Comments on TaoSecurity Blog: Response to Daily Dave Thread
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16 06:06 (UTC-04:00); 13 comments, newest first.

Anonymous, 2006-11-08 03:09 (UTC-05:00):
This comment has been removed by a blog administrator.

Anonymous, 2006-11-06 20:09 (UTC-05:00):
This comment has been removed by a blog administrator.

Anonymous, 2006-11-01 20:56 (UTC-05:00):
This comment has been removed by a blog administrator.

Anonymous, 2006-11-01 18:51 (UTC-05:00):
I can confirm the 1:01AM Anonymous experience with the usefulness of IDS/IPS here at an .edu.

We were an early adopter of IPS technology several years ago and it has both prevented and contained compromises countless numbers of times.

It's not perfect; nothing is. It can be bypassed, as can most security measures. But it stops or contains a compromise here at least once a week and probably once a day.

We have had instances where dozens of computers would have been compromised in a short period of time had it not been for the IPS. We have had instances where dozens of computers were compromised and turned into bots but were prevented from effectively communicating with their C&C nodes by the IPS, which notified us in the process.

Sure, we look at screens. There is a lot of operational information there. While we're not looking at the screens, the IPS is preventing and/or limiting the scope of compromises. We are also e-mailed and paged when incidents happen. Find a bot on the network, get an e-mail and quarantine it while the IPS keeps it from effectively communicating. Find a bot C&C node on the network, get a page and take it down while the IPS keeps it from issuing commands to clients. See a site trying multiple SSH or FTP sessions across the network, get an e-mail while the IPS wards it off.

Do some get by? Sure. But that is no reason to discount the value of the technology in our environment.

Can false positives be a problem? Sure. But minimally so, with some educated work and disbelief in magic-box marketing claims.

It's another defense-in-depth layer.

Would it be more secure if everyone that operated or administered a computer fully understood it and the Internet, if everyone that wrote programs and web sites fully understood the implications of what they were doing, if all vendors produced defect-free products, if everyone that made policy understood technology, if everyone obeyed policy, if every decision went through a formal risk analysis?

Sure; let me know when it happens. In the meantime, I've got a network to run, and if an imperfect device will help me protect an imperfect network run by imperfect people using imperfect products over which people do imperfect things for an imperfect amount of time, then so be it.

BTW, at least two IPS devices allow the importing of server private keys, which allows them to inspect and manage SSL sessions.

Anonymous, 2006-10-31 10:29 (UTC-05:00):
Richard, didn't you mention some network monitoring and network forensic tool that supposedly keeps statistical and meta-content, hashes, etc. some time back? (I couldn't find the post and the name escapes me.) A link to this tool would be appreciated.

Anonymous, 2006-10-30 20:24 (UTC-05:00):
Anon made the day-to-day case very well.

All I can add is that most of us on the defence side (if one can say that) are not protecting against the extremely knowledgeable and dedicated attacker; most of us are primarily concerned with the more pedestrian threats.

Ptacek & co. are deserving of respect for both their skill and professional behavior, but I can't say the same of a lot of the other clever folks.

Anonymous, 2006-10-30 16:15 (UTC-05:00):
Anon, thank you for that post... Hopefully I can help get IDS/IPS implemented in key areas of our university network, and your posted examples are excellent firepower!

Unknown (https://www.blogger.com/profile/15357840241031190415), 2006-10-30 15:25 (UTC-05:00):
Nice post, anon.

Anonymous, 2006-10-30 01:01 (UTC-05:00):
I work at a public institution in the USA. We have a Snort box on our edge, monitoring close to an OC-3 on an OpenBSD system with high-powered hardware. It can be labor intensive, but in an environment like this one, where decentralization is rampant and people are constantly trying to cut corners, are spread too thin, and don't have enough staff or training to do the job properly, the IDS helps show us certain types of incidents that would be more difficult to determine otherwise.

