Intrusion Detection recommendations

J. Oquendo joquendo at e-fensive.net
Fri Feb 13 21:42:38 UTC 2015


On Fri, 13 Feb 2015, Rafael Possamai wrote:

> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.
> 

The alternative is to understand what his network does,
what it was designed to do, and what he needs it to do. The
end solution (IPS, IDS, ASA, whatever you want to throw in)
should be just that, an END solution once he has taken the
time to assess risk. This is a concept many miss. As for
"testing" ...

So you own a house, you hire an assessor to analyze your
property, write a report for you on your vulnerabilities.
"You have 12 windows. OMFG Someone can break one of those
windows and steal your family jewels!" Vendor gets paid
and leaves you with a headache. 12 windows? So what...
Behind those windows is a rabid pitbull I never feed.
Wanna take a chance to break in?

Pentest... "So you own a house, same windows, now you're
paying someone to get in." Let me tell you how pentesting
fails. Pentesting fails because most companies get all
bent out of shape based on Internet history of systems
and applications crashing from a simple network scan.
Ask your next pentesting client (if this pentesting is
your primary function) to allow you to perform a no-holds
barred pentest including social engineering. You'll get
the deer in headlights look. I discussed this recently
with a client who wanted to be snarky: "Oh you'll never
get in my systems" and I decided to inform him about
reality...

Reality: Hardcore attackers are NOT charging down the
castle road with a log trying to break down the castle
wall. They're sending client side attacks (phishing
emails, waterhole attacks). It's more cost effective for an
attacker to do this versus trying to defeat the router,
the switching with all its VLAN glory (that gets VLAN
hopped), the L7 firewalls, the load balancers, the IPS,
and then the IPS. It's useless, noisy, and just not cost
effective when you think about it.

IPS, IDS does little because they're RARELY applied in a
proper fashion. As for tinkering, geekiness. If you can't
at least wrap your head around the concept, then I don't
know why you'd want to be on this list. Further, IPS/IDS
is better suited to be inverted (Extrusion Detection) as
you WILL NEVER (CAN NEVER) stop someone from knocking on
your door. So you block every APNIC block thinking "Phew
I just blocked 100% of APTs" until you get whacked from a
hosting company in the US. What have you accomplished?

On the EXTRUSION side of the equation, knowing your
network, and how it works makes more sense. Your focus
gets shifted to the following logic: (rule) SHOW ME
ANYTHING LEAVING MY NETWORK THAT IS OVER 1MB ON A 
SUNDAY MORNING 2AM ... This anomaly means a hell of a lot
more than watching all of the internet trash that will hit
your door (egress ifaces).



-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
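The extrusion rule the post ends with ("show me anything leaving my network that is over 1MB on a Sunday morning 2AM") as runnable detection logic over a few constructed flow records. This is an added example, not code from the post or from any tool the author uses; the record format, the internal prefixes, the 1,000,000-byte threshold and the Sunday 00:00-06:00 UTC window are assumptions made for the example. It also goes one step beyond the post's one-liner with a per-host total, since the same volume split into many small flows slips past a per-flow threshold.

```python
"""Off-hours egress volume rule over constructed flow records.

Added example, not code from the original post. It turns the rule quoted
above ("show me anything leaving my network that is over 1MB on a Sunday
morning 2AM") into something that runs over flow records. The record
format, the internal prefixes and the Sunday 00:00-06:00 UTC window are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Assumed internal address space (not stated in the original post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD_BYTES = 1_000_000            # "over 1MB"
OFF_HOURS_WEEKDAY = 6                  # Sunday (datetime.weekday(): Monday == 0)
OFF_HOURS_START, OFF_HOURS_END = 0, 6  # 00:00-06:00, which covers "2AM"


@dataclass
class Flow:
    ts: datetime   # timezone-aware, UTC
    src: str
    dst: str
    nbytes: int


def parse_flow(line):
    """Parse one constructed record: '<ISO8601 UTC> <src> <dst> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(when, src, dst, int(nbytes))


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_egress(flow):
    """Internal source talking to an external destination."""
    return is_internal(flow.src) and not is_internal(flow.dst)


def in_off_hours(ts):
    # The post's "Sunday morning 2AM" is presumably local time; this example
    # evaluates the window in UTC, so adjust the window for a real deployment.
    return ts.weekday() == OFF_HOURS_WEEKDAY and OFF_HOURS_START <= ts.hour < OFF_HOURS_END


def flag_large_egress(flows, threshold=THRESHOLD_BYTES):
    """Per-flow form of the rule: single egress flows over the threshold."""
    return [f for f in flows if is_egress(f) and in_off_hours(f.ts) and f.nbytes > threshold]


def flag_egress_by_host(flows, threshold=THRESHOLD_BYTES):
    """Per-host form: total off-hours egress per internal source. Catches a
    host that moves the same volume in many small flows, which the per-flow
    form misses."""
    totals = defaultdict(int)
    for f in flows:
        if is_egress(f) and in_off_hours(f.ts):
            totals[f.src] += f.nbytes
    return {src: total for src, total in totals.items() if total > threshold}


# Constructed sample records (2015-02-15 is a Sunday; 2015-02-16 a Monday).
SAMPLE_LINES = [
    "2015-02-15T02:13:07Z 10.1.4.22 203.0.113.9 58000000",    # large egress, Sunday 02:13
    "2015-02-15T02:14:30Z 10.1.4.22 10.1.9.5 90000000",       # internal to internal
    "2015-02-15T02:20:00Z 198.51.100.7 10.1.4.22 120000000",  # inbound, not egress
    "2015-02-15T02:21:00Z 10.1.4.23 203.0.113.9 600000",      # under threshold alone
    "2015-02-15T02:27:00Z 10.1.4.23 203.0.113.9 600000",      # ... but 1.2MB with the one above
    "2015-02-16T14:05:00Z 10.1.4.22 203.0.113.9 58000000",    # Monday afternoon: outside the window
    "2015-02-15T05:59:59Z 192.168.7.3 198.51.100.7 1000001",  # just over 1MB, end of window
]
SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for f in flag_large_egress(SAMPLE_FLOWS):
        print(f"per-flow  {f.ts.isoformat()} {f.src} -> {f.dst} {f.nbytes} bytes")
    for src, total in sorted(flag_egress_by_host(SAMPLE_FLOWS).items()):
        print(f"per-host  {src} sent {total} bytes off-hours")
```

On the sample data the per-flow rule fires on two records (the 58MB transfer and the one just over 1MB), while the per-host total additionally surfaces 10.1.4.23, which sent 1.2MB as two flows that were each under the threshold. The inbound 120MB flow is ignored entirely, which is the point of looking at the egress side.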



More information about the NANOG mailing list