IDS mailing list archives

RE: Changes in IDS Companies?


From: "Ralph Los" <RLos () enteredge com>
Date: Thu, 17 Oct 2002 08:52:00 -0400

Community:

        I'd like to take a minute to address the 'in-line' fear.  There
needs to be some physical fail-over capacity within IDSes.  I have one
particular example I'd like to bring up.
        I've been successfully deploying NetworkICE's (now ISS, I know)
Guard product.  I don't know how many of you out there do use it, but I
love it.  It does intrusion detection with alerting and pattern matching
(although this is hopefully improving?) and also has a fail-over pod.
By this I mean that in case the box fails to heartbeat to the little pod
connected 'around it' (to bypass it) over the serial connection to the
pod, a failure is detected and the little pod cuts over to a
pass-through mode.  At that point you have a huge problem because your
IDS is down...but at least your network isn't, right?  This is precisely
the reason I can't emphasize enough the importance of layered security.
Folks used to have the misconception that a firewall was enough.  Now
apparently we (security folk) have taught them that firewall + IDS is
enough.  There is no such thing as 'good enough' in my opinion.  It's
all about acceptable risk versus fiscal responsibility.  Can a firm have
a firewall w/DMZs, an in-line active IDS (as mentioned) in front of and
behind the firewall (double protection) as well as HIDS (host-based
IDSes)?  Of course!  Is this a substitute for patching your crappy IIS
boxes?  NO!  But anyway, I'm off on a rant.  I hope my point was clear.

-= _______________________________________________________ =-
-= Ralph Los          -= Sr. Security Engineer             =-
-= _______________________________________________________ =-
-=            EnterEdge Technology, Atlanta                =-
-= -----------------------------------------------------   =-
-= Providing blanket  -= Desk:      (770) 955-9899 x.206   =-
-= protection against -= Email:     rlos () enteredge com     =-
-= the unknown and    -= Email Pgr: rlospage () enteredge com =-
-= unwanted 24x7x365. -=                                   =-
-= ======================================================= =-

::: -----Original Message-----
::: From: Martin Roesch [mailto:roesch () sourcefire com] 
::: Sent: Wednesday, October 16, 2002 5:47 PM
::: To: Avi Chesla
::: Cc: focus-ids () securityfocus com; 'Samuel Cure'
::: Subject: Re: Changes in IDS Companies?
::: 
::: 
::: Network intrusion prevention systems are also relatively untested and
::: still first generation.  The Hogwash wrapper for Snort (and the in-line
::: mode being rolled into Snort) are both good technologies, and intrusion
::: prevention in general is a good idea, but the distance between "good
::: idea" and a concept that's ready for larger market acceptance is a
::: pretty wide gap.
::: 
::: One of the things that's been bothering me about the rush to build and
::: deploy Network Intrusion Prevention Systems (NIPS) lately is the
::: complete lack of discussion about the downsides of such technologies.
::: My consternation falls into a couple of categories that deal with the
::: failure modes of NIPS and the political issues associated with
::: deploying this kind of technology.
::: 
::: Most NIPS are built on the concepts pioneered by intrusion detection
::: systems: protocol anomaly detection, signature-based analysis and
::: traffic anomaly detection (port scans, etc).  Intrusion detection
::: techniques are pretty well known for their applicability to specific
::: problem areas: signature-based detection doesn't pick up attacks it
::: doesn't know about, and anomaly-based detection can't pick up
::: signature-based events (/cgi-bin/phf) very effectively.  The melding
::: of these techniques is critical to providing good coverage from the
::: perspective of a sensor designer, which is why Snort does signature and
::: protocol anomaly detection (and several other tricks).  The problem is
::: that *no* technology is capable of picking up every possible attack; a
::: mix of technologies is often the best way to go to provide effective
::: coverage of the security picture on a given network.
::: 
::: With this in mind, the basic question becomes "how do we know if our
::: NIPS misses an attack?"  If the NIPS misses an attack, we better have
::: a pretty good NIDS/HIDS in place to let us know what happened.
::: 
::: How about failure modes of the technology itself?  It's been shown
::: repeatedly in tests that NIDS technology can be notoriously unstable in
::: a number of scenarios; what happens if that instability is translated
::: to an in-line device?  We're either going to have a fail-closed
::: scenario (protected network is DoS'd) or a fail-open scenario in which
::: the protected network becomes unprotected, possibly for a protracted
::: period of time.  In the first scenario the failure mode will make
::: itself apparent very rapidly, but in the second a NIDS/HIDS is going to
::: be required to record and inform the security/admin staff about the
::: problem as well as attacks during the lapse.
::: 
::: There's also the political battle of deploying another in-line
::: technology in the network, etc. that will be fought anytime one of
::: these is deployed, although I think that fight will happen in the
::: enterprise and not in the mid-tier market.
::: 
::: I'm an advocate of a layered solution.  Firewalls, NIDS/HIDS,
::: authentication, crypto, etc. all continue to have their places on the
::: network.  I think that host-based IPS will see quicker acceptance in
::: the market than NIPS due to the lower "price of deployment/failure"
::: associated with the host-based technologies; they're more like AV
::: systems in their positioning as an end-host oriented security
::: mechanism.  I think that there will definitely be convergence of the
::: firewall and the NIDS, but I think it's early to declare these systems
::: as the next generation; the political battle will have to be fought and
::: the operational limitations of the technologies will have to be found
::: before the final place of IPS in the network security "ecosystem" will
::: be known.
::: 
:::       -Marty
::: 
::: -- 
::: Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
::: Sourcefire: Snort-based Enterprise Intrusion Detection 
::: Infrastructure roesch () sourcefire com - http://www.sourcefire.com
::: Snort: Open Source Network IDS - http://www.snort.org
::: 
::: On Tuesday, October 15, 2002, at 04:45 AM, Avi Chesla wrote:
::: 
::: > I totally agree with you. Next generation IDS, also being called
::: > Intrusion Prevention Systems or Perimeter Security devices, are the
::: > next step in the evolution of the Traditional Intrusion Detection
::: > Systems.  Vendors such as Intruvert, Tipping point, Vsecure
::: > Technologies, Lancope, Forescout, TopLayer (Mitigator) etc. are
::: > examples of some.
::: > All these vendors claim to have Intrusion Prevention Systems which
::: > usually have some kinds of Adaptive capabilities; they do behavioral
::: > and protocol analysis and are not based on attack signatures (most of
::: > them), they sit in-line (most of them), and they mitigate attacks
::: > without depending on other products to do the blocking...
::: >
::: > Best Regards,
::: >
::: > Avi Chesla
::: > Director of Research
::: > Vsecure Technologies, Inc.
::: > www.v-secure.com
::: >
::: > -----Original Message-----
::: > From: Samuel Cure [mailto:scure () netpierce net]
::: > Sent: Monday, October 14, 2002 10:54 PM
::: > To: focus-ids () securityfocus com
::: > Subject: Changes in IDS Companies?
::: >
::: >
::: > Just noticing some changes with some known IDS companies and wanted
::: > some feedback from the community.  Because Marcus Ranum left NFR
::: > earlier this year and Ron Gula has left Enterasys Networks, I am
::: > questioning the future of some early-on IDS companies.  I mentioned
::: > some time ago that the IDS market will eventually consolidate and it
::: > seems like things are moving in that direction.
::: >
::: >
::: > To further enforce my point, word on the street is TippingPoint is
::: > now seeking someone to buy them out.  Does anyone else have anything
::: > that could help validate this or these types of trends in IDS
::: > companies?
::: >
::: >
::: >
::: > Thanks in advance!
::: >
::: > -------------------
::: > Samuel J. Cure
::: > Security Specialist
::: > NetPierce Security Services
::: > www.netpierce.net
::: > -------------------
::: >
::: >
::: 
::: 
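The two failure modes discussed in this thread, Ralph's heartbeat-driven bypass pod that cuts over to pass-through when the IDS box goes silent, and Marty's point that a fail-open lapse must be recorded and reported so staff know how long the segment ran unfiltered, can be made concrete with a small simulation. The code below is an added example for this archive page; it is not code from the Guard product, from ISS, or from Snort/Hogwash, and it assumes a simple design (one heartbeat per interval, cut-over after a fixed number of consecutive misses) with constructed timings and a constructed heartbeat trace.

```python
"""Heartbeat-driven bypass pod, simulated.

Constructed example: the pod expects one heartbeat per `interval` seconds
from the IDS box and cuts over to pass-through (fail-open) after
`max_missed` consecutive misses.  Every transition is logged so that the
security staff can see how long the segment ran unfiltered.  The design,
timings and the sample heartbeat trace are assumptions made for this
example, not taken from any product.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INLINE = "INLINE"   # packets traverse the IDS and are inspected
BYPASS = "BYPASS"   # pod short-circuits around the IDS: no inspection


@dataclass
class Event:
    time: float
    kind: str       # "BYPASS_ENGAGED" or "INLINE_RESTORED"
    detail: str


@dataclass
class BypassPod:
    interval: float = 1.0   # expected heartbeat period (seconds)
    max_missed: int = 3     # consecutive misses before cutting over
    state: str = INLINE
    missed: int = 0
    last_seen: Optional[float] = None
    bypass_since: Optional[float] = None
    lapses: List[Tuple[float, float]] = field(default_factory=list)
    events: List[Event] = field(default_factory=list)

    def observe(self, now: float, heartbeat_seen: bool) -> None:
        """One pod check at time `now`: a heartbeat arrived, or it did not."""
        if heartbeat_seen:
            self.last_seen = now
            self.missed = 0
            if self.state == BYPASS:
                # Box is back: close the fail-open window and record it.
                self.lapses.append((self.bypass_since, now))
                self.events.append(Event(now, "INLINE_RESTORED",
                    f"unfiltered for {now - self.bypass_since:.1f}s"))
                self.state, self.bypass_since = INLINE, None
            return
        self.missed += 1
        if self.state == INLINE and self.missed >= self.max_missed:
            # Cut over.  Traffic was black-holed (fail-closed) from the last
            # heartbeat until now, and runs uninspected from here on.
            dead = (now - self.last_seen) if self.last_seen is not None else now
            self.state, self.bypass_since = BYPASS, now
            self.events.append(Event(now, "BYPASS_ENGAGED",
                f"{self.missed} heartbeats missed; box silent {dead:.1f}s; "
                f"traffic now unfiltered"))

    def run(self, heartbeats: List[float], end_time: float) -> List[Event]:
        """Replay a heartbeat trace, checking once per interval."""
        hb = sorted(heartbeats)
        idx = 0
        ticks = int(end_time / self.interval) + 1
        for k in range(ticks):
            now = k * self.interval
            seen = False
            # Any heartbeat that arrived since the previous tick counts.
            while idx < len(hb) and hb[idx] <= now:
                seen, idx = True, idx + 1
            self.observe(now, seen)
        return self.events

    def unprotected_seconds(self, end_time: float) -> float:
        """Total fail-open time, including a window still open at end_time."""
        total = sum(end - start for start, end in self.lapses)
        if self.state == BYPASS:
            total += end_time - self.bypass_since
        return total


def sample_trace() -> List[float]:
    """Constructed trace: steady heartbeats, a 10 s hang, recovery, then a
    second hang that has not cleared by the end of the observation."""
    return [float(t) for t in range(0, 10)] + [float(t) for t in range(20, 31)]


def demo(end_time: float = 35.0):
    pod = BypassPod(interval=1.0, max_missed=3)
    events = pod.run(sample_trace(), end_time)
    return pod, events


if __name__ == "__main__":
    pod, events = demo()
    for e in events:
        print(f"t={e.time:5.1f}  {e.kind:16s} {e.detail}")
    print(f"total unfiltered time: {pod.unprotected_seconds(35.0):.1f}s")
```

Running it shows both halves of the trade-off Marty describes: a short fail-closed gap between the last heartbeat and the cut-over (here three seconds), and then a fail-open window that only ends when the box comes back. The `lapses` list and the `INLINE_RESTORED` event are what an out-of-band NIDS/HIDS or a log collector would need to ingest, since the in-line device itself was not inspecting anything during that window.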
