Hassan, You make some good points, but I'd like the opportunity to clear up a few things about my NADS:
>IMHO comparing pure play behavior detection to IPS is like comparing apples and oranges. I couldn't agree more. I spoke up because Stefano brought up the topic of anomaly detection. One thing that does bother me is how IPS has been painted as a "magic bullet" by vendors (and even the press). IPS works great at the perimeter or other "choke points" in the network. However, in speaking with customers, it is too costly to deploy in a scenario that can give you adequate network visibility or proper blocking capabilities inside your organization. It should remain a perimeter solution, placed in a strategic location to protect key assets (example would be a group of critical servers), or perhaps one day merged into your network infrastructure (perhaps the future as painted by Tippingpoint and 3com). >NADS appears to be more similar to the old sniffer technology with the added feature of /possibly/ giving better clues >as to the cause of the anomaly from a security perspective whereas the old Network General style explains from network >problem perspective. Yes. NADS gives much of the value of traditional network troubleshooting tools like Sniffer. But this is only a fraction of its capabilities. These systems can gain network info from taps, SPAN/mirror ports, NetFlow, or sFlow. The result of this hybrid approach is a much broader network visibility than traditional security devices such as IDS or IPS can provide (at least for the same costs). The reason you get more visibility with fewer boxes deployed is because these systems can leverage the flow information (NetFlow or sFlow info exported from your routers/switches). You essential turn all of your routers and switches into security probes so you don't have to deploy (purchase and maintain) a box everywhere you want coverage. Many folks don't even know what NetFlow or sFlow is or how it can be used to provide them much needed security information (and save them money). >Protocol anomaly at least looks more promising in the IPS space as the action capability is there. In my experience, it definitely takes time baselining... but once >baslined, it could be a valuable tool (again when the action component - read IPS - is added). Yes, baselining takes some time. So does tuning a signature-based product. We should all know by now that IPS is easy to deploy and tune cause they've ripped out all of the signatures and only block on the handful that they know they can block on accurately. Don't get me wrong. With that being said, I still see the value of using IPS to detect and block low hanging fruit. On the other hand, NADS can have full network visibility, understand what is normal activity for hosts, alarm the administrator, and even take blocking action on the administrator's behalf. How does it do this without being inline? It leverages the existing network infrastructure to block attacks...something that is being called "infrastructure IPS". This allows the NADS to find the piece of network infrastructure closest to the threat (router, switch, firewall, etc.) and take blocking action there in order to quarantine the attack. Your IPS can't do that! IDS/IPS can only detect and block once traffic passes the device (which works great at the perimeter). Since a NADS system has complete visibility, it can instruct your infrastructure to take blocking actions and stop internal threats more effectively. >That whole Gartner prophecy of "IDS is dead" was referring to the idea that detection by itself is just not enough. Maybe behavior detection (NADS) might be good for >forensics... but I'll take IPS wherever I can get it thank you. If one can't afford IPS... then I guess going the forensics only route is better than nothing. But even >then, pure-play behavior-based solutions leaves the gap of not detecting known bad stuff. As mentioned above, NADS can detect and block malicious activity. And yes, they provide a wealth of forensic information. Lancope provides the last 30 days. As far as detecting known bad stuff, I suggest a hybrid approach. IPS at the perimeter to catch low hanging fruit, IDS internally to detect known attacks, NADS to understand normal behavior and detect/block on threats. Your better NADS can correlate events from signature based IDS. This means that they can weed through the thousands of signature-based IDS events that might be occurring daily and cherry pick those that correlate to a behavioral change from a host. A great example of this would be saving the administrator the time of sorting through 1000 RPC buffer overflow alarms generated by his IDS because his servers were not vulnerable and experienced no behavioral change after the attack. However, the administrator would be presented the one RPC buffer overflow that correlated to a host that went outside of its normal behavior and started scanning other hosts, connected to a remote server on some random port, etc. >btw... even Lancope has signatures (however outdated they may be)... so even Lancope realizes the value of signatures in the security tool box. They aren't signatures, but yes, we do have behavioral algorithms that look for suspicious activity. And yes, some of these do not require a baseline to determine malicious behavior so in vague terms they could be considered somewhat like a signature. For example, I don't have to have a baseline of a host to know that