"Not everything that is
counted counts, and not everything that counts can be counted."
---
Albert Einstein
Nowadays, more and more network administrator introduce IDS or likewise system to their network to protect their network from being attacked, but the truth is, the IDS is not that reliable as we expected.
Most IDS systems are pattern based, requiring a large set (typically ~1500+) signatures to alert based on a specific combination of TCP flags in the header, or a set pattern in the payload. The accuracy of this approach depends, of course, on the skill of the administrator writing the signature, but in most cases this provides for very accurate detection of a specific attack, and will not catch new or modified attacks.
Because most NIDS systems operate in layer 2 (OSI), they simply feed raw traffic into a detection engine and rely on the pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host’s TCP/IP stack and upper layer applications – so the IDS analyzed traffic, the host would otherwise discard. This approach also has the disadvantage that packets can be intentionally crafted in such a way as to confuse pattern-matching IDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload.
So IDS would possibly have a different views with the real end system which could be exploited by hack to fool the IDS system. There are two most prevalent techniques, Insertion and Evasion. Just like what those words literal meaning, the IDS could either see more words or less words than a real end system. They very well discussed, you could find more information here[1].
And we could find a real world example here[2]. You could easily figure out that, even for the most sophisticated IDS, it could do not detect all attacks. Because it could only read in a packet level, it could not replay the whole "stream", so it make any type of implementations inevitable to this flaw.
The discussions here are not aimed to shame any IDS implementations, the systems are still very good and they are also evolving too. We just want to emphasis that, IDS is not as its literally meaning, Intrusion Detection, it could do only part of it. In China, we have a saying like that, no one could do everything himself/herself, so we should think about other solutions for "stream" based and application based attack, fortunately, now, we have some solutions for that, OSSEC, a host based or a logs based analysis engine could help security admin to detect some attacks based on system or application logs. So all the application based attack could be well processed by OSSEC. But it is not the ending for our story, both OSSEC and other logs based analysis engine are pattern based too, which means that it could only reported problem which match a certain pattern, and if the pattern is not very well customized, it will generate a lot of false active reports.
So, manpower is still needed for now, we should always keep our eye on our systems, to keep the hackers away!
No comments:
Post a Comment