Tuesday

NIDS Limitations

NIDSs that rely upon signatures must constantly update the signature database. Obviously, pure signature-matching NIDSs will not alert on attacks for which they have no signature. If signature definitions are too specific, signature-based IDSs may miss variations on known attacks. (A common technique for creating new attacks is to modify existing attacks.) Signature-based NIDSs can also impose noticeable performance problems on systems when numerous attack signatures are matched concurrently. Additionally, signature-based NIDS inspection can be evaded. Secure Networks showed in 1998 that attacks which exploit fundamental TCP/IP problems—insertion, evasion, and denial-of-service attacks—are able to elude NIDS detection. Dan Kaminsky recently showed he could send a series of fragmented packets to a NIDS that, based on the time and the operating-system platform at which they arrive, reassemble into an attack for that platform that is not recognized by the NIDS.
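The point about over-specific signatures is easy to see with a small matcher. The example below is added here and is not code from the original post; the signature, the request lines and the hypothetical `/cgi-bin/example-probe.cgi` path are all constructed for illustration. It compares a byte-for-byte signature against the same signature applied after normalising the request (case folding, percent-decoding, collapsing repeated whitespace and slashes), which is the usual engineering answer to the "too specific" problem.

```python
"""
Added example (not from the original post): an exact-bytes signature
misses trivial rewrites of a known request; normalising the traffic
before matching closes most of that gap. All signatures, paths and
request lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# A deliberately over-specific signature: the exact bytes of one known
# probe request (hypothetical path, not a real tool).
EXACT_SIGNATURES = {
    "cgi-probe": "GET /cgi-bin/example-probe.cgi HTTP/1.0",
}


def normalize_request(line):
    """Canonicalise an HTTP request line so trivial rewrites compare equal:
    percent-decode twice (catches double encoding), collapse runs of
    whitespace, lower-case everything, and collapse repeated slashes."""
    s = unquote(unquote(line))
    s = re.sub(r"\s+", " ", s).strip().lower()
    s = re.sub(r"/{2,}", "/", s)
    return s


def match_exact(line):
    """Pure substring matching: only the literal signature bytes fire."""
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in line]


def match_normalized(line):
    """Match the normalised request against the normalised signature."""
    norm = normalize_request(line)
    return [name for name, sig in EXACT_SIGNATURES.items()
            if normalize_request(sig) in norm]


# Constructed request lines: the original probe, three trivial variants
# (case change, percent-encoding, extra whitespace and slashes), and one
# benign request that must not match either way.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/example-probe.cgi HTTP/1.0",
    "GET /cgi-bin/EXAMPLE-probe.cgi HTTP/1.0",
    "GET /cgi-bin/%65xample-probe.cgi HTTP/1.0",
    "GET  /cgi-bin//example-probe.cgi  HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def coverage(matcher):
    """Count how many of the sample request lines a matcher flags."""
    return sum(1 for r in SAMPLE_REQUESTS if matcher(r))


if __name__ == "__main__":
    print("exact-bytes signature flags:", coverage(match_exact), "of 5")
    print("normalised signature flags:", coverage(match_normalized), "of 5")
```

The exact matcher flags only the original line; the normalised matcher flags the original and all three variants while still ignoring the benign request. Normalisation is not free, which is the other limitation the paragraph raises: every decoded and rewritten request costs CPU before any signature is compared, and a canonicalisation that is too aggressive starts producing false positives of its own.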

Honeypots and Honeynets

A honeypot is a computer system that is shielded from the Internet by a router or firewall that is transparent to an attacker. The honeypot masquerades as a normal undefended system, yet it logs every action taken against it and every operation that is performed on it. The goal of a honeypot operator is to lure an attacker into hacking the system in hopes of learning all of the details of the attack. A honeypot is a system designed to illustrate the methods used by black-hats to probe for, and exploit, a system. Honeynets are networks that contain at least one honeypot. Typically, honeynets present a virtual network complete with virtual services and applications that look to an attacker like a real network.
Honeypots and honeynets are learning tools, and can also be useful as canaries (canaries were used in mines to provide an early warning to miners if air conditions turned sour). Unlike NIDSs and HIDSs, where false positives are a common nuisance, honeypots and honeynets, if configured correctly, do not have a measurable false positive rate. Honeynets are often configured so that their IP space resides within unoccupied IP space in an organization’s internal network. In this configuration, anything that hits the honeynet is either an attack or a precursor to an attack since this IP space is supposedly unused. In its canary role, a honeynet can provide an early warning of a virus or worm attack.
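The canary role described above reduces to one rule: any flow whose destination lies in address space the organisation has not assigned is worth an alert. The example below is added here and is not code from the original post; the dark-space subnets, the flow-log format and the log lines are all constructed. It flags sources that touch unassigned space and separately labels a source that sweeps several dark addresses, since that pattern is the worm or scanner behaviour the paragraph has in mind.

```python
"""
Added example (not from the original post): treating traffic into
unallocated internal address space as a honeynet canary. The subnets,
log format and log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: internal blocks that are NOT assigned to any host. No
# legitimate flow should ever be addressed to them.
DARK_SPACE = [
    ipaddress.ip_network("10.10.50.0/24"),
    ipaddress.ip_network("10.10.60.0/23"),
]

# Constructed flow log in a minimal "timestamp src dst dport" format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.10.1.15 10.10.2.40 445
2024-01-01T10:00:02 10.10.1.15 10.10.50.1 445
2024-01-01T10:00:02 10.10.1.15 10.10.50.2 445
2024-01-01T10:00:03 10.10.1.15 10.10.50.3 445
2024-01-01T10:00:09 10.10.3.7 10.10.61.200 22
2024-01-01T10:00:10 10.10.4.9 10.10.2.41 80
"""


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def is_dark(addr):
    """True when the address falls inside unassigned (dark) space."""
    return any(addr in net for net in DARK_SPACE)


def canary_hits(log_text):
    """Return {source: [(ts, dst, dport), ...]} for every flow whose
    destination is in dark space; all other flows are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if is_dark(dst):
            hits[str(src)].append((ts, str(dst), dport))
    return dict(hits)


def classify(hits, sweep_threshold=3):
    """Label each offending source: 'sweep' when it touched at least
    sweep_threshold distinct dark hosts (scanner/worm behaviour),
    otherwise 'touch' (a single stray contact worth a look)."""
    labels = {}
    for src, flows in hits.items():
        distinct_dsts = {dst for _, dst, _ in flows}
        labels[src] = "sweep" if len(distinct_dsts) >= sweep_threshold else "touch"
    return labels


if __name__ == "__main__":
    hits = canary_hits(SAMPLE_LOG)
    for src, label in classify(hits).items():
        print(f"{src}: {label} ({len(hits[src])} flows into dark space)")
```

On the constructed log, 10.10.1.15 is labelled a sweep (three consecutive dark hosts on port 445) and 10.10.3.7 a single touch; the two flows between assigned hosts produce nothing. The paragraph's "supposedly unused" is the operational caveat: before treating a hit as an attack, confirm the address really is unassigned, because a mistyped static address or an overlapping DHCP scope will trip the same canary, and that is the one way this detector does acquire a false-positive rate.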