Re: Assessment tools/Scanners

[roesch () clark net (Martin Roesch)]

"Ryan M. Ferris" wrote:
> Two major problems here:
>
> a) complicated attacks and attack forms become push button simple quickly:
> Today's black hat is tommorrow's script-kidde.  (Personally, I think if you
> read it in phrack, it's script-kidde already...)
> Today's nation-state is tommorrow's black-hat and so on.

I agree, but once it becomes a push button attack it's usually easy to
characterize into some sort of signature.  Take NMAP's fingerprinting
system, I only have a signature for one of the test packets that it
uses, but NMAP has an *infrastructure* of OS signatures built around
that particular fingetprinting methodology, so it's difficult for them
to change it now.  I take advantage of this and detect fingerprinting
attempts with a single packet signature (out of seven sent per f/p
attempt).

> This is just software development evolution.  What took raw assembly and C
> yesterday is now tommorrow's push button kit *.exe. (i.e. www.rootkit.com)

I've heard it called the software arms race. :)

>  b) "people with money" don't have that many other options.  Pop quiz:
>
> Someone name all the IDS (commercial or otherwise) that will reliably (say
> 90% or more with 5% or less false positive rate) detect:
>
> TCP/IP hijacking
> TCP/IP fragmentation and re-assembly
> frag router attacks
> arp cache and route poisoning
>
> now name me the IDS that will reliably catch the same attacks (at the same
> rate) at 25% (10/100baseT) utilization:

If you have the money and the inclination, you can implement solutions
to these and a host of other problems.  Starting with a good security
architecture and multi-layered defenses, building custom intrusion and
anomaly detection, implementing fun stuff like SSO and PKI, etc.  We all
know that intrusion detection isn't the end of network security, it's
just a component that happens to be popular right now.

When I was at GTE Internetworking, we built our own IDS for the
company's Global Network Infrastructure (coast-to-coast OC-192 backbone
and associated infrastructure).  There are no commercial solutions for
huge networks like this, but GTE had the money and on-staff (good!)
security people, and they built their own custom solution.  That was a
company that had the money (and expertise) to have other options.  If a
business depends on networking, it had better think hard about skimping
on security.

> So while it is true that "you have to do something", the question becomes:
>
> Is the something you did an 'out of date' shield that will now miss current
> hacker penetration?  If so, then the process is horribly flawed, you should
> forget about detection and concentrate on prevention and/or re-invent the
> conception of an IDS.  Compare this type of  viral detection software.  Can
> a virus maker survive that does not include the latest virus signatures?
> Only if you have a long term government contract perhaps.  (And even then,
> viral signature detection patches are now almost produced overnight in the
> case of a new outbreak.)  Why do we hold IDS development to a different
> standard?

I'd say that any ID technology capable of detecting a subset of your
threat environment is at least marginally useful/better than nothing. 
The challenge is getting the people who buy and implement these systems
not to lull themselves into a false sense of security.  An IDS that
detects a decent amount of hostile traffic is pretty good, one that
doesn't detect anything is useless, and one that detects everything is a
fantasy. ;) 

We tend to treat the technologies we discuss here like they're
monolithic solutions.  I don't think this is a good way to consider any
security technology, it doesn't work like that.  You have to set up
layers and peform defense in depth if you're interested in having "real"
security, and even then it sometimes fails for specific solutions.  I
guess I'm not sure what to say, there are no one stop solutions, you're
never completely safe once you're on a network.  Should we give up
networking?  I don't think so, so we have to present some sort of
solutions to people who want to be networked but are also interested in
doing so securely.

I think that Open Source is a path to truely good security products. 
It's the only way to cut past marketing hype and see products under the
"hot lights" of public scrutiny.  I can't hide that Snort has
limitations, for instance, but I don't recommend it as the only solution
to anybody's security needs.  If you're going to run Snort, you should
probably be running ArpWatch and PortSentry to fill in some of the
coverage gaps that it has.  This gives you an "ok" network based IDS
when considered all together, but it still doesn't do things like IP
defrag and TCP stream reassembly.  Is it useless?  No.  Is it a complete
solution?  Hardly.  Can it detect a wide variety of attacks and probes? 
Definitely.  Should people use it?  If they understand the risks
associated with the gaps that it has or their lack of funding forces
them, its not a bad starting solution.

> Question:
>
> Is is possible to do anomaly detection at layer 1?  Could a ASIC on a NIC be
> built to decode signalling at layer 1 so that IDS and anomaly detection
> could be responded to in hardware?

I'm sure that you can do some sort of anomaly detection at layer 1, but
I'll leave it to the PhD's out there to outline the theory so people
like us can get the engineering specifics together and implement
something practical.

     -Marty

-- 
Martin Roesch
roesch () clark net
http://www.clark.net/~roesch