In recent months, intrusion-detection and -prevention systems have made significant strides in helping organizations
defend against cyberthreats, exploits and malware. Joel Snyder, senior partner with Opus One, recently joined us for a webcast where he surveyed the landscape of new technologies and best practices for increasing the intelligence of an organization's overall intrusion defense. Here is a small sample of questions that Joel addressed during the webcast, Advanced intrusion defense.
Even with target-based IDS, isn't there a large component missing from most IDS solutions because there isn't a comprehensive log of all network activity? Without a tool that does this, how do you investigate incidents?
I think that log tools are useful, but largely impractical for all but the most trivial networks. We have learned to live without them.
How do you like Network Associates' Intrushield IPS? It seems like a good all-in-one system.
Network Associates does not participate in the reviews I have done on IDS, so I have not had a chance to properly evaluate their product. I am generally wary of products that are afraid to be compared head-to-head with the industry leaders. NAI dropped out of three consecutive reviews, so I don't think it is just coincidence.
In your example of the Blaster TFTP server slipping by ISS, was the event of the actual infection caught and correlated to the fact that the patches were missing? If not, how come?
Yes, it was caught, but ISS was unable to sort that out from a bunch of other attacks that were not an issue. Because of the noise level, ISS effectively "missed" the attack. You might be able to dig it out of the forensics, but that's not useful in this case.
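The failure described in this answer is a correlation gap: the alert existed, but nothing tied it to whether the targeted host was actually exposed. The added example below (not from the webcast or any vendor product) shows a target-based triage pass that keeps an alert only when the destination host's fingerprinted OS matches and the closing patch is absent; all hosts, signatures and patch names are constructed.

```python
"""Target-based alert triage: keep an IDS alert only when the targeted host
is actually exposed (matching OS, required patch missing), so one real event
is not buried under probes against hosts that cannot be hit.
All inventory entries, alerts and patch names below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig: str          # signature name
    dst: str          # targeted host
    affects_os: str   # OS family the exploit works against
    needs_patch: str  # patch that closes the hole ("" if none known)


# Constructed inventory: what OS fingerprinting / vulnerability scanning returns.
INVENTORY = {
    "10.0.0.5": {"os": "windows", "patches": {"RPC-FIX"}},  # patched
    "10.0.0.7": {"os": "windows", "patches": set()},        # unpatched
    "10.0.0.9": {"os": "linux",   "patches": set()},        # wrong OS
}


def triage(alerts, inventory):
    """Return (actionable, noise). Unknown hosts stay actionable, since
    there is no evidence they are safe."""
    actionable, noise = [], []
    for a in alerts:
        host = inventory.get(a.dst)
        if host is None:
            actionable.append(a)
            continue
        patched = bool(a.needs_patch) and a.needs_patch in host["patches"]
        if host["os"] != a.affects_os or patched:
            noise.append(a)
        else:
            actionable.append(a)
    return actionable, noise


# Constructed alert stream: repeated RPC probes against hosts that cannot be
# exploited, plus one worm-style TFTP fetch toward the unpatched box.
ALERTS = [
    Alert("RPC DCOM overflow attempt", "10.0.0.5", "windows", "RPC-FIX"),
    Alert("RPC DCOM overflow attempt", "10.0.0.9", "windows", "RPC-FIX"),
    Alert("RPC DCOM overflow attempt", "10.0.0.5", "windows", "RPC-FIX"),
    Alert("TFTP GET of worm binary", "10.0.0.7", "windows", "RPC-FIX"),
]

if __name__ == "__main__":
    hit, dropped = triage(ALERTS, INVENTORY)
    print(f"{len(hit)} actionable, {len(dropped)} noise")
    for a in hit:
        print("ACT:", a.sig, "->", a.dst)
```

In practice the inventory side comes from the scanner and fingerprinting data the webcast covers; the point is that the alert against 10.0.0.7 surfaces alone instead of as one line among many.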
Is there a good guide for developing a security policy?
I always tell people to start with Charles Cresson Wood's books on information security policy development. He has been doing it for over a decade and has a lot of good advice from the trenches. His books are a little expensive, but they pay off very, very quickly. I have not found a good Internet resource on security policy development.
What IDS would you recommend for Windows networks?
The same as any network. Windows is obviously a bigger deal than an all-Unix network, but the rules are the same. My current feeling is that ISS leads the pack in IDS technology. This doesn't mean that they are the best for everyone.
What kind of Linux software is available to build an IDS?
Snort is the best freeware IDS, although it requires a large number of add-ons to make it usable. Be prepared to spend a week or two building up a good one.
What are your thoughts on heuristic scanning?
I think that active scanning has a lot of issues, not all of which are independent of the choice of scanning method. Anything that causes scanning to crash fewer systems and return better data is a good thing. People need to work on this, and fortunately they are.
How does ACID with a Snort console fit into these commercial products?
I have had poor luck in making a usable IDS out of freeware components for any but the smallest of networks or the most specific of tasks. This might be my own shortcoming as a generalist, but I would think twice before going back down that path. The amount of work to make it "right" is often higher than the value.
How capable is Symantec Gateway Appliance with built-in IDS capability?
It's not bad. I have only had limited exposure to it, but it looked pretty nifty to me. Symantec is, slowly, getting its act together for more than desktop security. I'd short-list them if I were selecting a product. The issue I have with them is their proxy-based approach, and that's one that is very difficult to deal with in any environment. Performance is just a killer.
What are your thoughts on the standards work in this area for common event formats, policy?
Anything that increases interoperability of products is a good idea. I have seen very, very poor uptake by the security community of standards. Starting with SNMPv3 and moving on forward, all kinds of management standards have also been poorly received. So I would say that I support the concept, but doubt that we will get much help over the long term. What has succeeded better are vendor-specific APIs like OPSEC. I have stopped discarding these out of hand because they seem to be helping in this area. Still, I have no hope that there will be any solid development in security policy standards; the groups are just too clueless. Look at IPsec and see how far they are from reality, even after living with IKEv1 for almost a decade.
To learn about the evolution of "target-based" IDS, the use of OS fingerprinting and vulnerability scanning to increase defense intelligence and more, download the webcast or view Joel's presentation without streaming audio.