Re: comparison of NFR vs RealSecure - auto update

[bruneau () ottawa com (Guy Bruneau)]

"C.M. Wong" wrote:

> ---
> First of all, I never specified ISS in my prior examples of stealth mode.
> Almost all IDS products I heard of can do stealth mode. Now, in the back of
> mind Mark, stealth mode is more about hiding the IDS engine (not console) so
> that there is no way it can be hacked (unless the console in an internal or
> secured zone gets hacked as well).
>
> Please forgive me, but I do not fully understand when you say "not knowing
> what
> is really in the update worries me a lot". Say an IDS was schedule to
> auto-update in the middle of the night. If immediately a new attack is
> launch, the iDS would be able to detect. If there is no auto-update, the IDS
> would only be updated in the morning when the admin comes in the morning,
> which by then a host was already compromised and it'll be too late. (And the
> customer initiate the auto-update, not the vendor. And I hope it's nothing
> to do with traffic re-direct (RSA for instance), I would assume, the iDS
> vendors site have knowledgeable security people and the customer have their
> bind updated and configured correctly ;)... let's not go into here.)

The major fault I can see with auto update is if it is done during "silent
hours" and no one is there to monitor the update.  If the patch that is applied
fails, the system will be down until someones comes in to check the sensor(s)
in the morning.  I think I could wait a few hours without those new signatures
so I could verify the stability of the vendor recommended patch on the
sensor(s).

A way of avoiding the detection of the sensor(s) and monitoring station(s)
would be to download the file to a workstation or server that is not related to
the sensors(s) and perform the auto update internally. This could be
accomplished in a similar fashion as the virus vendors (push-pull model) are
presently doing. The new dat file is pushed to the customers' server and the
users pull the new dat file. This could be incorporated in the IDS as an option
for those who don't want their IDS to connect anywhere on the Internet.

Guy

> Another thing Mark, in most org, there are a lot of lamers security
> conscious admins people. Even if the new vulnerabilities arrives in CDs,
> they're not gonna study the exploit in detail... but maybe study what are
> the consequences if deployed on their network (like generating huge false
> alarms or paging you in the morning etc). But even than, coming into the
> office at 9 am  to find out you have a full log of false alarms is better
> than getting one of your servers compromised and which you have no idea off
> (And let's just stick to network IDS, not host IDS or tripwire etc).
>
> Maybe I have missed something completely and couldn't catch what's on your
> mind Mark. Marcus or any of you gurus out there?
>
> Rgrds,
> Wong.

--
Guy Bruneau
Ma page est a/My page at: http://www.penguinpowered.com/~bruneau