Sure, a bot infection spewing forth 10,000 packets is going to be obvious in firewall logs or netflow (and IDS in some cases). I have found that the Sourcefire rules plus Bleeding Edge Threats rules, plus careful tuning, have turned the IDS into an item of value on campus. My expectations of what IDS can do for us are realistic. We don't mention it to the admins, because we know that the "Oh, we've got a {firewall/IDS/IPS} now, we can wait to {patch/harden/securely configure} our systems" mentality would become further inflamed. In a well managed network, with proper controls over all hosts, adequate staff resources and adequate skillsets applied to every system, an IDS is going to be perhaps more work than it's worth. However, I feel blind without the IDS. It's proven its value to us on numerous occasions. A Bleeding Edge Threats rule to detect the passing of SSNs in clear text has been of great value to us in helping to find that type of policy violation. A firewall log won't tell you that and netflow won't tell you that. Ptacek and other high-end offensive computing types that have multi-processor assembler code wallpaper in every room of their house (or the malicious blackhat equivalent) and dream in hex aren't going to be stopped or even detected by an IDS (newsflash!!! IDS can be evaded LOL). But guess what? Joe Scriptkiddie DOES often get detected, at least until they are smart enough to start encrypting everything or evading. Steve the SDBOT will also often get detected due to the noise of the scans and the cleartext traffic to the command & control. There can be a certain arrogance in the offensive computing world. Some of those points are clearly valid. Are there marketing machines at work, offering false promises? Sure, you bet. But show me other areas of computing that don't have the same problem.

The recent signature for MS06-040 that Sourcefire published has saved us the pain of further infection by helping us to find the problem quickly: an array of ancient NT 4.0 boxes (considered a policy violation; no one is supposed to run that hunk of exploitable crap on our network!) that got 0wned by some sdbot variant. Getting them shut down quickly was the key to containing the mayhem that was caused. Without the IDS, it would have taken us longer to determine this. So to all the offensive computing types (selected individuals only) that think you are so cool because you can bash on I{D/P}S, don't forget about people out there in the trenches that maybe aren't as smart as you but have to face the implications of your "research" on a regular basis. What's abstract for the "security researcher" is often a needle in the foot of the in-the-trenches network defender. Hell, the IDS at the .edu still picks up people trying old, old bugs that are no longer cool for the trendy researchers, but guess what, those in the trenches that don't have control over their networks are still getting burned by both whitehat research and blackhat attacks on a regular basis. "Just get control over your network" sounds great, but sometimes that's not possible. Higher education is a great example of where an IDS or IPS makes sense. Let's see one of these high-falutin' researchers get tasked with defending a /16 (or larger) network where central control is impossible. You'll no longer have time for developing a 16-way polymorphic multi-stage shellcode because you'll be drowning in real-world issues that jump right in your face and won't go away until you do something about them.

Anonymous, 2006-10-29 00:24 (UTC-04:00):
Well spoken, sir.

Anonymous, 2006-10-28 17:11 (UTC-04:00):
Richard, I think the real question here is realistic expectations of what the technology can do and how we use it. Inflated expectations will always result in disappointment. I have written on this here: http://www.stillsecureafteralltheseyears.com/ashimmy/2006/10/the_peak_of_inf.html

Unknown (https://www.blogger.com/profile/15357840241031190415), 2006-10-28 12:00 (UTC-04:00):
A couple of questions that will nag me if I don't ask. :)

1) Does your opinion shift at all when talking IDS versus IPS? Or do you refer to both as IDS?

2) I tend to agree with you that security should be moving towards the switch. But I also feel that communications, especially ones that want to remain hidden, will continue to trend towards being encrypted and performed over otherwise expected ports like port 80. What can a switch offer to this other than src, dest, and protocol?

Anonymous, 2006-10-28 00:47 (UTC-04:00):
Richard, you are on the right track here. I've been having conversations like this at work along the same lines. I *agree* that relying on an IDS and its alerts is pointless. I disagree that an IDS is useless. Those that feel it is useless have not explored its full potential. Reading your books and your blogs, I have learned the importance of getting the session data and content data when possible. Together, these add up to a tremendous amount of intel on your network. By the way, I'm glad to hear you remind people that you don't *have* to capture full data if it's not cost effective. I have some IDS boxes that can capture EVERYTHING, and some IDS boxes that can only log session data due to high bandwidth. It's a hell of a lot more useful than staring at a BASE webpage...

Also, regarding SSL-encrypted sessions, I had an idea. It's possible for a Bluecoat Web Proxy to do SSL interception. The proxy decrypts and hands off the clear-text data to something like BlueCoat's ProxyAV (separate appliance) via ICAP to inspect. Why not set up a Snort/NSM box to inspect the payload? Can Snort speak ICAP? Don't think so. Perhaps a question for Marty and friends...