aggressive scanning on port 445 is bad, port 80 traffic that is not valid http is bad, etc. Hope this clarifies my position a bit. Regards, Joe Joe Hamm, CISSP Senior Security Engineer Lancope, Inc. [EMAIL PROTECTED] 404.644.7227 (cell) 770.225.6509 (fax) Lancope - Security through Network Intelligence(tm) StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com. -----Original Message----- From: Seek Knowledge [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 30, 2005 6:58 PM To: Joseph Hamm; Stefano Zanero; Daniel Cid; Focus-Ids Mailing List Subject: RE: IPS comparison IMHO comparing pure play havior detection to IPS is like comparing apples and oranges. NADS appears to be more similar to the old sniffer technology with the added feature of /possibly/ giving better clues as to the cause of the anomaly from a security perspective whereas the old Network General style explains from network problem perspective. Protocol anomaly at least looks more promising in the IPS space as the action capability is there. In my experience, it definitely takes time baselining... but once baslined, it could be a valuable tool (again when the action component - read IPS - is added). That whole Gartner prophecy of "IDS is dead" was referring to the idea that detection by itself is just not enough. Maybe behavior detection (NADS) might be good for forensics... but I'll take IPS wherever I can get it thank you. If one can't afford IPS... then I guess going the forensics only route is better than nothing. But even then, pure-play behavior-based solutions leaves the gap of not detecting known bad stuff. btw... even Lancope has signatures (however outdated they may be)... so even Lancope realizes the value of signatures in the security tool box. Regards, Hassan Karim, CISSP --- Joseph Hamm <[EMAIL PROTECTED]> wrote: > >Fact is, anomaly detection is so rare that it's > almost unexistant in > the commercial products, except for limited forms > >of "protocol anomaly detection" and for Arbor's > peakflow technology. > > Not true! The only reason this space hasn't gotten as much attention > over the last few years is cause everyone was busy buying signature > IDS and now IPS solutions. > > Pure Network Anomaly Detection players: > Arbor > Lancope > Mazu > Q1 Labs > (All of these have been around for several years despite the lack of > industry attention to this space. Am I missing any new ones?) > > Also, for a recent article on network anomaly detection systems > (NADS), check out this month's Information Security Magazine (cover > story). The NADS space (this is only the latest acronym used to > describe this group of products), is starting to get more attention > and press coverage. You will also find some articles that call these > products NBAD (Network Behavior Anomaly Detection) solutions. > > Many security companies can detect "anomalies" in some form. Almost > every security vendor has the word "anomaly" in their marketing > literature. You need to understand what they mean by an "anomaly" and > how they detect them. > > "protocol anomaly detection" and "network anomaly detection" are two > different things although detecting network anomalies can include > protocol anomalies as well. An IPS is a point solution, usually has > limited network visibility (unless you spend a fortune and deploy them > everywhere), and can only perform protocol anomaly detection (from > what I've seen). In order to have the best NADS, you need complete > network visibility and an understanding of what is "normal" > on your network. > > Rolling out NADS generally requires less appliances than IPS (read > less > cost) because one box can gather network info from multiple SPAN > ports, network taps, or get NetFlow/sFlow feeds from remote > routers/switches. > > Kind regards, > Joe > > Joe Hamm, CISSP > Senior Security Engineer > Lancope, Inc. > [EMAIL PROTECTED] > 404.644.7227 (cell) > 770.225.6509 (fax) > > Lancope - Security through Network Intelligence(tm) > StealthWatch(tm) by Lancope, a next-generation network security > solution, delivers behavior-based intrusion detection, policy > enforcement and insightful network analysis. Visit www.lancope.com. > > > -----Original Message----- > From: Stefano Zanero > [mailto:[EMAIL PROTECTED] > Sent: Monday, August 29, 2005 6:01 PM > To: Daniel Cid; Focus-Ids Mailing List > Subject: Re: IPS comparison > > Daniel Cid wrote: > > This "anomaly" detection will only detect 0-day > exploits for known > > vulnerabilities. > > A zero-day exploit is a curious marketing thing. You suddenly redefine > a difficult problem (catching zero-days) as a rather simpler problem > (create signatures that actually describe the vulnerability, which is > what any signature worth your licensing cost should do). > > So, presto!, you can rush up and put out some rather nice marketing > material on it. > > Fact is, anomaly detection is so rare that it's almost unexistant in > the commercial products, except for limited forms of "protocol anomaly > detection" and for Arbor's peakflow technology. > > Best, > Stefano Zanero > --------------------------- > Secure Network S.r.l. > www.securenetwork.it > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world attacks from > CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world attacks from > CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > Send instant messages to your online friends http://uk.messenger.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
