Re: NADS ( was RE: IPS comparison)

From: Iván Arce
Date: 09/02/05

  • Next message: Frank Knobbe: "Re: IPS comparison"
    Date: Fri, 02 Sep 2005 15:51:31 -0300
    To: Focus-Ids Mailing List

    Joseph Hamm wrote:
    >>This completely rules out host-based IPS or any other endpoint security mechanism, which IMHO is sub-optimal for any
    >>serious security infrastructure initiative.
    > I definitely see the value of host-based agents, however, they have their own challenges. Cost of deployment on every host, difficulty to manage and update, introduction of another attack vector (blackice incident). I should have included this technology though. Sorry for the omission.
    >>I guess at this stage the post starts to diverge towards a pitch for NADS as the true "magic bullet" that you mention
    >>being attributed to IPS these days.
    > LOL! Ooops! Didn't mean for it to come across that way, I'm just passionate about the technology. No "magic bullet" here....just a technology that fills a lot of security gaps.
    >>To generalize further I would say that a NADS will not detect any attack that does not differ significantly from what it perceives as normal (be it learned or predefined behavior) and in particular it will be crippled when coping with covert channels.
    > This assumes that the only method of detection is variation from a baseline which is only a small part of the system. Covert channels are easily detected. Think about application verification and changes in entropy.

    Nope, I did not assume that. However, I did assume that any NADS
    security product uses a model of reality which is basically an abstract
    simplification of things seen in reality in order to make the problem
    tractable under certain assumptions. When a given attack goes around
    those assumptions and outside the established model, then the technology
    that uses it does not prevent or even detect the attack.

    Ok, so I thought about application verification and "changes in entropy".
    It is not clear to me what you imply with this, entropy as in its most
    strict definition in terms of information theory (ie. or something else?

    Now think about differential power analysis, electromagnetic emissions,
    timing analysis, http request "smuggling", ip_id, tcp_seq_num, RPC XID,
    and/or DNS query/answer id "modulation", data encryption and
    compression, network protocol "idle" or seemingly "idempotent" packets
    and transactions, image file formats, application-layer protocol
    definition inconsistencies, etc. (the list can go on-and-on forever)

    So (to me) a good analysis would be not only to understand the things
    that NADS technology CAN do best but also those that it CAN NOT do and
    those that it CAN DO in a sub-optimal manner.

    I understand your enthusiasm and I do think NADS technology can be
    effective today and that it has a promising future but I doubt it will
    ever achieve "completeness" in terms of attack vector coverage.

    Whether it is complete *enough* today is a judgement call.


    To strive, to seek, to find, and not to yield.
    - Alfred, Lord Tennyson Ulysses,1842
    Ivan Arce
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
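
The "changes in entropy" check mentioned in the quoted reply, read in the strict information-theoretic sense Iván asks about, as an added example that is not part of either post or of any NADS product. The 6.0 bits/byte ceiling, the 64-byte minimum and all sample payloads are constructed assumptions. The check models payload bytes only, so it flags ciphertext and ordinary compression alike and says nothing about header fields or timing.

```python
import hashlib
import math
import zlib
from collections import Counter

# Assumed ceiling (bits/byte) for protocols expected to carry plaintext.
# Hypothetical value; a real sensor would learn it per protocol.
PLAINTEXT_CEILING = 6.0
MIN_LEN = 64  # shorter payloads give unstable estimates and are not scored


def shannon_entropy(data: bytes) -> float:
    """H = -sum(p * log2 p) over byte values, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_payload(expected_plaintext: bool, payload: bytes):
    """Return (entropy, verdict) for one payload under the model above."""
    h = shannon_entropy(payload)
    if len(payload) < MIN_LEN:
        return h, "too-short"
    if expected_plaintext and h > PLAINTEXT_CEILING:
        return h, "anomalous"
    return h, "normal"


# Constructed samples (not captured traffic).
HTTP_PLAIN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: example-client/1.0\r\nAccept: text/html\r\n\r\n")
# Stand-in for ciphertext: 512 bytes of chained SHA-256 output.
CIPHER_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
# Benign compressed body: same statistical signature as ciphertext.
COMPRESSED_BODY = zlib.compress(
    "\n".join(f"row {i}: value={i * i} status=ok" for i in range(400)).encode())


def run_samples():
    return {
        "plain http": score_payload(True, HTTP_PLAIN),
        "cipher-like on plaintext port": score_payload(True, CIPHER_LIKE),
        "compressed http body": score_payload(True, COMPRESSED_BODY),
        "cipher-like on tls port": score_payload(False, CIPHER_LIKE),
    }


if __name__ == "__main__":
    for name, (h, verdict) in run_samples().items():
        print(f"{name:30s} H={h:.2f} bits/byte -> {verdict}")
```

The compressed body is benign yet scores the same as the ciphertext stand-in, which is the kind of "sub-optimal" coverage the post asks an analysis to account for.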
