Subject: Re: False Sense of Security?
From: Joe Shaw (jshawINSYNC.NET)
Date: Thu Nov 16 2000 - 13:36:50 CST


On Thu, 16 Nov 2000, Jacob Martinson wrote:

> What is the real purpose in detecting exploit attempts? If you have a rule
> (say in snort or nfr) to identify a certain exploit and you are concerned
> about someone running it on you, why wouldn't you just fix the vulnerability?
> There will always be a gap in time between an exploit being published and a
> fix being provided (and applied), but my impression is that most people
> aren't this aggressive anyway.

Sometimes, it's not that easy, which is sad. Ever run a 10,000 node
enterprise network? Even if it's a homogeneous network, that's still
10,000 nodes to patch for a bug, and if it's heterogeneous, then it's some
mixture of a couple thousand WinNT, a couple thousand Solaris, and a
couple thousand BSD/AIX/Linux/whatever else. In an instance like that,
where it may be hard to keep track of what you're running and how it's
patched, having IDS may be a benefit if you can correlate what's being run
against you and what you're vulnerable against. Someone running IIS
exploits against an Apache server is an example, and yes it does happen.

> Why would you care about a three month old exploit being run against you if
> your systems are up to date? If you believe your network has machines that
> are vulnerable, why would you leave it in a state where any available IDS
> signatures would affect you?

Well, there are really two types of Network IDS philosophies. One is
what's commonly referred to as Attack Detection. It doesn't matter what
it is or what it's being run against, you just want to know what people
are trying against your network, or even if crackers are trying anything
at all. Attack Detection generally places IDS as close to the perimeter
of your network as possible, generally in front of the firewall. This is
kept more for pretty graphs and pie charts so you can show management that
all that money they spent on IDS and other security software/services is
actually worth something, because in the business world there's no real
way to attach a tangible ROI to security. You don't really react to this
data as much as you do Intrusion Detection data because you'd be spending
all day dealing with these alerts, and in a perfect world you've patched
all day dealing with these alerts, and in a perfect world you've patched
all your machines for them and the firewall blocks most of the traffic
anyway.

Then there's Intrusion Detection. This is where you detect a compromise
as soon as it happens, and when it does, it's too late to really do
anything about it except monitor. This is generally just behind the
firewall. This is data you generally take very seriously.

Both of these also help detect inside employees monkeying around with your
network or outside networks.

> It seems to me that (unless you have the resources to devote one or two
> people to running a nids fulltime) time and money would be better spent
> securing systems and that a network based IDS would be interesting and fun
> but not necessarily as cost-effective as other things. This really only
> applies to detecting exploit attempts I think. I can definitely see the
> value in discovering active use of backdoors and otherwise suspicious
> traffic with a nids or some kind of protocol analyzer.

This is what the IDS console and a pager is for. And now, with more
intelligent security consoles being offered by Intrusion.com and
E-Security Inc., you can have them intelligently correlate data from your
firewalls, NIDS, HIDS, Tripwire, etc to get a fairly comprehensive idea as
to what's going on in your network. You still have to worry about false
positives, but a lot of errors can be dealt with by removing rulesets you
don't need as time goes by.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I
don't speak for them here.  I have public opinions, and they don't.
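The correlation Joe describes above (matching what is being run against you with what you actually run, so an IIS exploit aimed at an Apache box is statistics rather than a page) as an added example; this is not code from the thread or from any IDS product. The alert format, signature names, inventory and addresses are all constructed for the example.

```python
import re

# Constructed inventory of which product each host actually runs (hypothetical).
INVENTORY = {
    "10.0.0.5": {"apache"},
    "10.0.0.9": {"iis"},
    "10.0.0.12": {"sendmail"},
}

# Constructed mapping from signature name to the product it targets (hypothetical).
SIGNATURE_TARGETS = {
    "WEB-IIS unicode directory traversal": "iis",
    "WEB-MISC apache chunked encoding": "apache",
    "SMTP sendmail overflow attempt": "sendmail",
}

# Constructed snort-style one-line alerts; the "[**] sig [**] src -> dst" layout is assumed.
SAMPLE_ALERTS = """\
11/16-13:36:50.123456 [**] WEB-IIS unicode directory traversal [**] 192.0.2.7:4021 -> 10.0.0.5:80
11/16-13:37:01.000001 [**] WEB-IIS unicode directory traversal [**] 192.0.2.7:4022 -> 10.0.0.9:80
11/16-13:37:15.555555 [**] SMTP sendmail overflow attempt [**] 198.51.100.3:2500 -> 10.0.0.12:25
11/16-13:38:02.000000 [**] WEB-MISC apache chunked encoding [**] 192.0.2.7:4030 -> 10.0.0.200:80
"""

ALERT_RE = re.compile(r"\[\*\*\] (?P<sig>.+?) \[\*\*\] (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

def parse_alert(line):
    """Return (signature, src_ip, dst_ip), or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return (m["sig"], m["src"], m["dst"]) if m else None

def classify(sig, dst, inventory=INVENTORY, targets=SIGNATURE_TARGETS):
    """Decide how seriously one alert should be taken.

    'intrusion'   : the targeted product really runs on dst -> page someone.
    'attack-only' : product mismatch (IIS exploit at an Apache box) -> pie charts.
    'unknown'     : dst is not in the inventory -> an inventory gap to close.
    """
    if dst not in inventory:
        return "unknown"
    return "intrusion" if targets.get(sig) in inventory[dst] else "attack-only"

def triage(text):
    """Group every parsable alert line by verdict: {verdict: [(sig, src, dst), ...]}."""
    out = {"intrusion": [], "attack-only": [], "unknown": []}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed:
            out[classify(parsed[0], parsed[2])].append(parsed)
    return out

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_ALERTS).items():
        print(verdict, len(hits))
```

Of the four constructed alerts, only the two whose signature matches a product on the destination host land in the "intrusion" bucket; the IIS attempt against the Apache host is counted but not escalated, and the unlisted host is flagged as an inventory gap.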