Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Faults in Measuring Security Effectiveness



 By: Christian Stankevitz, CTO NSS Labs
2008-01-22
Article Rating:starstarstarstarstar / 6


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Astute buyers of IDS/IPS technology ask the critical question: "How can I tell if product X is really better than product Y for my purposes?"

The challenge that faced IT implementers throughout the history of intrusion prevention has been determining which IDS/IPS products are appropriate for a given environment. According to Christian Stankevitz, CTO of NSS Labs, every vendor claims that their product is better than the next in some material way.

The dizzying array of product features, numbers, anecdotal quotes, case studies and claims has left many buyers confused. Astute buyers of IDS/IPS technology ask the critical question: "How can I tell if product X is really better than product Y for my purposes?"

Independent testing should alleviate this confusion, assist with consumer product selection and augment vendor product improvement. That means that independent testers provide accurate, realistic metrics to IT decision makers.

Accurately Measure

Resource Library:

The only way to guarantee an accurate measurement of security effectiveness is to perform real-world testing, utilizing live exploits that attack actual hosts. In the early days of security product testing, this was performed by exploiting a small number of vulnerable devices that would compromise the target when executed from "attacker" hosts. This approach worked quite well for a while, but failed to scale as the combination of exploits and vulnerable targets exploded. Every time a system was exploited, it had to be rebuilt.

To provide sufficient testing of coverage without building an expensive infrastructure of exploits and vulnerable applications, testers began using "capture/replay" tools, an approach which records an exploit once and sends - or replays - it repeatedly. Testing products using capture/replay has become the mainstay of IDS/IPS security testing and so widely accepted that many vendors and independent test labs use these tools exclusively.

The Capture/Replay Problem

Unfortunately, using capture/replay technology for the purpose of measuring security effectiveness is a flawed approach. It is incapable of determining the real impact of partially mitigated exploits and in many cases the captures fail to include meaningful payloads. Often, meaningful exploit payloads are the difference between a functional exploit and harmless garbage. This presents a problem for all IDS/IPS products, as both sophisticated "protocol decoding" technology as well as some simpler exploit-based signatures can correctly determine that the replay (with no payload) is not a real attack.

Thus, it is impossible to determine which IDS/IPS device is functioning properly in a test and which is not since neither report the attack. Furthermore, the results of capture/replay tests are indeterminate because such tools cannot target real vulnerable servers to ascertain the impact of an attack. Just because an attack was partially blocked by an IPS doesnt mean that the targeted service didnt crash. Understanding the ability to mitigate the impact of the real threat is the only true measure of security effectiveness.

The Product Effect

Unfortunately, since 2005 nearly everyone has relied heavily on a relatively small number of capture/replay tools, while market dynamics emphasized speed and simplicity over detection accuracy. During 2007, several IDS/IPS engines have been observed to miss or "leak" exploits that were once caught, even though the IDS/IPS purportedly had the necessary signatures. The problem was not limited to old exploits. Some recent, well-publicized exploits were discovered to neither be detected nor mitigated by security products that purported to have coverage for these threats.

Seeing an isolated exploit sneak past an IDS/IPS is nothing new, but it has become relatively common to see double-digit percentage increases in exploits passing through several products from multiple vendors. It appears that some security product vendors have adapted their signatures to detect the traffic generated by popular capture/replay tools. Thus, these vendors have in effect "de-tuned" their signatures and degraded their protective capabilities in order to pass common lab test procedures.

Conclusion

It is time for a complete overhaul of IDS/IPS testing methodology. Capture/replay technology is of marginal value in a testing environment and must once again be replaced with real exploits targeting real vulnerable targets. Testing labs should provide environments with a large range of live host targets, complete with vulnerable applications, databases and operating systems. Live threats traversing live networks carrying live malicious code need to be used to measure actual product effectiveness and the real impact to these vulnerable systems. Real-world threat categorization and real-world testing methodologies must be implemented to get real-world results.

It is the responsibility of testing and certification organizations to provide this information in a manner which consumers can understand and apply to their specific needs.

Christian Stankevitz is the CTO of NSS Labs, the globally recognized leader in independent security performance testing and certification.





