IDS mailing list archives

Re: SourceFire RNA


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 3 Dec 2003 14:51:21 -0500

On Dec 2, 2003, at 12:49 PM, Lior Tal wrote:

Rob,
I had no intention to say or insinuate that since Snort is reactive it
is of less value. I had only questioned the ability of a passive
solution to perform what is indicated on SourceFire's web site. Discover ALL DEVICES, ALL SERVICES AND ALL PORTS. That sounds a bit difficult not
to say impossible.

It should probably say all *active* devices/services/ports/protocols, and it's 100% true that it will.

Therefore additional statements in this material, and
again I do not mean to offend any person or company, sound inaccurate
at best.

Once again, how many people are plugging into your network that don't announce their presence via network management protocols (e.g. ARP, DHCP) and don't talk to any servers or services either on your network or outside of it? What do you do when systems that haven't been through your change management and policy compliance processes just pop up on your network? Do you need a scanner to know that something is up that needs careful attention and perhaps a vulnerability scan? How are you going to know that they've shown up if not via passive methods? How are you going to know what they're doing and who they're talking to? Using vulnerability scanners and nmap? What kind of exposure can you tolerate as far as not knowing that they're there for the interstitial periods between your active scanning sweeps? Is this more or less tolerable than being able to detect its presence in real time?

RNA understands your active network, it will see your network in action and tell you about everything that it sees in an easy to manage set of reporting and data analysis interfaces. There is a pretty good argument to be made that people have a lousy understanding of the active side of their networks, much less the inactive side, so if we can't even solve the problem of understanding what's happening in our network environments, what's running, who's running it, who's talking to what on which machines, how that picture is changing day to day and minute to minute, then what good is providing airtight security for locking down every instance of discard that's running on the net?

RNA IS NOT A VULNERABILITY SCANNER! RNA and scanning should only appear in the same sentence as a matter of contrasting two different approaches to understanding what is on your network. I've been seeing the term "passive scanning" getting thrown around a lot around here over the past few weeks and that's about the most oxymoronic thing I've seen on this list ever. RNA exists to give you understanding in a nondeterministic manner about what is on your network and what people are up to. You can use it to track down the root cause of worm infections on your network, you can use it to provide auto-tuning for your IDS, you can use it to build target-based IDS (which isn't just NIDS + back end correlation, by the way), you can use it to auto-tune your firewall, you can use it for policy enforcement, you can use it for about 50 different things. Putting RNA into the "vulnerability analysis" box is like saying a dual Xeon server is really good at organizing your recipes. Sure it is, but it can also do a whole bunch of other things that people find more useful than just organizing recipes!

"Passive VA" - if it is impossible to detect all devices'
properties, how can you tell their vulnerabilities?

It's impossible to do it with an active scanner too; active systems have false positives and negatives and can be hidden from, and there's no such thing as 100% secure.

Providing partial
information in that context sounds like "half pregnant woman".
"Eliminate false alarms" - again, if you cannot tell the detailed
information about a device, and in real time, it sounds impossible.

You need to understand why the passive VA component was developed for RNA. One of the goals of RNA is to provide us with sufficient context about the network environment so that we can differentiate between attacks that can be real and those that can't and prioritize our event notifications more effectively. We aren't seeking to provide you with 100% coverage of precise vulnerabilities in every case for every device on your network; we're trying to understand the families of attacks that can and cannot affect machines on the network so that we can gauge the impact of attacks that are happening on the network. We're also seeking to develop the context about the targets in the environment regarding what OS and services they're running so that we won't be operating our NIDS (or TIDS) at an informational disadvantage from the attackers that can develop specific knowledge about the environment. We developed passive VA techniques so that we wouldn't have to rely on infrequent (and sometimes incorrect) data coming from active scanners that had no notion of a network that changes in real time. It is complementary to active VA systems currently.

I truly think NIDS are a must in every network and that snort is
apparently the most deployed one.

Ditto. :)

    -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
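The passive-inventory and alert-prioritisation idea Marty argues for above, as an added illustration that is not part of this thread and not Sourcefire's RNA code: constructed ARP/DHCP/TCP observations are folded into a per-host picture, hosts absent from an assumed change-management inventory (KNOWN_HOSTS) are listed, and an IDS alert is rated by whether the target's observed service banner matches the service family the alert concerns.

```python
from collections import defaultdict

# Constructed sample of passively observed events; not real capture data.
OBSERVED = [
    {"type": "arp",  "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:05"},
    {"type": "arp",  "ip": "10.0.0.7", "mac": "aa:bb:cc:00:00:07"},
    {"type": "dhcp", "ip": "10.0.0.9", "mac": "aa:bb:cc:00:00:09"},
    {"type": "tcp",  "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 80,
     "banner": "Server: Apache/2.0.48 (Unix)"},
    {"type": "tcp",  "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 22,
     "banner": "SSH-2.0-OpenSSH_3.7"},
]
# Hosts that went through change management (assumed inventory).
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.7"}


def build_inventory(events):
    """Fold observed ARP/DHCP/TCP events into a per-host picture."""
    inv = defaultdict(lambda: {"seen_via": set(), "services": {}, "talks_to": set()})
    for ev in events:
        if ev["type"] in ("arp", "dhcp"):
            inv[ev["ip"]]["seen_via"].add(ev["type"])
        elif ev["type"] == "tcp":
            inv[ev["src"]]["seen_via"].add("client")
            inv[ev["src"]]["talks_to"].add(ev["dst"])
            inv[ev["dst"]]["seen_via"].add("server")
            inv[ev["dst"]]["services"][ev["dport"]] = ev.get("banner", "")
    return dict(inv)


def unknown_hosts(inv, known):
    """Hosts seen on the wire that the change-managed inventory does not list."""
    return sorted(ip for ip in inv if ip not in known)


def assess_alert(inv, target_ip, dport, affects):
    """Rate an IDS alert by whether the target can plausibly be affected.
    `affects` is a substring the vulnerable service family shows in its banner."""
    host = inv.get(target_ip)
    if host is None or dport not in host["services"]:
        return "unknown"  # never saw that service: cannot judge, keep for review
    banner = host["services"][dport]
    return "high" if affects.lower() in banner.lower() else "low"
```

A host that only sends an ARP announcement and never talks to a service still appears in the inventory, which is the real-time detection point made above; a service never observed yields "unknown" rather than a silent downgrade.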

