This is my point exactly. I don't allow my IDS to respond to attacks for the very reason you stated. It could easily force a DoS. I think a lot of people don't take this into consideration. The vendors push automatic response as a sexy feature when it really could be a major nuisance. Let each piece of the puzzle do what it was designed for, no crossover. The "D" in IDS stands for detection; I didn't install an IDRS. *The "R" is for response, if anyone missed that.
I try to use the most cost-effective measures in a layered approach to security. Anyone who throws up a firewall and thinks they are secure is usually in for a big surprise. The most cost-effective and easy approach to security is just to keep your systems patched! This is simple and would probably fight off 98% of all problems. The SQL Slammer worm is a perfect example. The patch was available months ago! Security is a VERY dynamic process. I use an IDS to help identify problem IPs, what types of attacks I need to make sure I'm protected against, and auditing. The problem with an IDS is it can only identify attacks in progress on the wire. An IDS does NOT acknowledge if attacks were successful. This is where the layered approach comes in, and the most important piece of the whole puzzle is so basic.... a clearly defined corporate security policy with teeth. How many individuals realize 80% of all attacks and problems are not from external threats but from employees?

I take security very seriously. I worked for a company once who was about to throw up an E-commerce site that generated $1.5M the first year behind a Microsoft Proxy Server. I had to scream, complain, and scare the hell out of the executives before they coughed up the bucks for an adequate security implementation. An IDS is a tool, a mere piece of the security pie. NEVER put all of your security eggs into one basket or they're sure to get cracked. That's pretty catchy. I need to remember that one.

-----Original Message-----
From: Carroll Kong [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 22, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automated IDS [7:63557]

I cut out some of the other messages to concentrate on one issue, automated IDS responses. If your automated IDS responses result in an "automated" packet filter of any sort, I think you are doing yourself a disservice.
You might stop some kiddies, but you are just leaving yourself wide open to professionals who can DoS you very easily. I suppose it would help if everyone just started filtering at the edge to help prevent spoofing, but alas, that is not the reality of today's networks. It should be trivial for the attacker to DoS your systems beyond compare. For example, what if he spoofs a trusted host? Now your trusted host cannot have access anymore. Ok, so what if you have exceptions for the trusted host? Now he has a host worth spoofing for: DoS the trusted host, assume the trusted host's identity. Easier said than done, and you can mitigate the risk with stuff like MAC address port locking and anti-spoofing ACLs, but this is just to give you some ideas of how automated IDS responses can be particularly dangerous.

Not even factoring in the possibility that you can lose accessibility to many systems, most firewall products have some pitiful limitations (one can easily blow out any stateful firewall), and you can be assured your ACLs will grow to be so big your firewall just might keel over. I hope you've got default-closed systems. ;) But I suppose it won't matter at that point; your network will be down, or your IDS might be filled with so much "garbage" that you might not see the real attack come through for your "forensics" team to discover which hosts have been compromised.

> Come on now, the slammer worm? If you are security conscious this
> shouldn't have had any effect on you. Microsoft released a patch last
> summer. Security is a best effort solution. It is about layers and
> maintenance. You cannot eliminate risk, you can only reduce risk.
>
> An IDS's responsibility is to pick up attacks on the wire, not prevent
> them. I personally don't believe in allowing my IDS to respond to an
> attack.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Albert Lu
> Sent: Friday, February 21, 2003 9:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
> Hi Troy,
>
> Must be some secure site. The reason I was interested is that I had a
> discussion with someone else before in regards to multi-vendor IDS
> solutions and how effective they might be.
>
> So if you mostly rely on manual action, and an attack came in after
> hours, how quickly can you respond to your alerts? Since for some
> attacks, a half hour response time could cause your site to be down
> (e.g. slammer virus). If that was the case, even if you had all the
> vendors' IDS, it will be useless.
>
> Albert
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
> As with most things, you need to weigh up costs against your
> requirements. In our case, security is absolutely essential, so having
> multi-vendor security solutions (and indeed fully redundant) is costly,
> but we see it as justified.
>
> With regards to action during attacks etc., we mostly rely on manual
> actions as we don't want to inadvertently block legitimate traffic (for
> example if an attack came from a spoofed IP). For automatic action, you
> can make use of Cisco Policy Manager, which has the ability to
> dynamically rewrite ACLs on PIXs, routers, and indeed Cats according to
> data from the IDS. So for example, if you were really paranoid (like we
> are), you could have PIXs as the first firewall, with IDS on the
> inside/DMZ etc. (using IDSM or standalone IDS), tie these together with
> Policy Manager, then, taking a further step into your network, a set of
> Nokia FW1 NG, along with further Nokia IDS solutions on the inside, tied
> together using the enterprise software!
-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63560&t=63560
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
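The failure modes the thread describes (an attacker spoofing a trusted host so the IDS shuns it for him, and a flood of spoofed sources growing the dynamic ACL until the firewall keels over) are easy to see in a small simulation. The following is an added example, not code from any poster or from the Cisco or ISS products discussed: it replays a constructed alert stream through a naive auto-shun responder and a hardened one that applies ingress anti-spoofing, a never-block list for the trusted host, and a hard cap on the size of the dynamic ACL. The address plan, interface names, signature names, the trusted partner address and the cap of 500 entries are all assumptions made up for the example.

```python
"""Added example (not from the thread): simulating an IDS auto-shun responder.

Two policies are run over the same constructed alert stream:
  naive    - every alerting source address is added to the block list
  hardened - ingress anti-spoofing, a never-block list for trusted hosts,
             and a hard cap on the number of dynamic ACL entries
All addresses, interfaces, signature names and the cap are assumptions.
"""
import ipaddress

# Assumed address plan for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PARTNER = "203.0.113.10"   # assumed external B2B host we must never cut off


class AutoShun:
    """Dynamic block list driven by IDS alerts (stand-in for ACL rewriting)."""

    def __init__(self, anti_spoof=False, never_block=(), max_entries=None):
        self.anti_spoof = anti_spoof
        self.never_block = {ipaddress.ip_address(a) for a in never_block}
        self.max_entries = max_entries
        self.blocked = set()     # the dynamic ACL
        self.events = []         # audit trail: (action, source, signature)

    def looks_spoofed(self, src, iface):
        # Anti-spoofing rule: an internal source address can never legitimately
        # arrive on the outside interface, so such an alert is noise, not a
        # reason to shun anyone.
        return iface == "outside" and any(src in net for net in INTERNAL_NETS)

    def on_alert(self, src, iface, signature):
        src = ipaddress.ip_address(src)
        if self.anti_spoof and self.looks_spoofed(src, iface):
            self.events.append(("drop-spoof", str(src), signature))
            return
        if src in self.never_block:
            # Alert, but leave the filter alone: an attacker forging this
            # address must not be able to lock the real host out.
            self.events.append(("alert-only", str(src), signature))
            return
        if src in self.blocked:
            return
        if self.max_entries is not None and len(self.blocked) >= self.max_entries:
            # Bounded ACL: refuse to grow and record that the cap was hit, so an
            # operator sees the flood instead of the firewall running out of room.
            self.events.append(("acl-full", str(src), signature))
            return
        self.blocked.add(src)
        self.events.append(("shun", str(src), signature))

    def permits(self, src):
        return ipaddress.ip_address(src) not in self.blocked


def build_alerts():
    """Constructed alert stream: (source IP, ingress interface, signature)."""
    alerts = [
        # 1. attacker forges the trusted partner's address on the attack packets
        (TRUSTED_PARTNER, "outside", "WEB-IIS unicode traversal"),
        # 2. attacker forges an internal address from outside
        ("10.1.2.3", "outside", "MS-SQL worm propagation"),
        # 3. a genuine external scanner
        ("198.51.100.7", "outside", "SCAN nmap TCP"),
    ]
    # 4. flood of one signature from 2000 distinct spoofed sources
    base = int(ipaddress.ip_address("100.64.0.0"))
    for i in range(2000):
        alerts.append((str(ipaddress.ip_address(base + i)), "outside", "SCAN nmap TCP"))
    return alerts


def run(policy):
    for src, iface, signature in build_alerts():
        policy.on_alert(src, iface, signature)
    return policy


def compare():
    naive = run(AutoShun())
    hardened = run(AutoShun(anti_spoof=True, never_block=[TRUSTED_PARTNER], max_entries=500))
    return {
        "naive_blocks_partner": not naive.permits(TRUSTED_PARTNER),
        "naive_acl_size": len(naive.blocked),
        "hardened_blocks_partner": not hardened.permits(TRUSTED_PARTNER),
        "hardened_acl_size": len(hardened.blocked),
        "hardened_acl_full_alarms": sum(1 for e in hardened.events if e[0] == "acl-full"),
        "hardened_spoof_drops": sum(1 for e in hardened.events if e[0] == "drop-spoof"),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The naive responder blocks the trusted partner on the first forged packet and ends up with 2003 ACL entries; the hardened one leaves the partner reachable, drops the forged internal source at ingress, and stops at 500 entries while raising 1501 "ACL full" events for the operator. Note what the hardened version does not fix: as Carroll's follow-up point says, the never-block exception makes the partner's address worth impersonating, and an ingress filter at your own edge cannot tell a forged external address from the real one. The exception only removes the lockout; keeping the attacker from using that address to get in needs something other than the source IP, such as authenticated sessions with that partner.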