IDS mailing list archives
Re: Network IDS
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Fri, 22 Aug 2003 11:04:56 -0400
Sam f. Stover wrote:
> This is a semantic issue in which (I believe) Andreas' post meant that NIDS don't actually protect, they alert. A home security system doesn't stop people from breaking into your house - but it does alert someone to the fact that something wrong happened. I mean there are other things that may scare the thief away, like the lights coming on or the police pulling into the driveway, but the fact remains that most home security systems (as well as passive IDSs) don't stop the intrusion from occurring. At least, I'm guessing that's what you meant, Andreas?
OK - I'll bite here. I suppose that depends on how you define "protect". If you define "protection" as stopping the thief, then you're absolutely correct. If you define "protection" as alerting you when something happens, then an NIDS does protect your network. I see where you're going with this, but I don't think that the distinction is that simple to draw. If I have lights on my house to try to scare away a burglar, or - more appropriately - if my front door is wired with explosives (sort of like an IPS blowing a packet away :) ) and if the burglar then tries to break in, they should be blown to bits, right? Well, what if they get around the wiring of the bomb, having noticed that the bomb was there (or assuming that it might be)? Then, any non-related system that detects the break-in is assisting in protection of the assets, correct?
I mean, we can go in circles on this analogy all day, and never come up with the answer. Not to mention the fact that analogies usually end up not being applicable, so let's not get caught in that trap. :)
So, I see what you are saying - and it's a semantic argument. But, the given suggestion wasn't really enough to protect the systems.
>> Now, the semantic argument that says that "NIDS is not about protecting systems" basically states that NIDS is about protecting networks.
>
> I'm sorry, but I don't know what this sentence means. I don't necessarily differentiate between "systems" and "networks" - should I?
No - and that was precisely my point. I was simply acknowledging that there is an argument that exists that says that and that it's a semantic argument, not a purely factual one.
>> Factually, this is true - Host IDS is about protecting a *system* and NIDS is about detecting intrusions over the network. But never, ever, ever, ever forget that a network is composed of a group of systems.
>
> My view (as an ex-IDS vendor employee) is that the IDS isn't actively "protecting" anything (NIDS or HIDS, for that matter), but alerting you when something does happen, so you can take action. IPS, OTOH, does do "protecting" (and self-inflicted DoS) as opposed to just "alerting", which the original poster should be aware of. It's my understanding that this thread originated on the request for advice on how to implement IDS to protect. Passive IDS indirectly protects in that it imparts information/knowledge (i.e. power) to the user to help undertake protective measures, but does no actual protecting/prevention, in and of itself.
Being alerted is a part of protection. Again, I see your point on a semantic level, but refuse to accept that NIDS/HIDS have no part in protection of the infrastructure. Do they, alone, act to protect the infrastructure? No - but they play a part.
If you can build a security device that protects an asset without human intervention, then I'll be the first in line to buy it. However, I don't personally think that a completely automated, plug in and run security box is possible. Until that time, no security device - be they IDS/IPS/whatever - will ever single-handedly act as a protector for the network. They will always require a degree of human intervention.
So, I fail to draw a distinction between indirect protection (detection) and direct protection (prevention) in this context. Both play a part in protecting the network. Ultimately, protection of the network is the responsibility of the security analyst and the administrators, not the box in the corner.
>> For full system protection, he should be deploying a Host IDS on the servers/systems he's defending... but an NIDS is a really good idea for detecting attacks that happen over the line. What if someone compromises the system and kills the HIDS and deletes the logs in the middle of the night?
>
> Let's examine your scenario further. Assuming someone did own the system, kill the HIDS and wipe the logs. What did your H/NIDS do to protect you? Nothing. They can provide forensic evidence (well, the NIDS anyway in this particular example ;-), but no "protecting" occurred. This is a point that too many folks pass over, in their hurry to implement an IDS security solution.
>
> Now, before all the vendors jump down my throat, pretty much everyone is implementing offensive capabilities into the IDS like session shootdown for passive IDS and in-line "firewalling on steroids", so there are definitely active protective measures available (and I'm sure someone will expound on how their IDS "can do all that, and more!"). This is the crucial point to my post though: if the original poster wants something that will "protect" instead of "alert", then this needs to be discussed early on in vendor negotiation for the ultimate solution for their network.
Well, at the moment of the attack, the HIDS and the NIDS did nothing to protect the asset. And the question of IPS never came up. I'd implicitly suggest that IPS/inline-IDS are valid solutions in this case. I never said they weren't. All I said is that placing the box in the DMZ and securing its services isn't enough. You have to go beyond that and deploy NIDS to protect against attacks that compromise the target system and "protect" it, if you will, even if that protection is post-mortem (detection tomorrow is better than not detecting a break-in at all). So, to answer your question, IPS would fall into my suggestion by implicit direction - it adds a layer of security beyond simple bastion server securing and hence serves a purpose in defense.
Before we get too tied up in semantics, let's not forget that the idea is to defend systems - whether that defense is indirect or direct is only a specific factoid of the technology being deployed - both are, in the long run, defense mechanisms. :)
-Barry
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
---------------------------------------------------------------------------
