From: "Kendrick, Don"

> Are we forgetting one of the main reasons I believe IDS are valuable (or
> was this point made earlier in the thread I and didn't catch it)? Being
> an old timer, "Defense in Depth" easily comes to mind. Your firewall is
> a device on the network right? As such, heaven forbid, it might get
> hacked. What will give you a clue if it does?

"Visibility" is a necessity, however you get there. Paul's argument appears to be that if you build your network right you won't have intrusions. In some cases I could believe that could be implemented, but even there it would be desirable to be able to satisfy yourself that it is true by monitoring the network, anyway. I've been dabbling with control systems networks (mean security state: abysmal) where it is traditional to say "we don't allow anything or connect to anything, therefore it is secure." But no-one is looking to see what is actually going on or has gone on, so it's more an article of faith than reality. It strikes me as irresponsible not to have full knowledge of every flipping bit that sparks across a fiber when that bit is involved in critical infrastructure issues, and there are ways to deal with it, so I'm making it a pet project to prove that point.

> Maybe an IDS that is specifically tuned to alert on traffic that should
> never happen? Borrowing from another current thread, let's say hopefully
> that you do not allow X-windows traffic in from the outside. Of course
> your firewall would block it and log it, but wouldn't it be nice to know
> if the firewall ever responded to a SYN with and SYN-ACK?

"IDS" in the way we use the term is a tool to provide particularly deep visibility in a specific spot on the network. "IPS" in the way (at least the press) has used the term is a spot on the network with some deep visibility, some basic decision making capability and some auto-reconfiguration (or auto-misconfiguration) ability. Let's look at it another way.

Intrusion Detection Systems are Solutions which detect intrusions (oddly enough). If you are going to build network security operations around a monitoring structure, you will want rich information from connectivity points (fws, switches, routers) as a baseline for Detecting Intrusions by providing a model of connections as they occur across the network. Now you can see basic patterns of traffic that are common to attacks (sweep, followed by swept-host-be-actin'-funny). You may find it useful to have more detailed information about that exchange such as a packet-cracker on the wire by the ingress router that could let you discern slightly more evolved behavior (sweep, followed by Win2K buffer overflow, followed by host-be-actin'-funny). While you're at it, you may want to pull in application logs (who last touched that file/record? What'd they do with it? Who said they could?). All of this is an Intrusion Detecion System.

The ubiqitous phenomenon I saw with MARS customers was that they quickly turned up telemetry traffic (lots of NetFlow, a bit of syslog 7 on PIXen and deploy more xIDS). It's not a matter of whether it is worth having packet-crackers, it's just whether it is worth the effort to consume their output. I hate sounding like I'm advocating anyone's products in this forum (not that my mesages are making the list - remind me what we gain by blocking html?), but Partha and team proved that there is a way to use all that output without killing yourself and others will follow suit.

The whole "IDS" argument is boring, but it's an indication of the crux we are at with evolving all this stuff. "IPS" just pisses me off, but by its own ridiculousness it's the best example of the state we are at.

> I agree we don't need the IDS to tell us what we should already know
> from the firewall. And we might not need to know about the newest worm
> signature from an IDS. But I would sure be interested if I saw responses
> to any of these "bad" things or these "bad" things outbound. Goes back
> to "know your traffic." It's tough but it's the only way.

If it's too tough to do it won't be widespread, so by nature it wouldn't interest me. I believe it is very simple these days to know your traffic pretty darn well (lots of decent "historicals" solutions) and that this trend will accelerate and become more simple and more common very quickly.

> Someone a long time ago said think of a firewall as the perimeter alarm
> and locks, think of IDS as motion detector. I think that is still valid.

I can't escape the military analogy: fw, ids, av, et al - these are the assets our military owns (tanks, jets, wiretaps, ...). Hosts and Apps are the civilian soft targets that we can monitor (to an extent) but not manage. What we are lacking is Command and Control - a whacking great 767 packed with radar and computers and satellite uplinks and enough expertise to sink a trawler, orbiting over the battlefield helping us determine which is our ass and which is our handbag. Without that eye in the sky and all it represents, we're howling barbarians throwing water on flaming thatch-roofed huts.


firewall-wizards mailing list