator, and even

    That is a far reaching statement that I thought no one would make these days. I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention being attributed to IPS these days.

    I posit here that a NADS (or NIPS) can not *understand* what is going on at the host level, what is running or what and why exactly it is generating the network traffic the NADS picks up. It can observe the network traffic of hosts as if they were little more than black boxes and apply those observations to a given -predefined- model (in the case of pure NADS), to a set of predefined triggers (in the case of pure signature-matching NIDS) or a combination of both (likely most of current commercial solutions).

    > ...
    > A great example of this would be saving the administrator the time of
    > sorting through 1000 RPC buffer overflow alarms generated by his IDS
    > because his servers were not vulnerable and experienced no behavioral
    > change after the attack. However, the administrator would be
    > presented the one RPC buffer overflow that correlated to a host that
    > went outside

    There are other, simpler and cheaper ways to do this that do not imply deploying NADS or NIDS. I will not elaborate on them because it would look like an ad for our own stuff :)

    > of its normal behavior and started scanning other hosts, connected to
    > a remote server on some random port, etc.

    In your example this would be true in as much as the NADS can actually see the compromised host generating traffic to other hosts in the internal network and as far as that traffic is significantly different from the "normal" traffic and/or the NADS perception of what is normal does not change. A large number of attacks (and especially internal
    attacks) can be easily obscured to prevent this.

    To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert channels.

    > considered somewhat like a signature. For example, I don't have to
    > have a baseline of a host to know that aggressive scanning on port 445
    > is bad, port 80 traffic that is not valid http is bad, etc.
    >

    Yes, but valid http traffic (I assume this to mean "well-formed" as you can't tell what is really valid and what not if you don't know the application-layer logic that generates the http traffic) is not necessarily good either. What about non-aggressive scanning of port 445?

    In any case, my point is that NADS as any other specific security technology is faulty and can be fooled rather easily, only a well-thought combination of existing technologies can provide effective security. Such combination should be thought of as the necessary to complement individual technologies and cover each other's weak spots at an optimum cost for a given level of risk that you are willing to accept.
    I realize that this is a quite generic statement but I am willing to elaborate on it if it's of interest to the list or out-of-band if it's not.

    -ivan

    ---
    To strive, to seek, to find, and not to yield.
    - Alfred, Lord Tennyson, Ulysses, 1842
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    ivan.arce@coresecurity.com
    www.coresecurity.com
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
    ------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
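The three detection ideas traded above (application verification of port-80 traffic, a "change in entropy" in a well-formed payload, and an aggressive port-445 scan measured against a threshold) as an added example; this is not code from either post, nor from any product mentioned in the thread. The flow records, the entropy margin of 2 bits/byte and the scan threshold of 10 hosts are constructed assumptions, and the last two records illustrate Ivan's caveat: a source that touches only two hosts on port 445 stays under the threshold, so a count-based baseline alone does not see non-aggressive scanning.

```python
"""Toy NADS-style checks over constructed flow records (added example, not from the thread)."""
import math
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, dst_port, payload). Made up for this
# example; nothing here is captured traffic.
NORMAL_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.6", "10.0.0.20", 80, b"GET /news HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.7", "10.0.0.20", 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=bob"),
    ("10.0.0.5", "10.0.0.30", 445, b"\xffSMB"),
]

SUSPECT_FLOWS = [
    # Port 80 but not HTTP at all: fails application verification.
    ("10.0.0.8", "192.0.2.10", 80, b"\x00\x01\x02hello-not-http"),
    # Well-formed HTTP whose body contains every byte value once: passes the
    # application check, but its entropy (close to 8 bits/byte) is far above
    # the baseline learned from NORMAL_FLOWS.
    ("10.0.0.9", "192.0.2.11", 80, b"POST /up HTTP/1.1\r\nHost: x\r\n\r\n" + bytes(range(256))),
] + [
    # One source touching twenty hosts on port 445: over the scan threshold.
    ("10.0.0.10", f"10.0.1.{i}", 445, b"\xffSMB") for i in range(1, 21)
] + [
    # Two hosts only: stays under the threshold (the non-aggressive case).
    ("10.0.0.11", "10.0.1.1", 445, b"\xffSMB"),
    ("10.0.0.11", "10.0.1.2", 445, b"\xffSMB"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a payload: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_http(payload: bytes) -> bool:
    """Application verification: is the first line a well-formed HTTP/1.x request line?

    Well-formedness only; it says nothing about whether the request is legitimate
    for the application behind it.
    """
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and first_line.endswith((b"HTTP/1.0", b"HTTP/1.1"))


def learn_entropy_baseline(flows, port=80) -> float:
    """Mean payload entropy on one port over a training window: the 'normal' model."""
    values = [shannon_entropy(p) for _, _, dport, p in flows if dport == port]
    return sum(values) / len(values)


def detect(flows, entropy_baseline, entropy_margin=2.0, scan_threshold=10):
    """Return (rule, src, detail) alerts for the three checks discussed in the thread."""
    alerts = []
    smb_targets = defaultdict(set)  # src -> distinct hosts contacted on 445
    for src, dst, dport, payload in flows:
        if dport == 80:
            if not looks_like_http(payload):
                alerts.append(("non-http-on-80", src, dst))
            elif shannon_entropy(payload) > entropy_baseline + entropy_margin:
                alerts.append(("entropy-spike-on-80", src, dst))
        elif dport == 445:
            smb_targets[src].add(dst)
    for src, targets in sorted(smb_targets.items()):
        if len(targets) >= scan_threshold:
            alerts.append(("445-scan", src, f"{len(targets)} hosts"))
    return alerts


if __name__ == "__main__":
    baseline = learn_entropy_baseline(NORMAL_FLOWS)
    print(f"port-80 entropy baseline: {baseline:.2f} bits/byte")
    for alert in detect(SUSPECT_FLOWS, baseline):
        print(alert)
```

The entropy check runs only on payloads that already passed application verification, which is the point of combining the two: a covert channel hidden in well-formed HTTP is missed by the format check and caught by the entropy change, while the slow 445 source is missed by both, which is where host-level visibility or a longer observation window has to fill the gap.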
    

