
Thread: IDS & Corp Auditing - dysfunctionality?

  1. #1

    IDS & Corp Auditing - dysfunctionality?

    And I wonder why I get migraines...

    Our area is starting to go through an internal IT audit. Ok - cool. We are running into a philosophical and, soon to be, political match-off between our areas and Corp Auditing. Why? Because we have host-based IDS on our servers, we picked up on their scans, and now they want us to "lower our shields" so that they can come in and do their job... to do their job. Alright, I am at a loss, so I need to tap the more experienced of us out there:

    So is auditing "correct" in telling us to disable our IDS on our servers so that they can do their job?

    If so, why?

    Thanks in advance for your insights!

    "Quis custodiet ipsos custodes?"
    -Juvenal

  2. #2
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    I'm presuming your systems are connected directly to the internet via a router (of sorts) and the auditors wish to enter from their site. I wouldn't lower my shields unless there were 2 tunneling routers in place (to accept their IP address). If they wished to audit your site, then ask them to do it at your site rather than leaving yourself open to intrusion.

  3. #3
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Well vescovono, I agree with you; an auditor asking to turn off your IDS is a bit weird.
    1 - Access from the internet to your system for auditing purposes should not occur, unless they want to test the strength of your security level in order to improve it.

    2 - It could be acceptable if their flows are protected thanks to IPSec. But that means that you configured your PKI to accept their certificate.

    3 - Your IDS isn't active, is it? If yes, that means it behaves also like a firewall and they can't access everything. If not, I'd be paranoid and leave the IDS running to keep a trace of what they're doing in case of legal disagreement.

    I feel that's the good place to give my opinion about active IDS. The idea is great, but the risk of false alarms and DoS is to be taken into consideration.
    The IDS is there to alert that something is going wrong; dynamic countermeasures can be dangerous to the safety and the stability of your net.
    SHARING KNOWLEDGE

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    So is auditing "correct" in telling us to disable our IDS on our servers so that they can do their job?

    If so, why?

    Thanks in advance for your insights!
    Unless your IDS is active, for example, a detected event triggers a block rule in iptables or you are running something like Psionic PortSentry that will detect attacks/scans then initiate a block on the particular machine, I would strongly disagree with the request to lower your IDS protection.

    It would be a little more helpful if you mentioned whether your host based IDS was active or passive (something like logcheck, tripwire, etc) and perhaps even what IDS system you are using. Assuming it is passive, I couldn't think of any valid reason to turn it off and as such expose yourself to an increased danger. If it is active, maybe a compromise of just allowing their addresses in?

    I also want to throw something else out there... we were audited once and the auditors requested that kind of access. We granted it to them so they could get a detailed answer; they then went back and reported they had 'total access' to all of our systems and that our security was crap (grrr... still trying to pull that knife out of our backs)... we now politely give the auditors the middle finger after requests like this, so keep that in mind.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
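    As an added illustration of the compromise nebulus suggests above (letting the auditors' addresses through an active IDS instead of switching it off) and of the false-alarm/DoS concern raised in post #3, here is a small Python model of an active-response decision. It is not code from HP's IDS/9000, PortSentry or any poster; the alert format, the address ranges, the threshold and the iptables rule string are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts ("timestamp source-ip dest-port"); a made-up format, not a real IDS log.
SAMPLE_ALERTS = """\
2003-06-02T10:00:01 10.9.8.7 22
2003-06-02T10:00:01 10.9.8.7 25
2003-06-02T10:00:02 10.9.8.7 80
2003-06-02T10:00:03 203.0.113.44 22
2003-06-02T10:00:03 203.0.113.44 23
2003-06-02T10:00:04 203.0.113.44 80
2003-06-02T10:00:05 192.0.2.1 53
2003-06-02T10:00:05 192.0.2.1 22
2003-06-02T10:00:06 192.0.2.1 25
"""

class ActiveResponsePolicy:
    # Models what an active host IDS does once one source trips the port-scan threshold.
    def __init__(self, threshold, audit_nets, never_block):
        self.threshold = threshold  # distinct ports from one source before reacting
        self.audit_nets = [ipaddress.ip_network(n) for n in audit_nets]    # auditors: log only
        self.never_block = [ipaddress.ip_network(n) for n in never_block]  # own gateway/DNS etc.
        self.ports_seen = defaultdict(set)
        self.blocked = set()

    def handle(self, line):
        """Return (decision, firewall_rule_or_None) for one alert line."""
        _ts, src, dport = line.split()
        ip = ipaddress.ip_address(src)
        self.ports_seen[ip].add(int(dport))
        if ip in self.blocked:
            return ("already-blocked", None)
        if len(self.ports_seen[ip]) < self.threshold:
            return ("log", None)  # still recorded: the trace survives either way
        if any(ip in net for net in self.audit_nets):
            return ("log-audit-exempt", None)  # auditors get through, the record stays
        if any(ip in net for net in self.never_block):
            return ("alert-no-block", None)  # a spoofed scan must not cut off your own gateway
        self.blocked.add(ip)
        return ("block", f"iptables -I INPUT -s {ip} -j DROP")

def run(policy, alert_text):
    # Feed every alert through the policy; keep the final non-"log" decision per source.
    outcome = {}
    for line in alert_text.splitlines():
        decision, rule = policy.handle(line)
        if decision != "log":
            outcome[line.split()[1]] = (decision, rule)
    return outcome
```

    The point of the never_block list is the post #3 caveat: an attacker who forges a scan from your gateway or DNS server would otherwise trick the active response into cutting you off from them.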

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Is this a security audit? If so, then absolutely not. Is this a system and network audit? If so, why are they not physically at your site doing this?

  6. #6
    Well - and no laughing - but we are using HP's IDS9000... for now! It is a host-based active IDS running on HPUX 11.X (e.g. 11.00 and 11.11).

    We too have also been affected by the knife in the ol' backside, so we are less than willing to open ourselves up again. I know, I know they are doing their job in making sure we keep up to standards, but I still yell 'foul' about this "lower your shields so we can fire upon you" mentality.

    This audit is an internal audit by our own company's audit department. Logic would dictate to cooperate as much as possible, but believe it or not -- politics have come into play about this because of what has happened in the past.

    Thanks again!

    And this is still how we feel about the audit:

    "Quis custodiet ipsos custodes?"
    -Juvenal

  7. #7
    Whoa. Guess HP is the red-headed-stepchild black sheep of the *nixes. Well, now that HP will support Linux, we'll probably go to that -- too bad it's about 5 years behind everyone else.

    Check this - HP is just now going to start using /etc/shadow! Ya - before, we would have to 'trust' our systems for the added security. We just shake our heads and get the checkbook out to buy more servers.
    "Quis custodiet ipsos custodes?"
    -Juvenal

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Hey, at least that puts you five years ahead of Windows.
    Hopefully, with IBM and HP and Oracle backing Linux, it can now catch up to the rest of the *nix world.
    Who is more trustworthy than all of the gurus or Buddhas?

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    From my POV:

    I would not turn off current protection. The less they can find out, the less they can report access to. If they can't get all the info they want, that means that you are doing your job.

    Their job is to prove that you are not doing your job... so they want you to turn off your protection to show that you are not doing what you are supposed to.

    If they are blocked... that means any would-be attacker would also be blocked. Just because they are using automated tools and can't figure out how to beat your protection... that is their fault. That is their job... beat your protection. They shouldn't be asking for your assistance...

    By not turning off your protection, it will just prove that you are doing your job and the auditors are just a waste of time and money. (But still necessary.)

    We had audits and we were also requested to ease up on our protection. We basically told them to stuff it. Do what they can with what they have. Then if there are weaknesses in our current protection... report that, and we'd take appropriate action. Needless to say... they didn't have much to report on... I don't think they've been back since.

    Since the .gov requires us to have external audits (due to services we offer)... we just choose a different firm every time. The results are about the same. They get nothing. We give them a port to plug into and that's it. They are lucky we give them that. We give them no policies, usernames, etc. That is their job to figure out. Any would-be attacker would also be starting from scratch. Our auditors are treated as attackers. You would not help an attacker... why help an auditor?
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Are you sure this isn't part of their test of your security systems? Something like a social engineering attempt to get into your systems unmolested?

    Personally, it would have to come down from one of the officers of the company, in writing, that we had to disable our IDS. I would also, at that point, go on record stating that it weakens your overall network security, and that while the IDS systems are down you risk information integrity because of your inability to monitor the datastream.

    That's just me, and I've been stabbed in the back a few times myself.

    Good luck and let us know what happens.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
