Tuesday, October 31, 2006

On Intrusion Detection

OK, OK, stop the squealing already :-) I WILL blog about this whole NIDS/NIPS hoopla (or brouhaha?) started by this exciting (as it often is) dailydave thread.

First, a quick question: do you have 0wned boxes on your network? Puleeease don't say 'no' cause I'd know that you would be lying :-) Now that you have accepted the fact that some boxes on your network are 0wned by intruders, do you want to detect it? Yeah? If so, you need intrusion detection. Notice I didn't say IDS or NIDS; I am just saying that it is pretty darn obvious that people need to detect intrusions somehow and thus they need something that does "intrusion detection."

Similarly, it'd be nice (but completely unrealistic ...) if such intrusions were prevented from occurring in the first place. If you want to take a crack at that :-), you'd wish you had intrusion prevention, which is obviously a good idea, in principle.

Thus, if somebody tells you that you "do not need to detect intrusions", he is quite likely an idiot.

However, what do the above paragraphs have to do with lil black boxes called NIPSes and NIDSes? Absolutely nothing, it pains me to say. And that is where the "offensive computing experts" (thanks for the offensive term, Richard! :-() are at least partially correct in stating that an IDS does not really give you the much-needed ability to detect intrusions. Further, as Richard put it, at best it gives you a "hint that something bad might be happening." Thus, you can go buy a STGYAHTSBMHH and not an IDS. And there is always the classic IDS use case called "a system that you can go to after shit hits the fan to see if any pieces stuck to it" (ASTYCGTASHTFTSIAPSTI, yuck...) :-)

Most of the other points made in the ensuing mayhem - errr, discussion - are actually derivatives of the above. Yes, a signature-based "IDS" can sometimes detect intrusion attempts made with old exploits. Yes, anomaly detection works ... when it does. Etc, etc. However, the main point remains the same: you need intrusion detection, you just can't buy it in the store.
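To make the "hint, not detection" point concrete, here is an added example (mine, not from the post or the dailydave thread): a toy signature matcher beside an equally toy anomaly detector, both run over constructed access-log lines. The hosts, paths and the one signature are hypothetical. The signature only ever fires on the pattern it already knows, and the rate baseline fires on whichever client is busiest, so every result is a lead for an analyst to chase, which is exactly the limit the post describes.

```python
import re
import statistics
from collections import Counter

# Constructed sample access-log lines: "<src-ip> <method> <path> <status>".
# Hosts, paths and statuses are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /index.html 200
10.0.0.7 GET /login 200
10.0.0.9 GET /old-forum/admin.php 404
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.11 GET /index.html 200
10.0.0.13 GET /contact.html 200
"""

# Hypothetical signature set: one regex per "old exploit" path we already know about.
SIGNATURES = {
    "old-forum-admin-probe": re.compile(r" /old-forum/admin\.php "),
}


def parse(log_text):
    """Split log text into (src, method, path, status) tuples, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def signature_hints(log_text):
    """Return (signature_name, line) for each line matching a catalogued pattern.

    A request to a path nobody has written a signature for produces nothing,
    no matter how hostile it is: the matcher knows only what it was told.
    """
    hints = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hints.append((name, line))
    return hints


def anomaly_hints(records, factor=3.0):
    """Flag sources whose request count exceeds factor * the median per-source count.

    This crude baseline fires on a busy but legitimate client just as readily
    as on a scanner, so a hit is a question for the analyst, not an answer.
    """
    counts = Counter(src for src, _, _, _ in records)
    if not counts:
        return []
    median = statistics.median(counts.values())
    return sorted((src, n) for src, n in counts.items() if n > factor * median)


def triage(log_text):
    """Run both detectors and return their hints side by side."""
    records = parse(log_text)
    return {"signature": signature_hints(log_text), "anomaly": anomaly_hints(records)}


if __name__ == "__main__":
    for kind, hints in triage(SAMPLE_LOG).items():
        for hint in hints:
            print(f"[{kind}] {hint}  <- a lead to investigate, not a confirmed intrusion")
```

Run as-is it prints one signature hit (the known old path) and one anomaly hit (the chatty 10.0.0.11). Feed it a request to a path the signature set has never seen and the signature side stays silent, which is the gap the rest of your intrusion detection has to cover.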

Unknown said...

So... just out of curiosity, how should customers deploy intrusion detection in their environments? Obviously the various vendor solutions have many problems, but I think many of them can be traced to operational failures like lack of tuning experience. There are certainly alternative models like Bejtlich's NSM, but the average security analyst / engineer is not likely to have the experience to build a custom intrusion detection solution using 'nix, BSD, etc. Automated detection is prone to false positives and the associated pain of tuning the system, but surely it can be an effective time-saver if tuned correctly, no?
As far as the false sense of security that IDS/IPS engenders, the managed services are even worse - with no direct oversight, the security team and/or mgmt may not feel that they need to understand or monitor the network traffic. In any event, what do you think the viable alternatives are to the packaged IDS/IPS solutions?

Anton Chuvakin said...

"what do you think the viable alternatives are to the packaged IDS/IPS solutions?"

That is indeed a tough question with no easy answer. Yes, you might need to deploy an IDS/IPS box, but the important thing to note is that it will only serve as PART of your intrusion detection. Maybe I was too extreme in saying that "IDS =/= intrusion detection."

The correct equation would be:

IDS < intrusion detection...

Dr Anton Chuvakin