IDS: RE: Alarm response strategies

[Frank Knobbe <frank () knobbe us>]

On Sun, 2004-07-25 at 20:35, Rob Shein wrote:
> Given the fact that IDS are prone to false alarms (and easy to make trigger
> with spoofed traffic), it's the general consensus that active responses are
> a bad idea.  For example, if I were to start scanning your network, and find
> myself suddenly blocked at the router or firewall, I would then spoof tons
> of UDP traffic from DNS servers that I believed you might use.  Your
> firewall would then block traffic from them, and bingo, I've just shut down
> your ability to resolve things.

How does the inline-type IDS differ then? Or are you under the
impression that your spoofed traffic gets blocked both ways? Why
shouldn't a system be able to block unsolicited inbound packets, but let
traffic that initiated from the inside out through without blocking it?
(Oh wait... that's a normal stateful firewall then, right?)

My point is, you can have reactive systems. They just have to be
implemented in a smart fashion so that silly "default attack scenarios"
don't create the DoS of the older days reactive systems. 

Once you have a smart reactive system, it will behave like the inline
IPS. Except that it is reactive (doesn't block first packet). But the
advantage is that you can react from more than one traffic monitoring
point. With inline devices you are limited to that one choke point.
Reactive devices can be triggered by sensors from all over your network.

That should be the main differentiator between those systems, not the
intelligence (or lack of) behind it.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part