Interview with a security professional - Ron Gula

Networking/Security Forums -> News // Columns // Articles

Author: alt.don    Posted: Tue Nov 15, 2005 4:05 pm    Post subject: Interview with a security professional - Ron Gula
    ----
In our continuing series of “Interview with a security professional” we have the pleasure of having Ron Gula of Tenable Network Security answer some questions for us.

Question

Do you feel that IDS technology has improved much in the past ten years?


Ron’s answer

The technology that is deployed now is much more advanced than it was ten years ago, but the actual technology hasn’t changed much. Some of the “speeds and feeds” have changed significantly, such as multiple gigabit NIDS, but the actual algorithms and techniques, even the “behavioural” stuff, are much older than ten years.

Question

Within the industry today there seems to be some rather dubious claims being made by some computer security appliances. Do you feel that the computer security industry would be well served by having a regulatory body?


Ron’s answer

As an industry, we name things really poorly and then market the heck out of them. Consider that the “wired equivalency protocol” is anything but a wired line. Terms like “intrusion detection”, “behavioural analysis” and “hardened appliances” are very deceiving. A regulatory body wouldn’t help much, as there are so many different applications and threat models for network security that we often have an apples-to-oranges comparison. What we need are smarter people, and people who spend more time worrying about their businesses than about the latest security technology, certification or compliance issue.

Question

There have been several client sites that I have been to where the IDS/IPS/… is only collecting dust. The reason given to me for this is that the in-house staff could not understand the output. Should vendors take a more active role in educating their customers about their newly purchased products?


Ron’s answer

Most IDS/IPS/… vendors have very good training, consulting and support offerings. However, most organizations don’t have more than a handful of IDS/IPS/… experts. If these people leave, running one of these products is not a skill that someone just picks up. Even if you understand the basics of a particular type of IDS/IPS technology, understanding a certain vendor’s or open source project’s terminology, architecture and capabilities is not easily done. This also influences outsourcing to MSPs.

Question

What would be your primary design considerations, were you to code another IDS from scratch?


Ron’s answer

Ha! It would look much like what we’re shipping from Tenable today. We’re definitely not in the network IDS business, but as someone “on defense” I’m a lot more comfortable centralizing all my vulnerability, asset, log, netflow, sniffer, etc. data along with events from whatever NIDS is in use (there are still lots of Dragons out there) for both the big picture and real-time alerting when something bad happens.

If I were to do another product, I’d take a stab at more of a commodity product or service. Possibly something that can be sold at CompUSA or on eBay.

If I were doing an IDS, I’d focus on actually detecting intrusions and not so much intrusion attempts, like scans and probes.

Question

In some of the client sites that I have been to, the customer has always looked to an appliance to be the magic cure-all. There are many other steps that can be taken to harden one’s network. Could you list a few that are off the beaten path, i.e. not the normally quoted ones? I always suggest taking weekly/monthly packet audits to root out spyware and p2p, for example.


Ron’s answer

I’m a big fan of centralized and realistic network management. If you have a process that discovers and removes machines, servers, applications and equipment which are not supposed to be there, you dramatically reduce the number of potential attack paths an adversary can exploit. As boring as it sounds, organizations that can create a culture of change management do tend to have higher uptimes and availability on their servers as well as a lower incident rate.

Question

Being the creator of an IDS yourself, would you say it is accurate that most vendors write rather loose signatures? Would it not make more sense to write one to be as accurate as possible, i.e. port numbers used, ASCII/hex strings, and the like?


Ron’s answer

This is a really tough call. The more accurate you make an algorithm, the less chance you have for that algorithm to detect a variation of the attack. A good approach that almost all IDS vendors take is that when some exploit gets posted, they write two types of signatures: one to detect that exploit and one to detect a more generic exploit of the vulnerability. If you are too generic, then when you actually have an exploit detected, there is no context, so it’s difficult for an end user of a NIDS to figure out if they have a zero-day worm or just some non-RFC-compliant application.
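The trade-off Ron describes, as an added illustration that is not part of the interview or of any Tenable product: two toy signatures for a constructed text protocol (the protocol, its assumed 64-byte USER limit and the sample payloads are all made up here). The exploit-specific one supplies context but misses a variant; the vulnerability-generic one catches the variant but fires just as readily on a harmless, non-compliant client.

```python
import re

# Constructed traffic for a fictitious line-based "FOO" protocol. The server
# under discussion is assumed to hold the USER argument in a 64-byte buffer.
PUBLISHED_EXPLOIT = b"USER " + b"A" * 300 + b"\x90\x90\x90\x90" + b"\r\n"
VARIANT_EXPLOIT = b"USER " + b"B" * 300 + b"\xcc\xcc\xcc\xcc" + b"\r\n"
BENIGN_LONG_USER = b"USER " + b"x" * 120 + b"\r\n"   # sloppy but harmless client
NORMAL_LOGIN = b"USER alice\r\n"

# Exploit-specific signature: the exact filler and trailing bytes from the
# (constructed) posted exploit. Precise, so the alert carries real context.
SPECIFIC_SIG = re.compile(rb"^USER A{300}\x90\x90\x90\x90\r\n")

# Vulnerability-generic signature: any USER argument over the assumed
# 64-byte limit. Catches variants, but cannot tell exploit from bad client.
GENERIC_SIG = re.compile(rb"^USER [^\r\n]{65,}\r\n")


def classify(payload: bytes) -> dict:
    """Report which of the two signature classes match one payload."""
    return {
        "specific": bool(SPECIFIC_SIG.match(payload)),
        "generic": bool(GENERIC_SIG.match(payload)),
    }


def alert(payload: bytes) -> str:
    """Turn the matches into the alert an analyst would see.

    A specific hit is high confidence. A generic-only hit is exactly the
    ambiguous case Ron describes: a variant, a zero-day, or just a
    non-RFC-compliant application; the signature alone cannot say which.
    """
    hits = classify(payload)
    if hits["specific"]:
        return "KNOWN-EXPLOIT"
    if hits["generic"]:
        return "POSSIBLE-EXPLOIT"
    return "CLEAN"


if __name__ == "__main__":
    for name, pkt in [("published", PUBLISHED_EXPLOIT), ("variant", VARIANT_EXPLOIT),
                      ("benign-long", BENIGN_LONG_USER), ("normal", NORMAL_LOGIN)]:
        print(f"{name:12s} {classify(pkt)} -> {alert(pkt)}")
```

Running it shows the variant and the sloppy client both land in the same POSSIBLE-EXPLOIT bucket, which is the lack of context the answer warns about.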

Question

Do you see businesses totally replacing wired networks for wireless in the not-so-distant future, and do you see an inherent unresolved security issue in doing so?


Ron’s answer

I don’t see a total replacement. I have seen some companies switch over parts of their staff to “broadband wireless” and force everyone to come in through a VPN. The reality though is that most large enterprises face some combination of connecting geographically dispersed people with services which are outsourced, on an internal network or provided generically such as “internet” access. Each of these has various threat models, authentication models, mobility requirements and so on.

Question

Do you see the current trend of hyping “anomaly detection” as a fad, seeing as they are mostly signature-based anyway?


Ron’s answer

I’ve enjoyed the signature vs. anomaly debate. In the end, they are both algorithms and if the bad guy knows your algorithms, he will beat you.

Question

Would you say that intrusion prevention systems are effective in their present state, as there are many claims of attacks (specifically attack fragmentation) going undetected?


Ron’s answer

Most IDS/IPS will keep out the basic attacks, but if you have an adversary who wants to break in and does not want to be detected by common IDS/IPS solutions, they will. There are many ways that a specific attack can be masked so that it isn’t brought to the awareness of the human, but there are also lots of things a defender can do to make this more difficult. IP fragmentation is definitely an issue, but large amounts of fragments may not occur at all on a modern network and could be a clear indicator of a DoS or an attack. Also, the fragmentation issue is handled rather well by inline devices which simply drop fragments or try to rebuild them. There are attacks against those as well.

From a network point of view, I am more concerned about the attacks over IPv6, SSL, SSH, etc. which are difficult to see when they are encrypted.

Question

Were you to recommend one programming, and one scripting language to learn for the computer security professional what would they be, and why?


Ron’s answer

Any is fine, but it is more important that people who are in the business of securing computers be comfortable with the technology they are securing. If you are in charge of securing Cisco routers, you should be comfortable enough with them that you don’t look like an idiot when you tell the router jockey to reconfigure the routing table. If you are making patching recommendations in a Microsoft shop, you should be familiar with their patching process. Too often security people are detached from the reality of running a network. Knowing what it takes to run a network can help to make security recommendations which will actually be implemented.



On behalf of the membership and myself I would like to extend thanks to Ron Gula for taking the time to provide some really interesting answers.

This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
