[unisog] Gartner: IDS a Failure, Firewalls Recommended

Gary Flynn flynngn at jmu.edu
Thu Jun 12 20:35:20 GMT 2003

Douglas Brown wrote:
> According to Richard Stiennon, research vice president for Gartner (who 
> was formerly director of business development for Checkpoint): Intrusion 
> detection systems have failed to provide value relative to its cost and 
> will be obsolete by the year 2005...

Well, initial costs of a Snort installation are a port and some
commodity Intel hardware. So let's look at ongoing costs...

From the article:

"According to Gartner, some of the problems with intrusion detection
  systems are false positives and negatives"

Solvable by tuning. The problem is that people expect the tools
to do what the marketing literature suggests they can do. :)
If configured to take advantage of their strengths and taking
into consideration their weaknesses, they are a useful albeit
limited tool. Just detecting outgoing .ida attempts provides us
instant notification of a campus system infected with Code
Red/Nimda. Can a firewall do that? Sure. But only because the
problem was so widespread that otherwise application-ignorant
firewalls added the functionality almost like a signature. Other
rules are equally adept at detecting other shenanigans without
causing too many false positives. False negatives are only
pertinent if we believe marketing literature and think the
things are going to capture everything. It's like believing a
firewall is going to stop everything. Any detection is better
than none.

The market needs protection that is not available in current firewall
technology. IDS/IDP is the bleeding edge of firewall technology.
We pay for more detailed detection or protection with imperfect
results. They are the proving ground for higher layer rulesets.
Those that are accurate, will be moved into mainstream products.

  "an increased IT burden created by full-time monitoring"

Again, solvable by tuning. The tighter the configuration, the
less the overhead. A large portion of the reports generated by
default installations is crap. Admittedly, by highly restricting
the ruleset we miss a lot of potential attacks. However they
still make a nice tool for the attacks they accurately detect.

  "a taxing incident response process"

If it's a real attack from the outside, yes it's taxing and the
wisdom of responding to every one is dubious. The new IDP
functionality provides the ability to stop an attack rather than
just set off alarms which, to me, makes them immediately useful,
again with the rules that are accurate.

If it's a real attack from the inside and they're taxing
the incident response process, something else needs fixing. :)

  "an inability to monitor traffic at transmission rates greater than
   600 megabits per second."

I don't expect to get a 600 Mb/sec Internet link any time soon. Shoot,
except for some trunks, everything on campus is 100Mb or less.

"Firewalls are the most-effective defense against cyberintruders
  on the network, and they are becoming increasingly better at
  blocking network-based attacks," said Stiennon. "To be considered
  as a challenger, visionary or leader, a vendor must have both
  network-level and application-level firewall capabilities in
  an integrated product. Vendors that have only one or the other
  will be niche players."

Hmmm. Did you say he was the former business director
of Checkpoint? :)

Checkpoint is adding higher layer intelligence and IDP-like
functionality. If the firewall vendors add this intelligence
then it won't have to be in a separate box. We'll have a
box with application intelligence and (ugh) signatures that
can stop a higher level attack. It's evolution. I don't care
if they call it an IDP, firewall, content filter, or whatever.
If we are lucky, needing a separate box called an IDS may
indeed be obsolete by 2005. The functionality will be included
in a more universal box. The market will probably tend to favor
firewall vendors adding IDP functionality rather than IDP vendors
adding firewall functionality but who knows. We have router
vendors adding firewall and IDS functionality to switches. :)

As things sit now, I find the IDP devices much more attractive
than firewalls. We, as do most universities, have an open network.
Utilizing firewalls to control access or protect services generally
requires restricting communications at the port level unless they
have proxies for the service you are trying to protect. While they
may have some anomaly detection, to my knowledge attack signatures
are rare. An IDP can allow a network to open a service and block
recognized malicious access attempts. Is it foolproof? Of course not.
But neither is a firewall that inspects the traffic but allows it to
pass. Either is only as good as the ruleset.

One of the things that I like about having Snort boxes installed
is that when a new Internet Explorer defect is announced, I can
install a ruleset that looks for exploit attempts. Try that on a
PIX. If it was an inline IDP box (hogwash or one of the commercial
products), and the exploit pattern is sufficiently unique that an
accurate rule can be written, it would be possible to block such
an exploit until systems get patched.

I'm not sure about the etiquette of quoting from different
public lists but since a Google search found the quote
I'll pass on an exchange I had with Marcus Ranum on the
firewalls-wizards mailing list. His response makes me smile
every time I read it:

 >>I'd consider an intrusion prevention system to be one as smart as an IDS
 >>with the capability to block associated traffic like a firewall.

 >Exactly. Which is what I meant when I referred to them as
 >firewalls and antivirus with a fresh coat of paint. :) I could
 >have said "firewalls that don't suck" but that would have
 >seemed a bit negative. :)

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
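One way to implement the "outgoing .ida attempt" detection the post describes, as an added example that is not part of the original message: the script parses a constructed sample of HTTP request log lines, keeps only requests that leave the campus network (assumed here to be 10.0.0.0/8) for a .ida path, and reports source hosts that hit more than one external target. Ignoring inbound .ida requests and one-off hits is the kind of tuning that keeps scan noise out of the alert while still flagging an infected campus host.

```python
import ipaddress
import re

# Constructed sample log: "src -> dst METHOD PATH HTTP/x". Addresses are
# RFC 1918 / documentation ranges, not real traffic.
SAMPLE_LOG = """\
10.7.3.21 -> 198.51.100.8 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
10.7.3.21 -> 198.51.100.9 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
203.0.113.5 -> 10.1.1.80 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
10.2.9.14 -> 198.51.100.20 GET /index.html HTTP/1.1
10.7.3.21 -> 198.51.100.10 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0
10.5.5.5 -> 198.51.100.30 GET /docs/ida-overview.html HTTP/1.1
"""

# Assumed campus address space; adjust to the real internal ranges.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+) -> (\S+) (\S+) (\S+) HTTP/")
# A request for an .ida resource (ISAPI extension), optionally with a query.
IDA_RE = re.compile(r"\.ida(\?|$)", re.IGNORECASE)


def is_campus(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, method, path = m.groups()
    return {"src": src, "dst": dst, "method": method, "path": path}


def outgoing_ida_hits(log_text):
    """(src, dst, path) for .ida requests that leave campus for the outside."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not IDA_RE.search(rec["path"]):
            continue
        # Direction is the tuning: inbound .ida probes are background noise,
        # an outbound one means a campus host is doing the probing.
        if is_campus(rec["src"]) and not is_campus(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["path"]))
    return hits


def suspected_infected_hosts(log_text, min_targets=2):
    """Sources probing at least min_targets distinct external hosts."""
    targets = {}
    for src, dst, _ in outgoing_ida_hits(log_text):
        targets.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}
```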
