Re: IDS vs Application Proxy Firewall

My two cents on this issue as a PhD student working on an AD system for a DBMS (who just wants to get his PhD at the moment and not get into a debate :-)).

I was at the Recent Advances in Intrusion Detection Conference (RAID 2008) recently, where one of the topics for a panel discussion was "Life after antivirus". The main take-away from the discussion was that even top anti-virus companies are looking at whitelisting approaches to augment the existing blacklists in order to win the battle against ever-increasing malware variants. They propose to come up with a combination of whitelists, blacklists and reputation-based systems. Here is the link to one of the relevant presentations:

and to others


Stefano Zanero wrote:
> Omar Herrera wrote:
>
>> Well formally yes, you are right, but you say you are whitelisting
>> /blacklisting from the point of view of whom, the vendor of the security
>> control or the user?
>
> In the case of anomaly detection systems, from the point of view of the
> network or system where the system is deployed, as almost all systems of
> this kind perform learning.
>
>> bad? Let us say for example that using FTP is bad for a company and good
>> for another, for any reason you want. You run your AD tool but the
>> activity is not present for whatever learning time frame you want. Then
>> you see the activity shows up in both cases, what will the tool say and
>
> Nope, you are thinking that learning happens somewhere else than on the
> deployment site. This is not the case.
>
>> how will it act on it? The only way it won't be wrong in any of the two
>> cases is to tell the user "something unusual is happening" and let
>> him/her decide.
>
> Which is what any detector will do, anomaly or misuse based.
>
>> they put the time and resources). The whole idea of white listing is to
>> get a complete set of known good activities, so that you can safely ban
>> "everything else".
>
> Which is the whole idea of firewalling. The fact that the perimeter is
> coming down crashing and burning should tell a tale on this.
>
>> if people take the time and effort to make a risk assessment and
>> separate things (DB there, card processing system here, Web front
>> application over there, and not everything in the same place)
>
> Yes, on systems that are perfectly secure and designed to be perfectly
> secure from the ground up, intrusion detection is pretty useless, I agree :)
>
> On the other hand, we usually think of real world systems ;)
>
>> same problem, and it is not just polymorphism. Fred Cohen demonstrated
>> formally that no software can automatically decide if another piece of
>> software previously unknown is malware or not.
>
> Please, don't get all computer-theoretical on me. Cohen (and a lot of
> other people, actually) reasoned on the basis of the halting problem,
> and of completeness of computation. It is extremely interesting, but has
> really nothing to do with what we're discussing here.
>
>> Well, I would like to be wrong :-). If you have something that can
>> automatically learn without false positives or negatives
>
> Oh, I can provide you with thousands of prototypes which work without
> false positives, OR without false negatives :)
>
> If you want neither, well, that's something you cannot have. Any
> learning system will let you trade off between those values.
>
>> complete white list (from the user's perspective) or gives the same level
>> of security (with a formal proof) using another approach
>
> The point is that you cannot have white lists, so setting them as a
> metric for existing security systems does not make any sense.
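
To make the FTP example and the false-positive/false-negative trade-off in the quoted exchange concrete, here is a small added illustration. It is not code from this thread, from any product named in it, or from the DBMS anomaly-detection work mentioned above; the traffic, the "service" feature and the "bad" labels are all constructed. The detector learns its baseline on the deployment site, as Stefano says real systems do, scores later events by how improbable they are under that baseline, and exposes a threshold. The same FTP flow gets the same score and the same "unusual" verdict for both companies; only the operator's label differs, so at any threshold it is a false positive at one site and a true positive at the other. Sweeping the threshold shows that you can reach zero false positives or zero false negatives on this data, but not both.

```python
# Added illustration, not code from this thread or from any product named in it.
# A toy anomaly detector that learns its baseline on the deployment site
# and then scores new events. All traffic below is constructed; "service"
# stands in for whatever feature a real detector would model.
import math
from collections import Counter


def learn_baseline(training_events):
    """Learn per-service frequencies from the site's own learning window."""
    counts = Counter(e["service"] for e in training_events)
    return counts, len(training_events)


def anomaly_score(baseline, event, alpha=1.0):
    """-log of the Laplace-smoothed probability of the event's service.

    A service never seen during learning gets the highest score whether the
    site considers it good or bad: the detector only knows 'unusual', not 'wrong'.
    """
    counts, total = baseline
    buckets = len(counts) + 1  # seen services plus one 'never seen' bucket
    p = (counts.get(event["service"], 0) + alpha) / (total + alpha * buckets)
    return -math.log(p)


def verdict(baseline, event, threshold):
    """What the detector tells the operator: 'unusual' or 'normal'."""
    return "unusual" if anomaly_score(baseline, event) > threshold else "normal"


def evaluate(baseline, labelled_events, threshold):
    """Count (false positives, false negatives) at one threshold.

    labelled_events: list of (event, is_bad) pairs, labelled by site policy.
    """
    fp = fn = 0
    for event, is_bad in labelled_events:
        flagged = anomaly_score(baseline, event) > threshold
        fp += int(flagged and not is_bad)
        fn += int(not flagged and is_bad)
    return fp, fn


def tradeoff_curve(baseline, labelled_events, thresholds):
    """(threshold, fp, fn) per threshold: the knob every learning system exposes."""
    return [(t, *evaluate(baseline, labelled_events, t)) for t in thresholds]


# Constructed learning window: 1000 flows, and no FTP at all while learning.
TRAINING = [{"service": s}
            for s, n in (("http", 900), ("dns", 90), ("smtp", 10))
            for _ in range(n)]


def labelled_for_site(ftp_is_bad):
    """Constructed post-learning traffic. The only difference between the two
    companies in the FTP example is the label the site puts on the FTP flow."""
    return [
        ({"service": "http"}, False),
        ({"service": "dns"}, False),
        ({"service": "smtp"}, False),  # ordinary mail
        ({"service": "smtp"}, True),   # constructed: same service abused for exfiltration
        ({"service": "ftp"}, ftp_is_bad),
    ]


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    ftp = {"service": "ftp"}
    # Same baseline, same score, same verdict, whichever company this is.
    print("FTP score:", round(anomaly_score(baseline, ftp), 2),
          "verdict:", verdict(baseline, ftp, threshold=5.0))
    for ftp_is_bad in (True, False):
        curve = tradeoff_curve(baseline, labelled_for_site(ftp_is_bad), [3.0, 5.0, 8.0])
        print("FTP is bad at this site:", ftp_is_bad, "->", curve)
```

A threshold of 5.0 here is the "whitelist" setting: it flags exactly what was never seen during learning, which is why the FTP flow is flagged at both sites while the abuse of an already-known service (the second smtp flow) slips through as a false negative. Lowering the threshold catches that flow but starts flagging ordinary mail; raising it past the FTP score flags nothing. That is the trade-off Stefano describes, and why "zero false positives" or "zero false negatives" alone is cheap to promise.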


Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to to learn more.