IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Jason <security () brvenik com>
Date: Wed, 16 Mar 2005 18:08:12 -0500
inline. [...]
Invisible in the sense that the interfaces that pass traffic do not have IP addresses. And yes, the device must have an IP address on the management side, but that's generally deeper in the network. I'm not sure that's obscurity... that's simply smart management. Many customers have completely out of band management networks. And yes, it's possible to compromise systems that are simply sniffing... but it's much harder. I know of only one product that's been successfully remotely exploited in this manner, and the only reason that happened was because it was an opensource product that allows hackers to read the source code and look for ways to compromise it.Just cause your in L2 mode doesn't make you immune to attack(http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump). The box still has to process packets just like any other L3 app. I'm not sure how bridge mode makes a box "invisible". Besides, the device still needs an IP on the local network for management. Sounds like security through obscurity to me.
Hmm, apparently your FUD thrower needs an update :-) http://www.google.com/search?q=witty+iss Last time I checked ISS was closed source.Then there is the Enterasys code that is apparently available for sale. ( http://tinyurl.com/3s84g ) IIRC the NFR sources were floating around a few years back too. The moral of the story is that sources are easy to come across if you want them and being closed only offers an obscurity advantage.
http://www.caida.org/analysis/security/witty/While the Witty worm is only the latest in a string of self-propagating remote exploits, it distinguishes itself through several interesting features:
* Witty was the first widely propagated Internet worm to carry a destructive payload. * Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm. * Witty represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized. * Witty spread through a host population in which every compromised host was doing something proactive to secure their computers and networks. * Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.
IPS technologies are actually just as (if not more) successful internally than on the perimeter. I would argue that they are not disparate technologies even today. NFR's appliances are essentially FreeBSD based, and so we've integrated FreeBSD's pf into the product which is a fully functional firewall. It's providing the pretty GUI overlay that CheckPoint and other traditional firewall vendors have had for years that is the hard part. Fortunately, we (the collective IPS vendor market as a whole) get to learn from their mistakes and successes.With the obvious success of IPS technologies at the perimeter, I find it hard to believe that IPS and FW technologies will remain disparatetechnologies for more than a few more years. The IPS vendors need to do oneof two things: 1. Find a good firewall vendor to acquire them or 2. Build a full featured firewall from scratch.
The IPS cannot be _in_ the networks to be protected and must remain at the borders. This means that you can have systems compromised within the internal borders and still end up with a big mess. An IPS is a useful tool for mitigating nuisance issues and rapidly moving threats only if it can respond before those threats occur. In the case of witty it was the threat. What if those systems had been inline?
Defense in depth is the key element and if you combine the FW and the Inline device or not you still have to monitor the networks to really know what is happening. How do you effectively prevent the exploitation of the Microsoft GDI+ vulnerabilities by dropping packets on a gigabit core? On a 100Mbs segment?
I will argue that you cannot. Disclaimers: - I have never seen any of the source code mentioned. - I do not know that those sources are actually available. - I work for a vendor. -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Re: How to choose an IDS/FW MSS provider, (continued)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 11)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 14)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Adam Powers (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- RE: How to choose an IDS/FW MSS provider Stuart Staniford (Mar 16)
- Re: How to choose an IDS/FW MSS provider Jason (Mar 19)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
- Re: How to choose an IDS/FW MSS provider Richard Bejtlich (Mar 23)
- Re: How to choose an IDS/FW MSS provider Ron Gula (Mar 24)
- RE: How to choose an IDS/FW MSS provider Chris Harrington (Mar 16)
- RE: Has ISS a SOC in Europe? Gregory Bell (Mar 14)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 14)
- Re: How to choose an IDS/FW MSS provider Martin Roesch (Mar 16)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)