Tuesday, October 31, 2006

On Intrusion Detection

OK, OK, stop the squealing already :-) I WILL blog about this whole NIDS/NIPS hoopla (or brouhaha?) started by this exciting (as it often is) dailydave thread.

First, a quick question: do you have 0wned boxes on your network? Puleeease don't say 'no' 'cause I'd know that you would be lying :-) Now that you've accepted the fact that some boxes on your network are 0wned by intruders, do you want to detect it? Yeah? If so, you need intrusion detection. Notice I didn't say IDS or NIDS; I am just saying that it is pretty darn obvious that people need to detect intrusions somehow and thus they need something that does "intrusion detection."

Similarly, it'd be nice (but completely unrealistic ... ) if such intrusions were prevented from occurring in the first place. If you want to try to attempt to take a crack at that :-), you'd wish you had intrusion prevention, which is obviously a good idea, in principle.

Thus, if somebody tells you that you "do not need to detect intrusions", he is quite likely an idiot.

However, what do the above paragraphs have to do with lil black boxes called NIPSes and NIDSes? Absolutely nothing, it pains me to say so. And that is where the "offensive computing experts" (thanks for the offensive term, Richard! :-() are at least partially correct in stating that an IDS does not really give you the much-needed ability to detect intrusions. Further, as Richard put it, at best it gives you a "hint that something bad might be happening." Thus, you can go buy a STGYAHTSBMHH and not an IDS. And there is always a classic IDS use case called "a system that you can go to after shit hits the fan to see if any pieces stuck to it" (ASTYCGTASHTFTSIAPSTI, yuck...) :-)

Most of the other points made in the ensuing mayhem - errr, discussion - are actually derivatives of the above. Yes, a signature-based "IDS" can sometimes detect intrusion attempts made with old exploits. Yes, anomaly detection works ... when it does. Etc, etc. However, the main point remains the same: you need intrusion detection, you just can't buy it in the store.

Dr Anton Chuvakin