  Reader Comments: Faults in Measuring Security Effectiveness
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Christian Stankevitz, CTO NSS Labs
 


x}ks6*Q3{L=RJ64ԭRQ$$1H.I˩'o҃ldq2DFh4{$ W7-gJz)ٟ(O,zIj}ݻPCefAUM7 JԶO7RM3i /w[{#|6S%߽w *sR{€wɌZYZܗ>Q8&-Lb8&q'@G tuGѦ͂%HCxGu)tC(DHږyD6D'J;ߣ*c7 ݹx8/DeOXIYɼMcAq25A[h =k}|Ekw0Ni?@Sա*"U{Q5h"f3r- #wJ;uy D:v`,EOǮmfCc7PpmׇVKTq3}nـ[}@ݑ[sIVH)æ至בTBRp`åzS+z?Ķh{' ]u~Cocz^[uS]8!YYz(ji˜HJ6ԃC(p}=\'t, .E]fؖq[th(푦V* (GZPʍ#g}rL>-g`TzEÝ|k4;7:P)J7_HFc[wn ;ZIkP'AlH.;q@. X_d}+5*%`ZJG4/ ZHN׳Pw0 u{5(ƭ~㖯[FIS# ԏ40"ÌJ0~̢J9/s}utȰsr~|!|c%̠jPEf+52h^uܜ޼\st/O7rֿ&ݓYᓻ i fɗVkupsO|nan; dPp9L+pzҐ ?O:d[W/' MDO0dN`mY\H!-OT|Y|ԛE34 i[2)?m9Zut kUoU:_fT7oh2 4 ?]p a4fAt&&h)5?&ƮȚb.L2:~)mZ—W/(AK/-ڊ5|*(if);=^f&/\RB0p 3dT7,xM.Σfm՜Ӆ]WcMY㞖\zL[gu >~uLqJXx7Y`I-e`\\Է7ZORQ^Tr[h 32ud8԰1n҉âx?/(MtsϽ#|>7Ǻ㤞F!|Бd6mb8-ֹ" ,70}HwH1¤ wX$}ZcO6/| \a֜^5D4h-D&q@ qHhQ0|s0Y[s0(A` VGP/@X]7$(k6G~[>l0 Q|'sZ( 7^bS"# EEKy3@ $h-az.? ŊHHXVphTݞHpHT*esRأXB YX/E_R23#CdɬaX91{MfT`"[ᛥBKak`F^jI$M#AI\ZkTU>5BYQՙcMqNjr`!]gׅ.G0p#q"(02,Xhl:4E^Pw̽'SBh&H00UEEBf-4V(f ᠺ4S}52{B[`a s2q|}!I4/5+:~nMAV?Ry v|;pG9#rUϚX 5<9.&B#57SSښLqUuIYhJ U35 LGyG (.EF3wNl㜜;F]s;tO6/OZbxh6$U7oH_ƠR9ޮ R[kҁ K rW}aԵ DAn6\Z3,c l,>4AdNa:*)H3oݎ\1ĢfmL jrIȔm%yr~W4EiZZ/}sf8, J; H璉IJ5*3XSt'[B`VaNg43aJX6 ~DR^ 0kugfjE)jB4P/#[յ /S+wڶ{Ot]QG#Xڞ1Bz`_mpf^ GZ.L"AqA029*?/wtAp'\sW["LJ}#ݱe-7Nm*I-iۻ(Sg&;Ql˘@/𞆌)2`pIl_a@C^%)& s^a\FBk  ZCbP&ܜh@& aE"' :>s!a*7+ )Z;z^*k 9ɡUUR;*Z 8;z%^AAqQet5MQ:9r'~y89ͼoŹ1ftIi a^Jdw%UXY81f-1_0E /ÊTU5+i fR9!} leA{X~\W4Uud¹`Qеa=ECV8# H*7h6І{egjڋ˥u;OPd;Ђ#_?ڋ=-`"Kj3Uv~ie(#~~+ˣ φ '1>̍&k}TZ^R+{=m`7B[$ zLÈi{qņZ )J g˭H y V9y]%fZ+e1yYUzrujƵEd^xEętً*W2 wY|3RT R͋i 4O</ N$8УIשoQ!'܏r L|=|07Z7}pNNxT!"kq(n, #حwDN;QOI/07W$O04RۧNT%:@"#f.@C׳@.l̽qD#G_TUeD5ẹVY0Ce 4v=.Eڀݸ i&%lbbӧ[e7M#3:p7n-*~2sŹZ뼒RWGFXTM`U!TPԀO>xS_7)~|$DC9kmtae $NoڌTrTS+JJЛQC.