March 4th, 2003, 10:47 AM
IDS -- nonsense?
First people came with firewalls, after that firewalls were not enough and IDS became the trend and common sense. But ask yourself, since when did all this come up? Since more and more lousy sysadmins entered the IT field? Security through obscurity seems to be a major trend? Or is this wrong?
What I'm saying is that a good admin can close almost all unnecessary ports / holes / ... in the systems / network he/she admins and protect other stuff with good firewalls. How many times do you check your logfiles? Firewall logs? Server logs? ... A human "intrusion detection system" rules. Therefore all those people bragging about their wonderful firewalls and IDS's without taking care of the basic things ... argh...
I have seen so called 'system engineers' wanting the best of the best for their IDS, jumping on everything new the firm has or needs to implement without knowing or taking care of some elementary things. Like for instance a wrongly configured server for their 'toys' that kept taking a static IP meant for the mail server, making that server go nuts (DoS) every once in a while and making email do crazy things.
IDS is a good idea, but don't make it a meaningless 'hype' to follow.
March 4th, 2003, 10:53 AM
I have to agree with you, VK, about the importance of the human IDS but at the same time there is an issue of time sometimes, especially when there is no security team and just a harried administrator. With the "intelligent" IDS it can pick up signatures we may not have been familiar with. A good IDS should be a part of a whole security system, not the be-all-end-all. And it should be the "last line" as it were. The Alarm system.
Many people have guards and electronic fences and cameras and such. And still have alarm systems to protect whatever is valuable. If someone manages to get through all that and triggers the alarm, odds are more in your favour to respond sooner than later.
Just my thought about it.
March 4th, 2003, 10:58 AM
Yes, that's my point, some firms present IDS as the be-all-end-all solution, the after-firewall and admin era or something. In my eyes it should be like you said 'intelligent', meaning it triggers when needed and points admins to things they wouldn't have found because the intelligent IDS can recognize patterns much faster, and then we come to your point: time.
Originally posted here by MsMittens
A good IDS should be a part of a whole security system, not the be-all-end-all. And it should be the "last line" as it were. The Alarm system.
I agree completely MsM, I had only an 'IDS rant' feeling.
March 4th, 2003, 12:39 PM
relying on any one thing to do all your work for you is foolish in itself (esp. when it comes to computers, and more importantly security). I may be speaking out of line (as I'm still a newbie with only one BSD box under my sleeve) but even I know that there are many measures one must take to ensure the utmost security in his/her system... I'm obviously not going to get into any kind of detail, but even for me (and my lil' box) there are a number of precautions that one must take, I think I'm starting to repeat myself... As to the lazy admins, a lazy anybody will produce shoddy workmanship.
yeah, I'm gonna need that by friday...
March 4th, 2003, 12:43 PM
I am the second in charge of a 6000 node, 30 site, 100+ server network. I'm also the man for all things security related. I wish like hell I could do nothing but use firewalls, my life would be much easier. Unfortunately, with as many users as I have, using as many different applications- each with its own requirements- I've had to open so many ports in the firewall, it's a wonder I even have them in place. In fact, on one of my edge routers, one that sits in front of my firewall, if you print the configuration out, it's fourteen pages long. Most of that is AAA and ACL's. You don't even want to know what the firewall configs look like. So I have to have IDS's deployed. There are too many ways to exploit us otherwise. I log all source and destination addresses at my firewalls, they go to a dedicated Linux box that runs a Perl script cron job to look for significant traffic, it then alerts me via E-mail should something fishy come up. I have Snort deployed all over the place. I use SnortSnarf to give me a nice web interface to analyze that traffic, which I do every morning. I have Storm Watch (host based IDS) running on a couple of critical servers that (unfortunately) have to have public addresses assigned to them. I use MRTG to see if I have unusual traffic patterns at times when the network shouldn't be used. I have PacketShaper by Packeteer in place at every edge which I use as a redundant check to my firewall logs as well as using it for its traffic priority functions. Finally, I have put Norton Corporate out so users can't cancel or fail to update their virus scans. It's been a lot of work, but when I came aboard we were exploited all over the place. Root kits in critical servers, relaying porn, Nimda and Code Red eating us alive, you name it. Finally though, I don't think we've seen a successful 'hack' in about six months.
/me knocks furiously on wood.
But you are right about vigilance with administration. I probably spend two hours a day going through all that data and making sure the hatches are buttoned up. There isn't any one solution. Defense in depth is the only way to mitigate risk.
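The "dedicated Linux box with a cron job that looks for significant traffic and mails the admin" design described above, as an added example that is not the poster's script: Python stands in for Perl, the netfilter-style log line format, the documentation-range addresses in the sample and the two thresholds are all assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?")

# Constructed sample firewall log (assumed format, documentation addresses only).
SAMPLE_LOG = """\
Mar  4 02:11:01 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=21
Mar  4 02:11:01 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=22
Mar  4 02:11:02 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=23
Mar  4 02:11:02 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=25
Mar  4 02:11:03 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=139
Mar  4 02:11:04 fw kernel: DROP SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=445
Mar  4 02:12:10 fw kernel: ACCEPT SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=80
Mar  4 02:12:11 fw kernel: DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=443
Mar  4 02:13:00 fw kernel: DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=ICMP
"""

def summarise(log_text):
    """Per source address: count of dropped packets and set of distinct dest ports."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "DROP":
            continue  # unparseable or permitted traffic: nothing to report
        drops[m.group("src")] += 1
        if m.group("dpt"):  # ICMP lines carry no destination port
            ports[m.group("src")].add(int(m.group("dpt")))
    return drops, ports

def find_significant(log_text, port_threshold=5, drop_threshold=20):
    """Return (src, reason) pairs worth a look; the thresholds are assumptions."""
    drops, ports = summarise(log_text)
    findings = []
    for src, n in sorted(drops.items()):
        if len(ports[src]) >= port_threshold:   # one host sweeping many ports
            findings.append((src, f"{len(ports[src])} distinct ports probed"))
        elif n >= drop_threshold:               # one host hammering one service
            findings.append((src, f"{n} packets dropped"))
    return findings

def alert_body(findings):
    """Text the cron job would mail the admin; empty string means send nothing."""
    if not findings:
        return ""
    return "Firewall review:\n" + "\n".join(f"  {s}: {r}" for s, r in findings)

if __name__ == "__main__":
    print(alert_body(find_significant(SAMPLE_LOG)) or "nothing significant")
```

Only the source that touched six distinct ports is reported; the host with two drops stays below both thresholds, which is the point of filtering before mailing.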
March 4th, 2003, 03:45 PM
"I don't think we've seen a successful 'hack' in about six months."
Hmmm, wouldn't a successful 'hack' go unseen? I mean, a hack that is defeated at the firewall is just an attempt, a hack that is caught by IDS/logs and results in the hacker getting caught, that is an unsuccessful hack, unless its purpose was to get caught... A successful hack would be marching in, defeating both Firewall/IDS and covering tracks so that you couldn't tell the hack from normal use.
I tried looking for a post where someone said "Good security requires a philosophy," or some such thing like that. I think that their post basically summed it all up in a very few words.
Firewalls, IDS, patching, etc..., those are all elements of good security, but they are no more security than bricks are a building. IDS tells you if someone got in, it tells you after the fact, which is important, as is thorough logging; firewalls stop people from waltzing in, but the problem with a good firewall is that traffic still has to go in and out, or else you might as well unplug your network. Security is what is called an emergent property, it isn't any of its parts, but once you put all the parts together, bingo.
The problem isn't just idiots that don't have anything running to protect their stuff, it is the people that think that what they have is the end-all be-all.
When securing a personal computer you work in a completely different manner than if you are securing a server, or a machine on an internal corporate network, likewise with the difference between home networks, education networks, government networks, corporate... etc. Each situation requires a different set-up that takes into account the function of that which is being secured and then incorporates many different elements so that if a hacker should gain access they end up stumbling around in the dark and making a lot of noise.
Enough rambling, I need to shower and get some coffee.
The owl of Minerva spreads its wings only with the falling of dusk. -Hegel