Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo_at_uow.edu.au
>
> Just on this, are there any open standards for getting IDS systems and
> firewall systems to talk to each other ? What I'd like to see is the
> ability to use open source products (like IP Filter :-) with products
> such as RS - and I'm sure others would too - and hopefully that would
> also entail allowing other products to be used in that manner too.
>
With a common IDS response protocol, there might be additional interesting
options for it to talk to besides a firewall. Maybe if the IDS sensors
detect a massive attack in the middle of the night, they talk to the coffee
machine to start up a fresh batch and order "Mega War Heads" from kozmo.com
(under snacks) as you come in for a long night to battle back the enemy.
There are at least 2 IDS standards groups: IETF has IDWG (intrusion
detection working group) that is starting to lay the groundwork for IDS in
the industry, and CIDF (common intrusion detection framework). I do not
believe either of them has tackled a standard for a common IDS response
protocol. There has been a lot of focus on a common data sharing format
across IDS products, so that if you deploy 4 types of IDS sensors, no matter
who makes the product, they can all correlate the events using the same data
format.
I would expect to see CVE or something equivalent over time to be extended
to the IDS area as well. That way, if you are using 2 types of IDS sensors
and they both detect something, regardless of attack name, the CVE # would
indicate whether they were seeing the exact same attack type (duplicative
but reconfirming) or different (maybe the 2 sensors pick up different
signatures).
As the number of IDS products increases, mutual customers between different
security vendors are going to demand interoperability between their
products, hence standards will become more prevalent in this industry. IDS
as an industry is really just beginning. IDS has been in research for many
years, but now we are seeing IDS/VA becoming a standard part of any good
security system, and now with customers actually deploying and relying on
IDS, this industry is going to evolve much more rapidly to supply and
fulfill the demand.
The IDS industry needs a standard for benchmarking the performance of IDS.
There are a lot of variables, and many times, some of the performance testing
in a lab environment doesn't reflect what real network traffic looks like,
so the results may be slanted good or bad with the fake data generated, but
it may not tell the full story of how well the IDS does in an actual
environment. Also, coming up with a common group of signatures that are
turned on for performance testing for all IDS sensors can be tricky. We
almost need something like fragrouter but for performance testing that
everyone in the IDS industry can benchmark against. As was said earlier,
something to separate the boys and men.
Cheers,
Chris
Received on Jul 11 2000
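The two ideas in the post above, a common data format so that alerts from different vendors' sensors can be correlated, and a shared identifier such as a CVE number that tells you whether two sensors saw the same attack type or different ones, can be shown together in a small correlator. The following is an added example, not code from the original post or from any IDS product it mentions; the sensor names, the two raw log formats, the signature-name tables and the "CVE-PLACEHOLDER-NNNN" identifiers are all constructed for illustration.

```python
"""Normalize alerts from two hypothetical IDS sensors into one record shape and
correlate them by common identifier (a CVE-style ID) instead of vendor attack name.
All sensor names, log formats, signature tables and identifiers are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    sensor: str            # which sensor raised it
    when: datetime
    src: str
    dst: str
    vendor_name: str       # the attack name as that vendor calls it
    cve: Optional[str]     # common identifier; None if the vendor maps nothing


# Hypothetical per-vendor tables: proprietary signature name -> common identifier.
# Placeholder IDs only; they are not real CVE entries.
SIG_TO_CVE: Dict[str, Dict[str, str]] = {
    "sensorA": {
        "FTP SITE EXEC Overflow": "CVE-PLACEHOLDER-0001",
        "Web CGI phf Access": "CVE-PLACEHOLDER-0002",
    },
    "sensorB": {
        "ftp-site-exec-bo": "CVE-PLACEHOLDER-0001",
        "ftp-anonymous-login": "CVE-PLACEHOLDER-0003",
    },
}


def parse_sensor_a(line: str) -> Alert:
    # Constructed sensorA format: "timestamp|src|dst|attack name", pipe-delimited.
    ts, src, dst, name = line.strip().split("|")
    return Alert("sensorA", datetime.fromisoformat(ts), src, dst, name,
                 SIG_TO_CVE["sensorA"].get(name))


def parse_sensor_b(line: str) -> Alert:
    # Constructed sensorB format: space-separated key=value tokens.
    kv = dict(tok.split("=", 1) for tok in line.split())
    name = kv["sid"]
    return Alert("sensorB", datetime.fromisoformat(kv["time"]), kv["from"], kv["to"],
                 name, SIG_TO_CVE["sensorB"].get(name))


def _summarize(cve: str, src: str, dst: str, items: List[Alert]) -> dict:
    sensors = sorted({a.sensor for a in items})
    return {
        "cve": cve, "src": src, "dst": dst, "sensors": sensors,
        "vendor_names": sorted({a.vendor_name for a in items}),
        # More than one distinct sensor on the same ID/src/dst = duplicative but reconfirming.
        "verdict": "reconfirmed" if len(sensors) > 1 else "single-sensor",
    }


def correlate(alerts: List[Alert],
              window: timedelta = timedelta(seconds=60)) -> Tuple[List[dict], List[Alert]]:
    """Group alerts sharing (cve, src, dst) that fall within `window` of the group's
    first alert. Alerts with no common identifier cannot be correlated across
    vendors and are returned separately as `unmapped`."""
    groups: List[dict] = []
    unmapped: List[Alert] = []
    by_key: Dict[Tuple[str, str, str], List[Alert]] = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.when):
        if a.cve is None:
            unmapped.append(a)
            continue
        by_key[(a.cve, a.src, a.dst)].append(a)
    for (cve, src, dst), items in by_key.items():
        current = [items[0]]
        for a in items[1:]:
            if a.when - current[0].when <= window:
                current.append(a)
            else:
                groups.append(_summarize(cve, src, dst, current))
                current = [a]
        groups.append(_summarize(cve, src, dst, current))
    return groups, unmapped


# Constructed sample logs from the two sensors.
SENSOR_A_LOG = [
    "2000-07-11T02:14:05|10.0.0.5|10.0.0.9|FTP SITE EXEC Overflow",
    "2000-07-11T02:20:00|10.0.0.7|10.0.0.9|Web CGI phf Access",
]
SENSOR_B_LOG = [
    "time=2000-07-11T02:14:07 sid=ftp-site-exec-bo from=10.0.0.5 to=10.0.0.9",
    "time=2000-07-11T02:14:09 sid=ftp-anonymous-login from=10.0.0.5 to=10.0.0.9",
    "time=2000-07-11T02:30:00 sid=unknown-sig-42 from=10.0.0.8 to=10.0.0.9",
]


def run_example() -> Tuple[List[dict], List[Alert]]:
    alerts = [parse_sensor_a(l) for l in SENSOR_A_LOG] + [parse_sensor_b(l) for l in SENSOR_B_LOG]
    return correlate(alerts)


if __name__ == "__main__":
    found, leftover = run_example()
    for g in found:
        print(g["verdict"], g["cve"], g["sensors"], g["vendor_names"])
    for a in leftover:
        print("unmapped:", a.sensor, a.vendor_name)
```

Run as-is, the two differently named FTP alerts from sensorA and sensorB collapse into one reconfirmed group because they share an identifier, source and destination within the window, while the sensorB signature with no mapping lands in the unmapped list: exactly the case the post describes, where a shared identifier rather than the vendor's attack name decides whether two sensors saw the same thing.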