[Discussion] Why IDS sucks

John Ives jives at security.berkeley.edu
Fri Oct 17 00:42:30 UTC 2008




While I can't really argue with the basics of anything you say here I am
going to put in my two cents anyway.

Andre Ludwig wrote:
> 1.  Signature matching has its use but can not be an end all for 
> detection of attacks. (easy to bypass, layer 7 hurts,  encryption hurts 
> matching, etc)
>        a. Signatures infer that you know what the attack looks like, 
> this doesn't help much
>        b. Signatures can change over time, they require lots of 
> administrative overhead and testing before, during, and even after use

You're right, however I will point out that 1a and 1b can be handled, to a
degree, by having signatures that don't look at specific attacks but
look at the vulnerability being attacked.  If the problem is that
product A has a buffer overflow condition and can only accept 64
bytes of data before its buffer is filled, look for data at byte 65 to
detect the attack.  Unfortunately, from the network, it can be hard to
tell if what was attacked was actually running that vulnerability
without a comprehensive vulnerability assessment program.

> 2.  Performance and wire speed is always going to be an issue (as it is 
> a safe assumption that it will continue to increase over time), this 
> becomes a problem with inline (IPS).

This is true but in my ideal world the IDS infrastructure would be
clustered. We are actually using a product now that distributes traffic
by netblocks to lower the actual bandwidth each box sees to a manageable
level, effectively making a pseudo-cluster.

> 3.  Inability of vendors/producers of IDS technology to keep ahead of 
> the curve (be it signature awareness, or be it protocol parsers, etc)

You're probably preaching to the choir on this one, but, to be fair I
think security is one area where I doubt the good guys are ever going to
win (at least not as long as we are so adamantly focused on defense).
The best we can hope for, barring some fundamental shift in the
landscape, is a tie.  I say this not to be defeatist, but because
security is a zero sum game.  The defenders only have to make one
mistake to lose, while the attackers only need to get it right once to
win.  With that in mind, I would say the best hope we have is to start
playing more offense, but at this point I don't know how best to accomplish
this without breaking laws, etc.  But, I digress, because hearing my
somewhat depressing view of the state of security today is not why
everyone joined this list.  Also, it doesn't do anything to move along a
conversation about IDS. :)

> 4.  Anomaly detection based technologies can be effective but on their 
> own they tend to be more of a burden than a help.

I've found that many times anomaly detection is best when used with
other detection mechanisms.

> And the single largest issue IMHO, is the lack of infrastructure to 
> properly correlate and analyze data to produce actionable 
> intelligence.   This intelligence can then be piped to various types of 
> "technical controls" to be used as part of the overall security 
> architecture.   Granted this isn't necessarily a weakness in IDS as much 
> as it is a weakness in the approach the industry has taken.

Damn Straight!  I wonder how many of us have had to write our own
scripts/programs to help us parse and use the data we get from all of
the security tools we run.

John

--
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security                            Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
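The "look for data at byte 65" idea from John's reply, and his caveat that the network alone cannot tell whether the target actually runs the vulnerable product, as an added illustration that is not part of the original post or of any product named in the thread. The service, its `USER` command, the 64-byte buffer, the hosts and the payloads are all constructed for the example; the point is that an exploit-centric rule only matches the one payload shape it was written for, while a vulnerability-centric rule matches any oversize field, and that an asset inventory from a vulnerability assessment program is what turns the latter from "informational" into a confirmed high-severity alert.

```python
"""Exploit-centric vs. vulnerability-centric IDS rules (constructed example).

Hypothetical line-based service: its "USER <name>" command copies the name
into a fixed 64-byte buffer. Everything below (product, hosts, payloads) is
made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUFFER_SIZE = 64  # size of the hypothetical product's fixed buffer

# Exploit-centric rule: "what the attack looks like". It only knows the one
# published payload shape, here a USER command padded with 65+ 'A' bytes.
EXPLOIT_SIG = re.compile(rb"^USER A{65,}")

# Vulnerability-centric rule: parse the field and check the condition any
# overflow of this buffer must satisfy, namely data present at byte 65.
FIELD_RE = re.compile(rb"^USER ([^\r\n]*)\r\n")

# Hypothetical asset inventory fed from a vulnerability assessment program:
# destination host -> does it run the vulnerable product version? (constructed)
VULNERABLE_HOSTS = {
    "10.0.0.5": True,   # runs the vulnerable version
    "10.0.0.9": False,  # patched or a different product entirely
}


@dataclass
class Verdict:
    rule: str       # which rule fired
    severity: str   # "high" when the target is known vulnerable, else "info"
    field_len: int  # observed length of the USER field


def exploit_match(payload: bytes) -> bool:
    """Exploit-centric rule: fires only on the known payload shape."""
    return EXPLOIT_SIG.match(payload) is not None


def vuln_match(payload: bytes) -> Optional[int]:
    """Vulnerability-centric rule: return the field length if it exceeds
    the buffer (i.e. there is data at byte 65 or beyond), else None."""
    m = FIELD_RE.match(payload)
    if m is None:
        return None
    n = len(m.group(1))
    return n if n > BUFFER_SIZE else None


def inspect(dst_host: str, payload: bytes) -> List[Verdict]:
    """Run both rules over one message and grade the result using the
    asset inventory, which is the correlation step John says is missing
    when you only have the network view."""
    verdicts: List[Verdict] = []
    if exploit_match(payload):
        verdicts.append(Verdict("exploit-sig", "high", len(payload)))
    n = vuln_match(payload)
    if n is not None:
        severity = "high" if VULNERABLE_HOSTS.get(dst_host, False) else "info"
        verdicts.append(Verdict("vuln-sig", severity, n))
    return verdicts


# Constructed sample traffic: (destination host, raw command bytes).
SAMPLES: List[Tuple[str, bytes]] = [
    ("10.0.0.5", b"USER alice\r\n"),                     # benign login
    ("10.0.0.5", b"USER " + b"A" * 70 + b"\r\n"),       # the published payload
    ("10.0.0.5", b"USER " + b"B" * 70 + b"\r\n"),       # trivially re-padded variant
    ("10.0.0.9", b"USER " + b"B" * 70 + b"\r\n"),       # same variant, patched host
]


def run(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return (host, [(rule, severity), ...]) for each sample message."""
    return [(host, [(v.rule, v.severity) for v in inspect(host, data)])
            for host, data in samples]


if __name__ == "__main__":
    for host, hits in run():
        print(host, hits or "no alert")
```

The re-padded variant in the third sample is what 1a is about: the exploit-centric rule is silent, the vulnerability-centric rule still fires. The fourth sample is John's caveat: the same oversize field hits a host the inventory says is not running the vulnerable version, so it is logged as informational rather than paging anyone.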