> -----Original Message-----
> From: Matt Jonkman [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 14, 2005 6:46 AM
> 
> On Thu, 2005-10-13 at 18:38 +0100, Omar A. Herrera wrote:
> 
> But the big thing that all of these malwares have in common, and what
> they have to do, is either send data they collect somewhere, or take
> commands from somewhere. And to do this they have to talk to someone,
> and that's where IDS can see them, and IPS can stop them. No matter what
> new OS hook, or what they disable or defeat on the host, they still have
> to get data through the network.
> 
Mh, you certainly have a point here. An IDS/IPS should be able to pick up
that traffic. Yet, the visibility problem I mentioned before is what makes
me doubt that they are capable of identifying this traffic as malicious, all
the time.

The problem is in essence: given a certain stream of bits flowing from
inside the network to the Internet, is the IDS/IPS always able to distinguish
whether the content is malicious in nature or not?

My reasoning is this: If the stream by itself gives enough information, then
yes (i.e. if the malware uses a proprietary protocol and/or fixed port that
makes it uniquely identifiable). But, if there is not enough information to
identify the content as malicious, then, even if the network based IDS/IPS
can see it, there is simply not enough information to tag it as malicious. 

A simple http request for example:
http://xxx.xxx.xxx.xxx/harmless.cgi?1111222233334444 going to port 80 to
some server on the Internet.

There you go, a credit card number being transmitted by some malware to the
internet. Unless you already know that xxx.xxx.xxx.xxx is a malicious site
beforehand, then there is simply no way for an IDS/IPS to distinguish this
malicious traffic from legitimate traffic :-).

However, hIDS/hIPS have more information at the host side. For example, they
can identify the process starting that communication, and just by looking at
a process whitelist, they can decide if the traffic is authorized or not,
and take some action based on that fact (e.g. the white list contains only a
pair of web browsers that are authorized to establish http traffic to port
80; nothing else is authorized to do this).

This is the kind of information that you have with host based products which
you don't with network based products. The host based product can even see
everything that the network based product sees on the network (for that
particular system only, of course), but the network based product can't see
what is happening inside every system it is watching, and hence has less
information (e.g. they can't guarantee that some particular http traffic for
port 80 was indeed started by an authorized browser). 
 
> > On the other hand, you can detect and prevent this sort of stuff at the host
> > level (blocking hooking attempts for the keyboard, for example) and the best
> > part of it is that it doesn't matter if it is a completely new or custom
> > made spyware, or trojan, or any other kind of malware where you can install
> > this capability. So, this clearly shows that the visibility (and
> > consequently the identification) of these threats is much better at host
> > level, and whether these controls have still flaws or not does not affect
> > their potential visibility of these threats, which in any case will be much
> > better than any network based security control.
> 
> At many levels you can be effective at the host. But inevitably there
> will be found a way to evade or disable these protections. Likely it'll
> be defeated by researchers quickly, but it exists. We need layers of
> security. Hence my comment about a system policing itself. You need
> outside oversight of any system to ensure it's not compromised.
> 
> I never implied that HIDS isn't useful or effective. But you can't put
> your eggs into one basket, especially when that basket is expected to
> police itself.

Yes, I agree, there are many ways to circumvent security at the host level.
You can sort of piggyback by making use of authorized processes and
applications, for example, or by making use of extremely complex covert channels,
but the visibility capabilities (from the point of view of events inside
each critical system) remain the same for both hIDS/hIPS and nIDS/nIPS.

> 
> That was my point as well. Layers. If you can afford hids on all
> systems, and the load and such isn't an impact, and there is a hids for
> every OS and server you run, then it's a great tool. But nearly any
> network can afford IDS (snort is free), and with basic training can
> implement an effective network-wide control.

I do agree with you that layered security is always the best option, even if
there is some redundancy in some of the activities performed by different
kinds of products. 

Therefore, organizations going for strict security by installing hIDS/hIPS
products on every critical server and workstation also have good network
defenses, which of course include nIDS and nIPS.

> 
> It's the 80/20 rule. We know about the vast majority of spyware out there
> (by distribution). Your odds of being hit by a totally unknown spyware
> package, or a totally unknown worm are slim. And even if so it'll be
> known within hours or days. So a tool that blocks known things IS
> effective. :)

That's not good enough for some types of organizations, including some
government and financial institutions. They have to push closer towards 99%
security.

Also, you should check the trends regarding customized (or specially
crafted) malware for targeted attacks. For the kind of organizations
mentioned above this is extremely important. I don't believe that nIDS/nIPS
vendors are able to release updates for their product's blacklists on time,
because if they do, it most probably means that the organizations or
individuals being targeted already were attacked by them, detected them, and
reported them (and I doubt this last thing is done at all).

You are not supposed to wait for vendor updates while using white lists in
combination with hIDS/hIPS products because you need to create them
yourself. It is a completely different approach that requires a lot of
resources and time. But talking about organizations that need it, they will
go for it surely.

> > I don't really see myself screaming before the IDS console "Watch out, a
> > spyware is coming through!, I'll get Spybot and I'll clean that machine with
> > really sensitive information. I just hope to react fast enough before
> > something nasty happens".
> >
> 
> But how do you know what machine is compromised, and when? IDS will tell
> you, or prevent it. Can you afford to have a tech at every pc in your
> enterprise on a regular basis to make sure there's nothing there?

For critical servers and workstations I can afford having host based
protection with white lists (with all the resources that you require to
maintain that infrastructure) and personnel to do periodic security checks
on-site (also, I can afford having network based security controls but don't
rely on them alone for this sort of thing with malware). Life is not easy
for me, but those are the requirements for the kind of organization I work
for.

See above why a network based IDS/IPS will have less chance of telling me
which machine was compromised, and when, using certain types of malware.
:-)

> It doesn't have to be installed on 10,000 machines in an enterprise, or
> managed, or licenses purchased for them. Plus, there's more to the net
> than workstations and spyware. IDS is a full range product for all
> systems, apps, and OSs.

That is a good value for the protection coverage you get, I must agree. But
again, it is not good enough for the protection level it can give, not for
me at least (refer to the above explanations).

>> There are also several discussions of why rules targeted at specific 
>> exploit code and shellcodes are not a good idea, even in Snort 
>> vulnerability-based signatures are preferred; I think I've even seen 
>> Martin Roesch state that. It is the same principle. 
>
> Yes, that's true. And why there are signatures for specific exploits
> initially upon discovery, then more research into the actual
> vulnerability and signatures to detect any violation of norms. And if
> you're quoting Marty to point out how useless IDS is, you're also going
> down the wrong road. :)

No. I never meant that IDS were useless. That's not what I'm saying or
implying, but just to make sure this is perfectly clear I will rephrase it. 

What I mean is that nIDS is not better suited for certain security tasks
that are better done with other security tools (and I believe that was also
the point of Marty, as well as how to make a better use of nIDS). 

Network based IDS/IPS and host based IDS/IPS complement each other, they
have some points where there is some redundancy but you can't replace one
with the other. All I was trying to say is that for this particular task of
detecting and stopping malware (which was why this thread started), a host
based solution is more effective than a network based solution, and I assume
that we are all on the same track. That's all. :-)

Kind regards,

Omar Herrera
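As an added illustration, not part of either author's message, the following Python sketch contrasts the two vantage points discussed above: a network sensor that can only inspect the request content, and a host agent that also knows which process opened the connection and checks it against a process whitelist. The requests, process names and whitelist are constructed sample values; the destination address is a documentation-range placeholder.

```python
import re

# Constructed sample: the same three outbound HTTP requests from one workstation,
# first as a network sensor sees them, then as a host agent on that machine sees them.
NETWORK_VIEW = [
    # (dst_ip, dst_port, request line)
    ("203.0.113.10", 80, "GET /harmless.cgi?1111222233334444 HTTP/1.1"),
    ("203.0.113.10", 80, "GET /checkout.cgi?card=4111111111111111 HTTP/1.1"),
    ("203.0.113.10", 80, "GET /index.html HTTP/1.1"),
]
HOST_VIEW = [
    # same requests, plus the originating process, which only the host can see
    ("203.0.113.10", 80, "GET /harmless.cgi?1111222233334444 HTTP/1.1", "updater.exe"),
    ("203.0.113.10", 80, "GET /checkout.cgi?card=4111111111111111 HTTP/1.1", "firefox.exe"),
    ("203.0.113.10", 80, "GET /index.html HTTP/1.1", "firefox.exe"),
]
# Assumed whitelist: only these browser processes may talk HTTP to port 80.
PROCESS_WHITELIST = {80: {"firefox.exe", "iexplore.exe"}}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def network_verdict(dst_ip: str, port: int, request: str) -> str:
    """Content-only check: flag any 13-19 digit run in the request that passes Luhn."""
    for run in re.findall(r"(?<!\d)\d{13,19}(?!\d)", request):
        if luhn_ok(run):
            return "suspicious"   # exfiltration and a real checkout look identical here
    return "allowed"


def host_verdict(dst_ip: str, port: int, request: str, process: str) -> str:
    """Process-aware check: may this process talk on this port at all?"""
    return "allowed" if process in PROCESS_WHITELIST.get(port, set()) else "blocked"


def network_only() -> list:
    return [network_verdict(ip, p, r) for (ip, p, r) in NETWORK_VIEW]


def compare() -> list:
    """(network verdict, host verdict) per request; only the host tells them apart."""
    return [(network_verdict(ip, p, r), host_verdict(ip, p, r, proc))
            for (ip, p, r, proc) in HOST_VIEW]
```

Both card-like requests are indistinguishable to the network check, while the host check separates the one sent by an unauthorized process from the one sent by a whitelisted browser.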
