[Dshield] Signature-based IDS appliances - the issues

HenryHertzHobbit hhhobbit at comcast.net
Wed Jan 19 06:02:03 GMT 2005

Pete Cap wrote:
> List,
> I wanted to generate some discussion on the following topic.
> I imagine most of us are using some kind of commercial IDS solution,
> or else some kind of homegrown solution featuring snort.
> First off, what do you believe are the strengths and weaknesses in
> the IDS solution you're using?

I don't use one, but that is because I watch the logs myself.  That
solution will not scale very well.

> ...I'm aware that most of us probably aren't going to be using the
> solution we want since management and security/IT often don't see
> eye-to-eye. ...For this first question, if you want to include any
> anecdotes about the support, etc. you get from a commercial vendor,
> please feel free but keep it in the boundaries of language acceptable
> to this list :)
> Second, if you are using a homegrown solution, why (if it's money,
> feel free to detail the justifications)?  

It certainly is a money problem, but there is more to it than that.
I have had a philosophy of never giving more rope than is absolutely
necessary to get things done.  This of course has got me into trouble
in the past and will in the future. You haven't noticed an overwhelming
demand for security people in IT have you?  I haven't seen much demand
at all.  Even other IT staff don't like the security conscious people
and frequently fight at cross purposes.  I know more than one networking
person who thinks all that is needed in a medium size corporation (~5000
end user workstations) is an edge firewall.  I even know schools that
are still allowing telnet and ftp.

> Third, what difficulties *in general* do you experience using an IDS?
> How does it help you do your job?  What features would you look for in
> a perfect world?

I think an IDS system has multiple failings, not the least of which
is that it is the anomalies that whack you upside the head when you
least expect it.  IPS systems can be better, but an important
component of any of these systems is the people that are looking
at, and monitoring them.  Do NOT overlook how important people are,
especially if it is something strange and unusual.

> Fourth & finally, one of my coworkers has just made me aware of some
> of the newer features of snort inline, which approximate some features
> of the newer IPSs I saw in '04.  Do you think it's possible to completely
> replicate, using refurbished hardware and open-source software, the
> features and abilities of big-vendor IDS solutions?  For example, could
> you get as much utility out of a used Poweredge (eBay, $500-$1000)
> running Linux and snort as you could out of a commercial solution?

Please don't push Linux to do too much.  A much better solution for
the OS portion would be OpenBSD.  Linux works just fine on the desktop
(what I am writing this message from), as a web server running Apache,
as the OpenLDAP server and a variety of other uses.  It is NOT a good
choice for this application.  If you have the time (notice I said
***IF*** you have the time), YES, you can do almost as good a job as
the big vendor IDS solutions.  Actually, if you use OpenBSD with Snort
AND the PF firewall working as a transparent firewall, you have a dandy
box that is functioning as an IPS system.  If you are extremely
talented, it may even be working better than what they provide, and
before you know it, YOU will be selling an IPS system.  You will also
have the same problem they are having which is SELLING them.  Here are
some URLs on it:


Just key in "OpenBSD transparent firewall" (without the quotes)
at Google and do some preliminary learning.

What are the disadvantages?  If you don't know BSD you face a
little learning.  That isn't the bad part.  The learning
curve for most of you will be the PF firewall (I assume most will
know Snort fairly well), and putting all of this together for the
first time.  I assume most of you are quite intelligent (so far you
haven't disappointed me), and given enough time will be able to do
it.  Just be aware that doing something the first time ALWAYS takes
you at least three times more time than subsequent repeats of doing
the same thing again.  Frequently it is even 10...20 times more time
for the first go around.  What you are buying with a commercial
solution from the vendors is that learning curve, and their subsequent
refinements or even revamping of the original.  EVERYBODY has too much
to do, and time wise it may be better to buy those big name vendors

What are the advantages?  After you have done it, if something
irritates you, unlike a commercial vendor (no, I am not going
there), you can fix it because YOU created it!  It isn't the
hardware that you are buying with the commercial solution though.
It is the TIME the vendors put into polishing their product, and
refining their solution.  THEIR hardware isn't significantly better
than what you can get.  The one thing I am always AMAZED to see people
reaching for in the reliability equation is RAID.  I am not going to
denigrate it, but DO NOT FORGET A NICE BIG UPS!  Also, since you
are buying the hardware yourself, DOUBLE UP.  The hardware part of
the equation is cheap.  Make a clone and sit it there so that it is
either cold swappable (you have to boot the clone - OpenBSD boots even
faster than Linux), or hot swappable (the clone is running but not in
line). I don't think you would want two of them in parallel (how do
you handle the logs?).

Where is my penny?

Henry Hertz Hobbit

PS  When I say transparent, it is NOT transparent at the MAC layer
unless you also buy stealth NICs.
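An added example of the OpenBSD layout Henry describes (two NICs joined into a bridge, PF filtering on it, Snort sniffing a leg); this is not from his post or from any OpenBSD project file, and it uses current hostname.if and pf.conf syntax rather than the 2005-era brconfig tooling. The interface names em0/em1 and the permitted ports are assumptions.

```conf
# /etc/hostname.em0  (outside leg: no IP address, so the box has no layer-3 presence)
up

# /etc/hostname.em1  (inside leg: likewise no IP address)
up

# /etc/hostname.bridge0  (joins the two legs into one transparent bridge)
add em0
add em1
up

# /etc/pf.conf
ext_if = "em0"
int_if = "em1"

# A bridged packet crosses PF twice, once per leg.  Skipping the inside leg
# means each rule is evaluated exactly once and pflog does not record every
# packet twice.
set skip on { lo $int_if }

# Default deny, logged: whatever the bridge drops shows up on pflog0, where
# tcpdump (or a Snort instance on pflog0) can review it after the fact.
block log all

# Assumed services that outside hosts may reach on the protected segment.
pass in on $ext_if proto tcp to port { 22 80 443 } flags S/SA keep state

# Inside hosts may open sessions outward; the state table admits the replies.
pass out on $ext_if proto { tcp udp icmp } keep state

# Having no IP on the legs hides the box at layer 3 only; the MAC-layer
# caveat in the PS above still applies.
```

Snort would run against one leg (for example `snort -i em0`, an assumed invocation), and `tcpdump -n -e -ttt -i pflog0` shows what the block rule logged.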
