RE: Intrusion Detection

From: Gary Crumrine (gcrum@us-state.gov)
Date: Wed Apr 15 1998 - 05:08:00 PDT


    Well thank you Mr. Ranum, another "world according to Marcus" speech.  I am 
    trying to figure out where you are coming from on this one Marcus.  I have 
    to agree with Adam, that even if I only can catch a percentage of intruder 
    attempts using one of these IDS systems, then I have raised awareness, and 
    my security posture.  They may be clueless twits, but they can still bungle 
    into gaining some access, and could damage my ability to conduct business. 
    Of course if my firewall is doing the right things, I wouldn't need an NFR, 
    right?  But since you have so eloquently attacked in past commentary the 
    very same firewall industry that you, more than anyone else in this business, 
    helped to create, and dismissed it as irrelevant, I can't help but wonder 
    where you are going with this.  Let's see, NFR doesn't do IDS per se, so it 
    must be meaningless...hmm, now that must be some sort of thought process. 
    
    No Marcus, I am one of your biggest fans; after all, your thought process 
    has led to my being able to feed my family, two cats and a dog, but I have 
    to say you are off base here.  Sure IDS is not the end-all answer, it is an 
    industry that is still in its infancy.  But to arbitrarily dismiss it does 
    not make sense.  The same can be said of forensic tools such as your new 
    pet project.  If you never get hacked, because your firewall was strong, or 
    your IDS detected and alarmed the administrator so they could head it off 
    before any real damage was done, then I don't need an NFR now, do I?  And 
    if I am not willing to prosecute, or take proper corrective action against 
    bumbling insiders, then why record it in the first place?
    
    The bottom line here is that there are a lot of tools out there that are 
    used by professionals to provide them with information they perceive as 
    being important to them, or their management.  Use them if you want to; 
    heck, build your own and sell it if you need to, after all, that is what you 
    have been doing as you worked your way through TIS, V-ONE and now NFR.  But 
    to attack others' products is not worthy of your reputation. 
    
    Unfortunately, IDS systems seem to be the hot ticket these days.  Forensic 
    tools are not, and will not be in my opinion until the legal system has had 
    more time to establish legal precedent.  Business owners looking for tools 
    these days are going to ask one very important question: what value is 
    added with an IDS versus NFR?  I can clearly demonstrate what an IDS gives 
    me; the NFR concept is not so clear.
    
    -----Original Message-----
    From:	Marcus J. Ranum [SMTP:mjrat_private]
    Sent:	Tuesday, April 14, 1998 1:04 PM
    To:	firewall-wizardsat_private
    Subject:	Re: Intrusion Detection
    
    Adam Shostack writes:
    >	I believe intrusion detection to be a misnomer, and that the
    >really useful class of software is attack detection.  Attacks (land,
    >teardrop, phf, password file sucking) are relatively easy to detect
    >with network sniffing software.
    
    Adam,
    
    	To me the big open question in ID is "why?" not "what?"
    
    	If you have a network you believe to be vulnerable to the attacks
    listed above - FIX THEM. If you've fixed them, then why do you care if
    someone uses them against you? Are you actually going to backtrack and
    try to prosecute? Good luck!
    
    	Back when I was a firewall vendor (yes, none of this stuff is new!)
    I built a firewall that alerted the system manager whenever certain
    classes of weirdness occurred. That was always Very Cool and it was the
    first thing they turned off after it began pestering them constantly.
    As the vendor, I wished I'd never put it in because I kept getting
    calls that went something like:
    C: "Hi - my firewall is saying it's getting spoofed packets! Help!"
    V: "What am I supposed to do about it?"
    C: "Well, can you make it stop? Can I call the police?"
    V: "No, and No. It's just informational, really."
    C: "Does this indicate that someone's likely to break through the 
    firewall?"
    V: "No, it indicates that we thought ahead, blocked that avenue of attack,
    	and it doesn't represent a problem at all. I guess you now know that
    	your firewall works, or something."
    C: "Uh, uh, uh..."
    
    	The whole problem with ID (*ESPECIALLY* what Adam calls "attack
    detection") is that it detects something basically useless. So you're
    under attack. Big deal. Your defenses can either handle it, or they
    can't. If they can, then relax, have a homebrew, and don't get pestered
    about land, teardrop, etc. If they can't, you'll know right away anyhow
    when your system slags.
    
    	There are really only 2 good reasons I can think of for ID systems:
    1) To develop a threat level model as to how often you are attacked
    2) To detect clueless people inside your organization who are attacking
    	outside sites
    
    	The first one is kind of silly but I suppose it makes people
    happy to know that they were SATAN scanned 2,102 times last year and
    that their firewall blocked 1292 clueless twinks who tried using the
    "same old stuff" as the previous 1291 clueless twinks. The second one
    is valuable if you actually are going to do something about clueless
    twinks inside your network. I suspect this must put university
    network managers in a real quandary.
    
    	In short, my views are exactly, precisely 180 degrees the
    opposite of Adam's. I don't have TIME to be notified about the
    clueless twinks. What I want is fallback defenses that will detect
    when my first line has failed. This is what I am calling "policy
    based intrusion detection" and I'll probably wind up explaining
    it here in a white paper or long posting some night. :) It's the
    "SOMETHING HAS GONE TERRIBLY WRONG. WARNING WILL ROBINSON!"
    mechanism. I care a lot about that, and the "why?" for such a
    system is obvious. The second part is, of course, what NFRs are
    for. Once you've found that something's happened, then how do you
    figure out what it was?
    
    mjr.
    --
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work - http://www.nfr.net
    home - http://www.clark.net/pub/mjr
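
The distinction Marcus draws between "attack detection" (alerting on land,
teardrop, etc. that the firewall already blocks) and "policy based intrusion
detection" (alerting only when traffic shows up where policy says the first
line of defence should have stopped it) can be made concrete with a few lines
of code. What follows is an added example written for this archive page; it is
not code from the original post, from NFR, or from any of the authors. The tap
names, the addresses, the allowed-flow policy and the flow records are all
constructed for the example and are hypothetical.

```python
"""Attack detection vs. policy-based (fallback) detection over constructed flow records.

Two taps are assumed (hypothetical): "outside" sits in front of the firewall and
sees everything the Internet throws at it; "inside" sits behind it and sees only
what actually got through.  Attack detection fires on packet shapes it recognises
wherever it sees them.  Policy-based detection ignores the outside tap entirely
and fires only when a flow on the inside tap is one the firewall policy forbids,
i.e. when the first line has demonstrably failed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    tap: str     # "outside" or "inside" (hypothetical tap names)
    src: str
    dst: str
    dport: int
    proto: str


# Hypothetical site policy: the only traffic the firewall should let through.
INSIDE = ip_network("10.1.0.0/16")
ALLOWED_INBOUND = {
    (ip_address("10.1.0.25"), 25, "tcp"),   # SMTP to the mail relay only
}
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}      # DNS and web from inside hosts


def is_attack(f: Flow) -> bool:
    """Signature-style 'attack detection': known-bad packet shape (land: src == dst)."""
    return f.src == f.dst


def is_policy_violation(f: Flow) -> bool:
    """Fallback detection: a flow behind the firewall that the policy says
    should never have got there.  Outside-tap traffic is deliberately ignored."""
    if f.tap != "inside":
        return False
    src, dst = ip_address(f.src), ip_address(f.dst)
    inbound = src not in INSIDE and dst in INSIDE
    outbound = src in INSIDE and dst not in INSIDE
    if inbound:
        return (dst, f.dport, f.proto) not in ALLOWED_INBOUND
    if outbound:
        return f.dport not in ALLOWED_OUTBOUND_PORTS
    return False  # inside-to-inside: the firewall is not in the path, no verdict


def attack_alerts(flows):
    return [f for f in flows if is_attack(f)]


def policy_alerts(flows):
    return [f for f in flows if is_policy_violation(f)]


# Constructed sample flows (hypothetical addresses, not real observations).
SAMPLE = [
    # Two land packets aimed at the firewall's external address; blocked there.
    Flow("outside", "203.0.113.1", "203.0.113.1", 139, "tcp"),
    Flow("outside", "203.0.113.1", "203.0.113.1", 139, "tcp"),
    # Legitimate inbound mail, seen on both taps because the firewall passed it.
    Flow("outside", "198.51.100.5", "10.1.0.25", 25, "tcp"),
    Flow("inside", "198.51.100.5", "10.1.0.25", 25, "tcp"),
    # Telnet from the Internet reaching an inside host: the first line failed.
    Flow("inside", "198.51.100.9", "10.1.0.40", 23, "tcp"),
    # An inside host talking IRC out: the 'clueless twink inside' case.
    Flow("inside", "10.1.0.50", "198.51.100.77", 6667, "tcp"),
    # Inside-to-inside file sharing: no verdict, the firewall never saw it.
    Flow("inside", "10.1.0.50", "10.1.0.60", 445, "tcp"),
]


if __name__ == "__main__":
    for f in attack_alerts(SAMPLE):
        print("attack   :", f)   # noise: already blocked, nothing to do
    for f in policy_alerts(SAMPLE):
        print("POLICY   :", f)   # first line failed, investigate these
```

Run as-is and the two land packets produce attack alerts that carry no
actionable information, exactly the "my firewall says it's getting spoofed
packets, help!" call in the post; the two policy alerts are the only flows
that actually contradict what the firewall was supposed to enforce.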
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:30 PDT