IDS mailing list archives

Re: Cisco CTR


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 3 Dec 2003 14:09:30 -0500

On Dec 1, 2003, at 9:17 PM, Eric Hacker wrote:

> Martin Roesch wrote:
>
>> This is an interesting point and worth debating I think. Accuracy is a tricky thing in passive and active systems. On the one hand, active systems get to send whatever stimuli they want to elicit a response, but when they're wrong about their interpretation of the results they're 100% wrong, and depending on the circumstances of the error they may give you information that's 100% wrong with 100% confidence (i.e. false positives/negatives).
>>
>> Passive systems have more time to play with and therefore can introduce the concept of variable confidence levels and integrating data points over time ranges, but they are data driven and have to wait for the hosts/services/protocols/etc. to reveal themselves. In the context of how accurate the two methods are, I think it'll be interesting to see just how accurate passive systems can be versus the false positive/negative rate of active methods.
>
> There is no requirement that active VA systems produce a result based on a single stimulus-response cycle. The fact that they do is a weakness in product design and not active probes in general.

True, but that's the way they work right now. If you go into a sampling method you still don't see change in real time and you have to decide a number of things like frequency, sample size, probe types and coverage (i.e. full portscan vs well known ports), etc.

> I like what I'm hearing about passive VA tools and how they can complement active VA. What I can't figure out is how I could get passive sensors deployed anywhere near the entire environment. I have IDS requirements for only a small part of the overall network and even a relatively small section of the server farms. I have VA requirements everywhere some idiot has access to a network jack.

Once again, VA is just a part of what we're trying to accomplish here. Regardless of what level of vulnerability awareness you get for every device that gets plugged into every network jack, you'd like to at least be able to know that they're there and what they're up to. In addition to that, we can start getting a feel for the kinds of vulnerabilities that are available on that machine based on its behavior. You can also get proactive by hooking the passive change analysis to active scanners, etc.

The coverage model you select will depend on a number of factors, but you can have more or less fidelity with passive discovery systems based on their location and the configuration of your network. What we've been seeing in our testing on large networks with some of our beta sites is that the further away a node is from the sensor the lower the confidence and quantity of the information that a passive system will develop.

Populating passive network discovery sensors near network choke points (e.g. peering points) will probably be a good way to detect new hosts and changes in general that happen on your network. From the standpoint of security of your network, people who plug in and do nothing (i.e. plug in stealthily and just sniff) aren't going to be detected by either method; everyone else is going to show up by virtue of the traffic that they generate.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

