Thursday, December 9, 2010

Intrusion detection

I have an aversion to intrusion detection systems. Not because they aren’t a useful tool, but that they usually get in the way more than they help. I speak more of application layer intrusion detection systems that attempt to weed out URLs and sites that might contain malicious content. BYU’s new Cisco IDS is a resounding example of one that gets in the way. I used to have a job as a developer in one of the colleges on BYU campus. There were a few applications that had been written or purchased in the past that were loaded with SQL injection and XSS vulnerabilities that we had to support. Not a big deal, we just kept them isolated on their own VMs running in an environment with very limited privileges. We eventually installed the mod_security Apache module, which is an IDS system that is supposed to stop SQL injection and other malicious attacks by analyzing the text of the incoming and outgoing requests. My biggest problem with it was that it created more problems than it was fixing. We tried putting it in front of a content management system we had, but with so much free-form text being submitted to it, it was killing sessions left and right. I eventually went in and turned it off, to the dismay of those who set it up. I think the idea was good, but the fact that we were relying on it to correct bad software design was not.

My point in telling this story is to point out that IDS systems are hard. They don’t make a good substitute for bad software, but I think they are useful in weeding out the viciously malicious. If IDS systems could be trained to know what is good traffic and what is bad, I think they could be beneficial. That also means that they’d have to be trained specifically for each application they were protecting. It would be an interesting area of research.
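As an added example, not code from the original post: a toy comparison of a generic, application-agnostic signature rule (written here in the spirit of a mod_security SQL-injection rule, not copied from any real ruleset) against a per-parameter profile learned from the application's own benign traffic. The sample requests, the parameter names `id` and `body`, and the regular expression are all constructed for the illustration.

```python
"""Generic signature rule vs. a per-application learned profile.

Constructed example: the traffic below is made up and the rule is a
simplification in the spirit of a mod_security SQL-injection signature,
not a copy of any real ruleset.
"""
import re
from collections import defaultdict

# A generic, application-agnostic signature. Anything matching is blocked.
GENERIC_SQLI = re.compile(
    r"(?i)(\bunion\b.*\bselect\b"        # UNION ... SELECT
    r"|\bor\b\s+\d+\s*=\s*\d+"           # OR 1=1
    r"|'\s*or\s*'"                       # ' or '
    r"|--"                               # SQL comment
    r"|\bselect\b.*\bfrom\b)"            # SELECT ... FROM
)


def signature_flags(params):
    """Parameter names a generic signature rule would block."""
    return [name for name, value in params.items() if GENERIC_SQLI.search(value)]


class ParamProfile:
    """What one parameter looked like in benign traffic: its alphabet and size."""

    def __init__(self):
        self.alphabet = set()
        self.max_len = 0

    def learn(self, value):
        self.alphabet.update(value)
        self.max_len = max(self.max_len, len(value))

    def anomalous(self, value, slack=1.5):
        # Flag characters never seen for this parameter, or a value far
        # longer than anything seen during training.
        return bool(set(value) - self.alphabet) or len(value) > self.max_len * slack


class AppProfile:
    """Per-application model: one ParamProfile per request parameter."""

    def __init__(self):
        self.params = defaultdict(ParamProfile)

    def train(self, requests):
        for req in requests:
            for name, value in req.items():
                self.params[name].learn(value)
        return self

    def flags(self, params):
        # Parameters the application never used in training are flagged too.
        return [name for name, value in params.items()
                if name not in self.params or self.params[name].anomalous(value)]


# Constructed benign traffic for a hypothetical CMS comment form:
# a numeric "id" and a free-form "body".
TRAINING = [
    {"id": "17", "body": "Great write-up! I'd select this one -- it's the best from the bunch; thanks."},
    {"id": "42", "body": "Nice article. Can someone explain the 'or' clause? Union of 1 = 1 (true)..."},
    {"id": "8",  "body": "Select the list you want, or leave it blank, then post."},
]
PROFILE = AppProfile().train(TRAINING)

# Constructed test requests.
LEGIT = {"id": "42", "body": "Nice post -- or not? Select the 'best' one from the list..."}
INJECTED_ID = {"id": "42 OR 1=1", "body": "ok"}
INJECTED_BODY = {"id": "42", "body": "x' or 1=1 --"}


def compare(params):
    """(what the generic signature blocks, what the trained profile blocks)."""
    return signature_flags(params), PROFILE.flags(params)


if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("injected id", INJECTED_ID),
                       ("injected body", INJECTED_BODY)):
        sig, prof = compare(req)
        print(f"{label:14} signature blocks {sig or 'nothing'}, profile blocks {prof or 'nothing'}")
```

The generic rule blocks the legitimate free-form `body` (the "--" and "select ... from" in ordinary prose), which is the session-killing behaviour described above; it even blocks two of the three benign training requests. The trained profile leaves `body` alone while still catching the injected numeric `id`, because that field never carried spaces, letters or "=" in benign traffic. The limitation is visible in the last case: an injection carried in a field that legitimately holds arbitrary text looks no different to the profile, which is exactly why an IDS cannot stand in for fixing the application.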
