Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: jflowers () hiverworld com (John S Flowers)
Date: Mon, 06 Dec 1999 21:44:49 -0800

Despite the fact that our IDS isn't shipping yet, this is exactly the
theory that we're using for our vulnerability scanner [aka ARMS] and
plan to use for the IDS [aka ARMOR].  

We're [today] deploying multiple Network Security Appliances at a
customer location and allowing them to communicate with one another by
way of a controller system that performs load-balancing, real-time
vulnerability updates and other tasks that can be centralized.  This
way, the scanner at a remote location in the customer network can "see"
servers that would otherwise be protected from the central location by
router ACLs or departmental firewalls.  It's distributed scanning with
total knowledge sharing on the management console.

To extend this concept, we're working on an advanced system that
coordinates all the findings from the remote IDS sensors and runs the
data through our risk management suite in real-time.

This also ties in with a concept that we're very much on board with,
called "depth of access" -- where any system, no matter how deep in the
customer network, can provide information about the depth of access for
a specific attack. 

Of course, it's easier said than done and I wouldn't expect version 1.0
of ARMOR anytime before mid-2000 from us.  In the meantime, we've
considered providing modules that extend NFR or other IDSs with the
ability to pass information into our risk management system, but do not
have a shipping version of this solution either.

P.S. Before anyone calls vaporware on these products, you really should
look at our website or take ARMS for a test drive.  It's very real
[today], with the exception of the IDS functionality being released in
mid 2000.

I hope I'm not starting to hype our technology too much -- but my frame
of reference has been rooted in the Hiverworld methodology for the last
4+ years.

Trevor Schroeder wrote:

Hmmm... Here's an interesting question:

It seems like a pretty obvious thing, but I don't recall seeing anything
on this list recently about it (which is not to say that it hasn't floated
by... ;), but has anybody used multiple NIDSs to provide higher
sensitivity with fewer false positives?

It seems like you could increase the sensitivity of your various NIDS but
then require a subset (maybe a majority) to agree that an attack is
occurring in order to trigger an alarm.

Basically, it seems like a nice application of N-version software,
assuming there aren't correlated faults (faults in this case being either
false positives or missed detections).

Of course there are some problems.  Perhaps one NIDS picks up an attack
that nobody else does, no matter how sensitive they are.  In that case,
you've just written off a good detection as a false positive.
Additionally, you need to have a means to automatically correlate the
data between your various NIDS or you've largely negated the benefit...

Anyhow, anybody done it?  Thoughts?
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................:

-- 
John S Flowers                   <jflowers () hiverworld com>
Chief Technology Officer         http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
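The voting scheme discussed in the thread, as an added illustration that is not code from either poster or from Hiverworld: a correlator that confirms an event only when a quorum of distinct sensors reports the same (source, destination, signature) inside a time window, and keeps sub-quorum detections as "unconfirmed" for review rather than writing them off. The sensor names, alerts and signatures are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts from three hypothetical sensors:
# (sensor, timestamp_seconds, source, destination, signature)
SAMPLE_ALERTS = [
    ("sensor-A", 100.0, "10.0.0.5", "10.0.1.20", "web-cgi-probe"),
    ("sensor-B", 101.5, "10.0.0.5", "10.0.1.20", "web-cgi-probe"),
    ("sensor-C", 102.0, "10.0.0.5", "10.0.1.20", "web-cgi-probe"),
    ("sensor-A", 150.0, "10.0.0.9", "10.0.1.20", "portscan"),   # seen by one sensor only
    ("sensor-B", 200.0, "10.0.0.7", "10.0.2.3", "rpc-probe"),
    ("sensor-C", 260.0, "10.0.0.7", "10.0.2.3", "rpc-probe"),   # same event, 60 s later
]


def majority_quorum(n_sensors):
    """Smallest number of sensors that forms a strict majority of n_sensors."""
    return n_sensors // 2 + 1


def correlate(alerts, quorum, window):
    """Vote across sensors.

    An event (src, dst, signature) is confirmed when at least `quorum` distinct
    sensors report it within `window` seconds of the first report in a cluster.
    Clusters below quorum are returned as unconfirmed instead of being dropped,
    because a detection seen by a single sensor may still be a real attack.
    Returns (confirmed, unconfirmed), each a list of dicts.
    """
    by_event = defaultdict(list)
    for sensor, ts, src, dst, sig in sorted(alerts, key=lambda a: a[1]):
        by_event[(src, dst, sig)].append((ts, sensor))

    confirmed, unconfirmed = [], []
    for key, reports in by_event.items():
        i = 0
        while i < len(reports):
            # open a cluster at the earliest unassigned report and gather
            # every report from any sensor that falls within the window
            start_ts = reports[i][0]
            sensors, j = set(), i
            while j < len(reports) and reports[j][0] - start_ts <= window:
                sensors.add(reports[j][1])
                j += 1
            record = {"event": key, "first_seen": start_ts, "sensors": sorted(sensors)}
            (confirmed if len(sensors) >= quorum else unconfirmed).append(record)
            i = j
    return confirmed, unconfirmed
```

Widening the window to 60 seconds lets the two rpc-probe reports vote together, which shows how much the result depends on the clock skew and latency between sensors.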