CRIME IDS technologies

From: Andrew Plato (aplato@private)
Date: Wed Aug 28 2002 - 17:36:02 PDT

    I am changing the subject line of this, since we're veering off the original topic. You guys are lucky. I am at home sick today and have time to devote to these discussions. 
     
    >A firewall, in particular, is a configuration engine, so in this case
    >its correct configuration is critical to its security. However, the
    >*expressiveness* of the configuration engine strongly impacts the
    >correctness of the configuration: a proxy firewall tends to "fail
    >closed", causing lack of network access. A packet filter tends to "fail
    >open", tending to create security vulnerabilities.
     
    Fail is bad, regardless of open or closed. And honestly, all the firewalls we've discussed (WatchGuard, SonicWall, CheckPoint) to my knowledge will fail-closed. When the firewall fails for any reason, it kills the connection. That's about as fail-closed as you can get. 
     
    >> Yes, I agree. There is a place for secure operating systems. But IDS
    >> can start to deliver information about what's going on, on your
    >> network. Firewalls and secure OS components may keep hackers out. But
    >> an IDS has the unique job of telling you if anybody is even trying.
    >> Moreover, good IDSs have the capability to archive intrusion data,
    >> hence giving you evidence of an intrusion.
    >
    >True. But you have to be willing to invest the effort in hiring security
    >analysts to look at the data the IDS is generating.
     
    Not true. Most of the commercial IDSs include extensive documentation, training, and support to help even novice users come up to speed with the IDS and its capabilities. In the case of something like Snort, which is much more difficult to use, then yes, interpreting the results can be very hard. This is one of the many reasons companies choose commercial products. They have more sophisticated training and education offerings as well as local VARs, such as my company, who can help make it work properly. 
     
    Don't get me wrong, Snort is a great IDS. It just isn't a universal solution.  
     
    >Elsewhere
    ><http://honor.icsalabs.com/pipermail/firewall-wizards/2002-August/012771.html>,
    >I have *vehemently* argued that "blocking IDS" (also known as "intrusion
    >prevention" or "inline IDS") are *bullshit* terms designed to distract
    >customers from the fact that this IDS is now acting in the capacity of
    >either a firewall (for "blocking" NIDS) or secure operating system (for
    >"blocking" HIDS).
     
    I think you're getting hung up on the marketing of these technologies and not their true function. None of these "intrusion prevention" devices are designed to replace the role of a firewall. Firewalls do their job, but the fact is most organizations have firewalls that are full of holes, either due to poor implementation or necessity.
     
    HIDS and active NIDS can fill a gap and offer another layer of protection after the firewall. They can also monitor internal use and block internal users doing things they should not do. An enterprise firewall is 100% incapable of detecting or stopping an internal employee who is hacking into systems. An HIDS with a local firewall, properly tuned and managed, can. A NIDS can detect and shoot down internal users who are going places they should not. It can also spot and shoot down hackers who DO manage to make it through the firewall. 
     
    >The problem is that IDS are flakey: they have a significant
    >false-positive rate. If you turn an IDS into a blocking IDS, you either
    >get a huge false-positive problem (if you think Raptor's proxies are
    >fussy, you ain't seen nothin' yet) or you have to turn the IDS's
    >sensitivity *way* down.
     
    IDSs have false-positives because the users don't tune them. One of the largest problems I see in my work is companies that slapped an IDS on their network, turned it on, got a lot of false positives, freaked out, and then unleashed a firestorm of complaints. The simple fact is, they did not tune their system. 
     
    The blame for this is threefold: 
     
    1. IDS vendors don't tell users that these systems need configuration and integration time. 
     
    2. Users don't take the time to learn their products or hire consultants (like me) to help them. 
     
    3. VARs who hard-sell their customers on IDS solutions without the technical know-how to help their customers implement these products properly.  
    
    >People should be aware of what they are buying: "blocking NIDS" should
    >be properly called "signature firewalls", and compared against firewall
    >solutions. To some extent, industry is now recognizing this; Netscreen
    >(a firewall vendor) is acquiring OneSecure (an IDS vendor) to produce an
    >integrated gateway solution. At least it will be recognizable as a
    >firewall with IDS stuff in it.
     
    IDSs have their function, firewalls have theirs. I am not sure putting these two together on the same platform is a good idea. I think both products can be improved by adopting some features of the other. But the fact is, firewalls and IDSs are fundamentally different things. Perhaps this will change in time. 
     
    >You should check out Inline Snort (nee Hogwash). This is precisely what
    >you describe: Snort with blocking capability, basically Snort acting as
    >a nifty, signature-based firewall. As above, they turned the sensitivity
    >of Snort way down, so that it only blocks things that they are damned
    >sure are intrusions.
     
    Got it, installed it, used it... Hogwash is interesting, but it is significantly more difficult to tune and manage than its commercial counterparts. 
     
    >Agreed. But IMHO IDS is on the expensive end of the spectrum. Not
    >because the technology is expensive (Snort is free, and arguably better
    >than most commercial solutions) but because of the expense of the human
    >incident analysts necessary to get any value out of IDS. IDS's are just
    >machines that spit out lists of suspicious events; you have to have
    >humans monitor them, or you might as well not bother.
     
    That's information. Valuable information that can do more than just block hackers. I have a whole set of customers running full-scale HIDS solutions on every single workstation. We've caught everything from snooping employees, unauthorized applications, even improperly configured applications. My favorite story is the consultant who tried to slip into his employer's network using a stolen root-level account. He would have made it through and stolen everything, but the HIDS picked it up and we caught the guy. That company could have invested 92 billion dollars in secure operating systems, 90000 bit encryption, and a firewall the size of a refrigerator - and none of that would have spotted this guy armed with a stolen root account. 
     
    The value of these systems goes well beyond merely security. It's monitoring at a very granular level, catching events that would have gone totally unnoticed had these customers never had an IDS. 
     
    As for expense, that too is not always the case. There are many commercial solutions that are inexpensive. Moreover, Snort is not always a good fit for every environment. Snort is mostly a geek-tool that requires a great deal of skill and expertise to implement properly. It also lacks a wide array of convenience features, like central management. While Snort CAN do many things, most of those convenience features are custom designs or somebody else's side-project with questionable support. That just isn't acceptable to many organizations who need reliable support, training, and maintenance mechanisms. 
     
    Remember, just because YOU are comfortable with a particular technology or solution does not mean EVERYBODY shares that comfort. There is a wide range of skills out there, and as such, there is a wide range of solutions, both commercial and open source, to fill those needs. 
     
    >If you just want moderate, affordable security, stick strictly to
    >preventive technologies (firewalls, strong authentication, VPNs,
    >vulnerability scanners, and secure OS's) and leave the IDSs to people
    >with money to burn on security.
     
    IDSs are perhaps the ultimate preventative solution. They give you deep insight into what is really going on inside your network so network folks can make intelligent, informed decisions about security. This is insight that no firewall, encryption, or secure OS could ever provide. Moreover, when centrally managed, you can start seeing a wide array of interesting things and issue commands to block or more closely monitor from a single console. 
    
    -----------------------------------
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    ------------------------------------ 
    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 19:04:53 PDT