Saturday, April 19, 2003

Beware of strangers bearing opinions

Yeah, that applies to me, too. Take what you read with a grain of salt. A lot of it can be opinion.

In an article entitled "Intruder Alerts: Detection or Protection", a "panel of analysts" said that "Intrusion detection systems are dead". Can this be the same panel of experts that said Linux/Windows/Disco balls/roller skating is dead?

I think the quote from Vic Wheatman of the Gartner Group gives a good hint: "People bought it, installed it and turned it down when they had too many alerts."

What can you get from reading between the lines? People bought what they thought was a black-box cure-all, plugged it in, turned it on and refused to face the fact that an IDS has to be re-tuned every time the network behind it changes: new hosts, new services and new traffic patterns all produce new alerts, and if nobody tunes the rules, the alerts drown the operator and the box gets turned down.

Intrusion detection systems have their place and function in any network. You just have to remember that they have their own shortcomings (and configure around those):

  1. Put them where they watch for attacks on known services on specific boxes. They are of little value in front of a high-traffic firewall: under heavy load they drop packets (and miss whatever was in them), and the firewall already logs most of what they would see there.
  2. Commercial IDSs normally ship with a ruleset of around 200 entries. When choosing an IDS, be sure you can add your own rules!
  3. They have blind spots (that is, they watch for attacks on known services on their standard ports). The same attack against a service on a non-standard port or protocol goes unnoticed until someone writes a rule for it. Again, make sure you can add your own rules.
  4. Fragmented packets often pass an IDS undetected: a signature split across two fragments matches neither one. To prevent this, have the upstream and downstream routers reassemble or block fragmented packets. If the IDS itself offers fragment reassembly, turn it on and test it with a fragmented probe rather than assuming the default.
  5. For them to function properly, you need a trained operator. Either train one in-house or hire one.
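To make shortcomings 3 and 4 concrete, here is a toy signature IDS in Python. It is an added example, not code from the original post or from any real IDS product; the hosts, ports, rule text and packets are all constructed for the demonstration, and IP fragmentation is simplified so that every fragment carries the full 4-tuple. It shows the same traversal payload being caught on port 80, missed on 8080 until a custom rule is added, and missed when split across fragments until the datagram is reassembled before matching.

```python
"""Toy signature IDS (added example, not from the original post).

Constructed traffic and rules; fragmentation is simplified so every
fragment carries src, dst, port and fragment id.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dst_host: str      # "any" or one specific box to watch
    dst_port: int      # TCP port of the service being watched
    content: bytes     # byte pattern that must appear in the payload


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    dst_port: int
    frag_id: int
    offset: int        # byte offset of this piece within the datagram
    more: bool         # True unless this is the last fragment
    payload: bytes


# Constructed "stock" ruleset: only watches the well-known HTTP port.
STOCK_RULES = [Rule(1, "WEB traversal attempt", "any", 80, b"../../")]

# Constructed rule an operator adds for an admin UI on a non-standard
# port on one specific box (shortcoming 3: you must be able to add rules).
CUSTOM_RULES = [Rule(1000001, "WEB traversal, admin UI on 8080",
                     "10.0.0.5", 8080, b"../../")]


def match(rules, unit):
    """Return sids of rules whose host, port and content all match one unit."""
    return [r.sid for r in rules
            if r.dst_host in ("any", unit.dst)
            and r.dst_port == unit.dst_port
            and r.content in unit.payload]


def reassemble(fragments):
    """Rebuild datagrams: group by 4-tuple, order by offset, emit only when
    the last fragment was seen and the pieces are contiguous. Returns
    (complete_datagrams, keys_of_incomplete_groups)."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.dst_port, f.frag_id)].append(f)
    datagrams, incomplete = [], []
    for key, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        expected, payload, complete = 0, b"", False
        for p in parts:
            if p.offset != expected:       # gap or overlap: cannot trust it
                break
            payload += p.payload
            expected += len(p.payload)
            if not p.more:
                complete = True
                break
        if complete:
            src, dst, port, fid = key
            datagrams.append(Fragment(src, dst, port, fid, 0, False, payload))
        else:
            incomplete.append(key)
    return datagrams, incomplete


def detect(rules, fragments, reassemble_first):
    """Run the rules per fragment (naive) or over reassembled datagrams.
    Each alert is (sid, src, dst, dst_port)."""
    units = reassemble(fragments)[0] if reassemble_first else fragments
    return [(sid, u.src, u.dst, u.dst_port)
            for u in units for sid in match(rules, u)]


# Constructed traffic ------------------------------------------------------
ATTACKER, TARGET = "198.51.100.7", "10.0.0.5"
PAYLOAD = b"GET /../../etc/passwd HTTP/1.0\r\n"

# 1. One unfragmented traversal attempt against port 80.
PLAIN_80 = [Fragment(ATTACKER, TARGET, 80, 1, 0, False, PAYLOAD)]
# 2. Same payload against the admin UI on 8080: blind spot for STOCK_RULES.
PLAIN_8080 = [Fragment(ATTACKER, TARGET, 8080, 2, 0, False, PAYLOAD)]
# 3. Port-80 attempt split so no single fragment contains "../../".
SPLIT_80 = [Fragment(ATTACKER, TARGET, 80, 3, 0, True, PAYLOAD[:7]),
            Fragment(ATTACKER, TARGET, 80, 3, 7, False, PAYLOAD[7:])]

if __name__ == "__main__":
    print("stock, :80            ->", detect(STOCK_RULES, PLAIN_80, False))
    print("stock, :8080          ->", detect(STOCK_RULES, PLAIN_8080, False))
    print("stock+custom, :8080   ->", detect(STOCK_RULES + CUSTOM_RULES, PLAIN_8080, False))
    print("stock, split, naive   ->", detect(STOCK_RULES, SPLIT_80, False))
    print("stock, split, reassem ->", detect(STOCK_RULES, SPLIT_80, True))
```

The reassembler deliberately refuses groups with gaps or a missing last fragment; an IDS that guessed at incomplete datagrams would hand an attacker a way to fire alerts on traffic the target never actually received.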

An IDS is intended to be one part of defense in depth. Hackneyed as that buzz-phrase has become, there's still truth in it. Use multiple layers of protection (filtering routers, firewalls, DMZs, etc.), and use differing operating systems and vendors in those layers: only the more talented attackers will get through several unlike layers, and the majority of your problems are script kiddies after low-hanging fruit.

In addition to all that, remember: "It's not if but when."

Oh! And there's still a market for disco balls (Ask Saddam. It's said that his love nest was straight out of the 70's.) and roller skates (visit Europe or the People's Republic of California!).