%-;& veN6q%a?lͥg`kD?"B56J0uhzGSYIzQ\L cn/$h/ ސ!1Mu(@=6{]M茻h_n LS~u4M<+)p]v3>сh 0>0Rlʪ+> 2.izIR/s{@:Lpz]0{?H WuṚo{{7÷ GL)߭~*G9WIX5 ]Uj{_ seG\0BR1|ʢ'r UN7._VZQ(]HX9H(P+,rޏ'ɷonjC<: +A񷠐n)ɱ$>QkVR12a7ZTe73111u?|߻X?hueQj-bm+ =|Q+ t{tO燤}P:k ?Nn00N0N0+޿V LӀïRCR9"*uwh-6z_5ރ6 `i<~{D]Lp7ƽyjv/KElEh0Z< p 8ѿE#N Ws=An2HCO!yN.:FStk;d4)(gjcXc?$ >c -}ڹ̂1Ka՜4"^k=BSfamFp6[E_aݪ,d20!&)t~ăyE9 c@JA=o8.ڟY%$C[( 1teE/S)Q\(OYiL×&(L>+9Q_;Q(o9Kj}K_cOͲhXki-jշɫ؉|Ds`*=S!L QʕCr^Trq]4h$=ݟ;F`cIŃčN~ڑq eީӊN|mu +KׅNo-?ݑC5=ICw5FG2]3>^Y #}DK,qj;;_彠P.fsRɍeNiX:OUКkݮ" # Cӝ떃]L>Ibع&OsP+Ƃy :tD3(oY7۸{.zʜ(=!GzE>rF.Zҟ F=f/c_FݖyP1hng4lLSI")V5w7`\8%r +Txr1ϢI/nN (f~Z;pOʠ%cc}d}ݸw[f1vifoJP!Q>]awP;_zÞ6YiEu/K\-"Pn'ZY|Hז%0)7۴ rUCaMku,giƿ_J&[qVL|}zx|[qzJV_N\RGːus"15TTU'~w `-o9'O/VTh6XerAuӯ9u7fx|v-^-YXrcL2rW࡯rkN)#Kw2@[> Q3X>N](}dIȘNx(_BlCAW7AgYW-̑ j )ׄD=̟@%-r;-6|p,ub"Q2Iގ㯒mSHig5XR1f}tRwԦdV+Ľ1E#^zgl{z;N:tgXViWwDL<C%u9(z4ɝXs >ה{J?r,|oDA<,h;: ez6F $ oP⋯;z)דͣԎRA1jEz)1T!a:=͜IY)ݰ.On+xSwpI{a)#J%=6B)BQ( ˬEJ2@RI-M @d&ɹ R_*Xҕ@ H50Isp-H4YD.YB̔G#?/"J:Bؕ]UISeҫ J 0zHg̶sPbW֔Zi>q3- 0Ș!Kw.|)}gWwDUۖ˯ʼn" j[\nfM~\Kpx) pU0 IQaǞv oTWWoה)@x`p4π-Lp&i sx+J71EՇe\d猯K(=vAkWkmyx ^CQC u+u=ikJ A1'Ru0Ss;4eDDv9x&AVh2G@73@s«S%mں3Ccg 38V+7!sssswWKUʼn|q ЅG :)`QJu~ >S`8^(M٥ Le`pXD","`moަj_|e ږ\j~P^4:wKDR츸.g,sRD~$ }=| DY❝zK[M`ם΍TTUiKWx3-ER]Irm+IF\[度xQ! @xxN[`'y 9gh__4dj-9H̔):&1mYFC%HNjPtC# ĝ{eXz^+m`Lp$ |"$$I+a/@v@alɡm;RqLυՏ$ReoQG/8WS;w9zڮޖ#]6G{8D+?w}ħ;2(Pǫ>kAFUWK /aG)|6;  (oCpob䭽`=d??ߋ"?XsC ߋ. >I8O:5'-xUQ)./4{ $$yvg{">(7k/('>?