Intrusion Detection Systems mailing list archives

Re: IDS standards (was: IDS taps in a switched network...)


From: rgula () network-defense com (Ron Gula)
Date: Mon, 01 Nov 1999 20:14:23 -0800



At 07:38 PM 11/1/99 -0500, you wrote:

Even if the switch can buffer petabytes of data, it still has to exit out a
spy port that operates at 100 Mbit/s. Sure, a buffer can empty out its
contents and eventually trigger an alarm, but by then the vulnerable segment
may well be off the air.

In the amount of time it takes the common security admin to notice the
alarm, and do the leg work, it would be off the air anyhow.

Not if the IDS automatically triggers some action to stop an attack. For
this to happen, the IDS must be able to see the attack in the first place.
Seeing something dribbling out of a buffer 10 seconds after the fact doesn't
cut it.

This is an awful lot to ask of a switch. Real time responses to attacks
make great marketing, but don't work in the real world. IDSs are not that
sensitive to the many different types of DOS attacks. Making an arbitrary
decision to filter an IP can open you up to an IDS-DOS. I'm also
concerned about the delta in time it may take for a switch or firewall
to add in an ACL of some sort. Even if an IDS could detect attacks perfectly
in zero time, the switch may still have a bunch of evil packets sitting
in output queues, input queues and transiting its backplane. If there is
a concern about fast attacks on high bandwidth networks, taking 500ms to
add in an ACL may be too long.

Making filtering decisions about a network should require some
knowledge of the network topology so the switch/IDS does not allow false
positive attacks from BGP peers, upstream DNS servers, business partners,
etc., to cause IDS-DOS outages. This knowledge of the local network is a
'radical departure' for most switch manufacturers. Switches are getting
more sophisticated, but I think they still have some ways to go before
they understand what is happening from an enterprise perspective.

Ron Gula
Network Security Wizards
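The gating logic Ron argues for (an automated response that consults topology knowledge before blocking, so a false positive against a BGP peer or upstream DNS server does not turn into an IDS-DOS) can be sketched in code. The following is an added example, not code from the original post or from Network Security Wizards. The protected prefixes, the alert threshold and the block TTL are constructed placeholder values, and `ResponseGate` is a hypothetical class that would sit between the IDS and whatever pushes ACLs to the switch or firewall.

```python
"""Hypothetical IDS auto-response gate (added example, not from the post).

Before an IDS-triggered block is handed to a switch or firewall, the gate:
  * refuses to block any address inside a topology allowlist
    (BGP peers, upstream DNS, business partners), and
  * requires a minimum number of alerts and caps the block lifetime,
so a single false positive cannot cause a lasting self-inflicted outage.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed topology knowledge. These are documentation prefixes used as
# placeholders; a real deployment would load them from the network inventory.
PROTECTED_PREFIXES: Dict[str, List[str]] = {
    "bgp-peer": ["192.0.2.0/30"],
    "upstream-dns": ["198.51.100.53/32"],
    "partner": ["203.0.113.0/24"],
}


@dataclass
class BlockDecision:
    address: str
    blocked: bool
    reason: str
    ttl_seconds: int = 0


class ResponseGate:
    """Decides whether an IDS alert may be turned into a network block."""

    def __init__(self, protected: Dict[str, List[str]],
                 max_ttl: int = 600, min_alerts: int = 3) -> None:
        # Pre-parse the allowlist once; (network, role) pairs.
        self._nets = [(ipaddress.ip_network(p), role)
                      for role, prefixes in protected.items()
                      for p in prefixes]
        self.max_ttl = max_ttl          # upper bound on any automatic block
        self.min_alerts = min_alerts    # alerts required before blocking
        self.alert_counts: Dict[str, int] = {}
        self.active: Dict[str, int] = {}  # address -> expiry timestamp

    def protected_role(self, addr: str) -> Optional[str]:
        """Return the topology role of addr if it must never be blocked."""
        ip = ipaddress.ip_address(addr)
        for net, role in self._nets:
            if ip in net:
                return role
        return None

    def consider(self, addr: str, alert_ts: int, ttl: int = 300) -> BlockDecision:
        """Evaluate one alert; returns the decision the enforcer should apply."""
        role = self.protected_role(addr)
        if role is not None:
            # Topology knowledge wins: a spoofed or misclassified packet from
            # a peer must not let the IDS cut the peer off.
            return BlockDecision(addr, False, f"protected: {role}")
        count = self.alert_counts.get(addr, 0) + 1
        self.alert_counts[addr] = count
        if count < self.min_alerts:
            return BlockDecision(addr, False,
                                 f"below threshold ({count}/{self.min_alerts})")
        ttl = min(ttl, self.max_ttl)    # never exceed the configured cap
        self.active[addr] = alert_ts + ttl
        return BlockDecision(addr, True, "blocked", ttl)

    def expire(self, now: int) -> List[str]:
        """Remove blocks whose TTL has elapsed; returns the released addresses."""
        released = [a for a, until in self.active.items() if until <= now]
        for a in released:
            del self.active[a]
        return released


if __name__ == "__main__":
    gate = ResponseGate(PROTECTED_PREFIXES)
    print(gate.consider("192.0.2.1", alert_ts=0))      # protected, not blocked
    for t in range(3):
        print(gate.consider("10.9.8.7", alert_ts=t))   # blocked on third alert
    print(gate.expire(now=500))                        # [] until TTL elapses
```

The TTL cap matters as much as the allowlist: even a block that was correct when issued should fall away on its own, so that an attacker who learns how to trigger the IDS cannot accumulate permanent filters against addresses of their choosing.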


