“This is exactly why I think network security is a dying creature. Sure, you still need it, but it’s completely commoditized and easy to circumvent now. It feels like 1998 all over again today. Rain Forrest Puppy proved most of the IDSs out there could be evaded, but the signatures themselves are just as easy to evade”

Wow. That’s a bit harsh to equate one bad Snort sig to the state of network security. It’s especially harsh when it’s a sig written by an individual and not by people who do that for a living, like Asurent or commercial IPS vendors. I don’t see network security as a dying creature. I see a blurring of the lines between network and host security. NAC is a good example and to a lesser extent SIEM technologies. It definitely doesn’t feel like 1998 to me. RFP proved that most IDS of the day could be evaded but a lot has changed since then. If you have a commercial IDS / IPS that gets tripped up by tools like Whisker on a regular basis….you have issues my friend. Detection and prevention technologies have advanced in an attempt to meet the challenges. Are they perfect? No. Will the best IPS on the market have both false positives and negatives? Yes. When I start seeing many new versions of libwhisker like tools and more ground breaking papers like Ptacek-Newsham’s, then I will be more concerned. It’s about defense in depth in my book and network security is a large part of that. That is until developers start writing perfect code, administrators stop making configuration mistakes and users stop being….well…users.

This quote makes me think it has been a while since he had much interaction with commercial IPS products.

“Detection will always be a part of prevention, but regex just isn’t cutting it when you are talking about states that go well beyond the state of a packet or even a TCP/IP session.”

Even open source Snort can handle stateful re-assembly with it’s Stream preprocessors. Some commercial vendors claim to be able to handle over 150,000 sessions at once.

It’s an interesting point of view.

–Chris

Technorati Tags: IDS, IPS, Snort, Ha.ckers.org, evasion

“When I go out on the road to speak and address large audiences of folks who manage security, most relay the fact that most of them simply do not trust IPS devices with automated full blocking turned on. Why? Because they lack context.“

Yes!!! Thank You!!! I don’t see this changing as IPS becomes more commoditized, i.e. embedded in switches, UTM’s, etc.

“While integrated VA/VM and passive/active scanning adds to the data collected, is that really actionable intelligence? Can these devices really make reasonable judgements as to the righteousness of the data they see?”

I do not think adding vulnerability or scan data gives you actionable intelligence. I do think that if used properly that data can reduce your false positives thus allowing you to concentrate the alerts that are valid potential threats. Chris goes on to say:

“Telling me about flows across my network IS, I admit, mildly interesting, but without the fast-packet cracking capabilities to send flow data *including* content, it’s not very worthwhile..”

While I will say flow data is more than mildly interesting, this is true context and you will not get it with sFlow / NetFlow without overloading the switch / router. An inline IPS at the gateway or the firewall itself are in good vantage points to collect this information…and it shouldn’t overload them. Let’s say my IPS blocks a packet from 1.2.3.4 because of multiple failed POP3 logins. By itself it will probably not draw a lot of attention. It happens…people forget their email password. Maybe the signature is too tight and has known false positive issues so it gets ignored. In a system that provides true context you would be able to instantly look at all of the other traffic from / to that IP address. So now you see that over the past 2 weeks this same IP has sent syn packets to all of your ports below 1024, has tried to connect to your SSH port on the border router (which you forgot to filter) over 100 times and has a ton of dropped invalid packets to your IPSec VPN.

I would say that makes for actionable intelligence, but at a price. Think about the size / speed of the database that would be required to store that much packet / flow information for a reasonable amount of time. Add to that the ability to run queries on specific IP’s while still maintaining a solid insertion rate. That’s a lot of juice unless you have a spare Oracle cluster around somewhere During my tenure as CTO at NitroSecurity I often heard this referred to as “Data Wall”. The main reason I went to work for them was their approach is centered on the handling of security data.

It’s great to see someone else verbalize the need for context with respect to security alerts.

–Chris

Technorati Tags: IPS, IDS, UTM, Security, Vulnerability, Intrusion