Ʒ}W5>Yۏo,? b,n^L5|5ձ J =d e Q]ߣA\ۦ{maD_n|Qk"]PVôyRcWF%3z J 0 ;CX^qX3&I4uR_SS[ Zů[#rd! `,%o,"%xa ocquQ%'}(h#8YL˃s^z4jsϙTh,ZNt_\ĥpL1^4xAz)XBtIkb"Kd˘x1{BZ{Tes[ɧj*/ iT /k$O6ǣD^3#lzYC 'J/k&t];xVe j+Lt}^8Ow| e޼vO %YՙJ!]mݹ]絏ݸ!5fcߢf pl,cySqSXrȅm#dcZl3Lµ/A*d 8Iuק6:&̽OND0 K*i%V#/rCyQy׻SWVRer@Yq: #aZf=kʧv,T_Hz=ױ:ۭ=Tr^#0,6b)0J`|H>HP)%$Fv{-9yN 'g%}jپ îKLBLc 7ta  >x.5!o[I{m>8bKEh'&nUZtRtzzT["}Fsgy1~f:F碷' +Koa}o+ZKɶ8+.R)q2>sK?k0,Pљ2H ߷~mXTW"гj#t+nϪ5 M凄Lm W1ՔOZvN۠9IkטPt0TgL|xaj aV gfٝ7gr]}RA+oR[YS_D_-l)' t Mt=7W0OP|tTkVyKb?{r d+yiN&4Rx &ԛ[iӘ̥7a?= ϸ8#ǃ""ab+pD['ٍI䏖+62 1jLl/ut: ?s3 zxX2<.P_[EaxL񢋫#a= b/ˡ;/FЏ 'lI=R+^0wCE–2f.Pƪ/1M[>B$!iΒB?/חܐ}x\pjVdL4"&(qTik$<49࿿_LYsnOKZS3ld Dxd{.3))Ĵ&1CLD:5,ǰlFLN۞H< RǠY߽bbWoH$P +wdc&>b|9+=%GeCX ʏ(Jg "PV: ![C 5Dfjs# x_vƅfNÙ jEPf00apLoQؼO^Ĝ s+Ąf)u n9 :j@ g>򽉱0u9,2usx\fH֎_$Ѕ:x,@#!9ωya],#Yf:AaGP8Z  +z+uT'I]WH)9CȮ KƪZIP4SPwU2Qq%LSz% %uW0`A i2ag4t\K -C? &a@}lFLÙ܎r,WWYuC'ݫaI;|isym2_T -Q9l:NYPʹ`Sgʵ,%E:wFU 3Dcqy^ <;Ϣ;xRv qNi|fc}zz |j%g5>;ٙK_-fyP`Q_1CP܄qP b:!_v Ȥou9@/9B9P~ )Cy?9}hp)?g@\~-λ˻V4eN9A \~/r.ǜA{9^|o/=O/>=/=^?{92zˏP1s)Ay/2g|/A~.s2g?>~~+r޿!0l.!>BǼrǜ}}̡   M:Iʙ#g+\8JW ~TA__y+%YNysYU~vïUX^йZ**o#Uߧw2~2A^O aqʍz^S_yڙ떽pLڭe]9H+G{1:,ybI_zHGW4:<)X9vFnmeIbARX&)¹'ݞރ}r mG[0Р_tN>\woҹl_;졳7K쓭?M}f`ͽTV)pF;F,R+|c ,>xOa4D=SHNWnޓ97M]w n &)xT-kZYoZԪ0lFx@Dd1| ̈ɪ"+uW9 8]V*J0XR^9Q(Fuo*K0njE=u̐ga0V1;B&\Cx'«)2dof2EaSOCt8cokx;r$I ?,(s[^Fel\BcVyxaFV,hcť 6%bn1vu¿.г.p] ? 3ɕBy ĪG9ШsSwˡB~22VH'5o{鬙B΄[6пC9s%(M W 5t0@2nu–1*F;B.^!ɉz-Cw`bʜcM^`˫E0H0xI{#mX<ap[b2 Bj`̃`wژq%xL´kLK]mĴjdG[[zhR,h`Erl9GuZ#Q8ۈqdA(we6Lm (~%.,.aWe.B. s@e8>cc>m=]wvl#kCu7ВsO^!M:5p fB~nzTǓxY'N*Maџ eFx˟%41/ Y<;E񼡌s2x Lx E6' ٵA/xv/G&`ceGrh`=G(QO,D*9"[Io %Q9@EikI/?I3軉Wd쥽%}Yq v.}xFʫu\z$rnR'9"% oPm<% *`>=.X&";>6Lp>Τ=A>XY#r=˜3J1Д8v2#OA+r ӏe[ O2Cڰ24ywخ;Oq^gt#>&rd{Go/UcHPWׁݞV /Xo} 8jO.dp.!XscQ%7` },7ܨNGQeVb0yM&}0uGĶrCR4oUpwRv K ?93r(@P 91^"uz ?;<v7c fk_2we>vį-ǬyvJ~S O3й?-R/de;͌: ,{QFbNsh݆GO0ޏq۷PV|@xSa O{:psz26  Ѩip[TUDgnns^+37k{.**kW46* <򧤝9mo@>1[?܋ϑ{ʾ 6^f+9uRɴ{m epCikZ+ (DqS XǢVWITR6!;دk`4bV@P1,Ə,oԟÌ'TS*4.v>ϝn<^eODNű<<Sf}')VSL_X1X_<|:L+`ʢ