I researched the topic. Here are my notes. Please do disagree with me if you have good points, happy to stand corrected and learn.
IDS from the point of view of an end user, not server.
IDS can be compared with antivirus.
- like antivirus -> also increases attack surface
- like antivirus -> also increases attack surface
An IPS is like an IDS but with the added feature to block the attack.
threat model dependent:
- A Windows user with no clue: Should use antivirus. They employ lots of insecure practices anyhow (not checking software signatures, closed source software, no VM level compartmentalization, Windows) so that the extra attack surface of the antivirus is negligible. On balance it adds more good than harm.
- A security conscious linux user: added attack surface by antivirus is non-negligible so on balance not worth it.
antivirus increasing attack surface:
- It’s not a theoretic argument.
- Download of signatures without verification. (ref)
- Weakening security of TLS. (ref)
- Introducing memory corruption exploits. (ref)
server vs client:
- IDS / IPS seems to make more sense for servers
Are there any linux malware scanning gateways? Ones that are Open Source? Ones that can also inspect TLS encrypted traffic? And not creating a mess due to TLS inspection?
the combination issue:
- one cannot encrypt ones traffic and at the same time DPI / IDS scan it
- one cannot torify ones traffic and at the same time DPI / IDS scan it
How do corporates do it:
- doesn’t apply to us, because
- they have policies “this browser only, this mail client only, no Skype, no Tor, etc.”
- block encrypted unknown traffic (ssh, etc.)
network based -> more for company based policy enforcement
-> we have more traffic today? -> someone using skype / torrent / emule?
-> configure a set of legitimate services and block the rest
-> conflicts with end users wanting to do whatever they want
the lone wolf issue:
- doesn’t help to have super entropy for oneself while no one else has poor entropy
- very very few people seem to decrypt and then IDS scan their traffic using Open Source
– therefore no signatures for Malware that is using encrypted traffic
- do we want to trust closed source to scan all our decrypted traffic?
How effective is the malware detection of IDS signatures vs antivirus signatures?
- The days for DPI are counted - more and more encryption is being used everywhere.
- Encryption defeats DPI.
TLS Inspection issue:
- man-in-the-middle encrypted SSL traffic so IDS / IPS / DPI can check it:
- there are no general solutions to mitm ones’s own traffic
– encryption is done on the application level
– so a generic solution on the network level does not exist
- only specific solutions exists
– there are mail gateways (for pop, smtp, imap)
– browser mitm might work (install SSL CA certificate)
– mitm against arbitrary applications (everything that is not a browser) is hard
- DPI / mitm against torified traffic
– no easy way to DPI Tor - it is anti DPI
- some do not work with modern ciphers, diffie-hellmann and perfect forward secrecy (PFS)
- do these even work for domains that use key pinning such as google?
From a ccc speech.
TLS interception considered harmful
- lots of TLS vulnerabilities lately (crime, heartbleed, poddle, etc.)
- one needs to stay on top of TLS developments, browser vendors do, TLS inspectors don’t
- current TLS inspectors don’t, and replace a good TLS stack with a weaker TLS stack
- enterprise TLS solutions are as bad as forgetting to run integrity checks
a new TLS inspector with a sane design:
- should re-use same code as modern browsers?
- invent TLS secret leakage to IDS protocol
volunteer IDS / DPI scan of torified traffic
- in theory one could modify Tor to voluntarily safe the clearnet traffic and send them to the IDS for inspection
- but rather than depending on that complicated solution, we could as well as just run the IDS on the same machine (adds IDS attack surface)
first IDS scan in one VM, then forward to another VM to to torify:
- breaks Tor stream isolation (because it needs help by the application layer)
network based vs host based virus scanning
- [A] scan inside VM -> easier to scan -> vulnerable to antivirus being disabled
- [B] scan traffic outside of VM -> harder to scan (traffic only, no file activity, encrypted traffic issue)
virus scanning VM:
- A new invention idea…
- Could a Qubes (non-networked) VM get special access the read the whole RAM and disk of another VM to virus scan it?
- That would combine the advantages of [A] and [B].
Open Source antivirus:
- clam av -> no serious detection rates
- serious antivirus -> closed source -> with root/kernel rights -> risk
- do we want to decrypt our traffic so a commercial scanner can check it?
mail scanning gateway -> most useful to protect windows computers
detect automated attacks (mostly against Windows) and see how these fail? -> just noise
detect attacks by advanced adversaries? -> no IDS can do (like no antivirus can do)
detect tailored attacks? / detect new malware (heuristic) -> probably not using Open Source, there are no good antivirus scanners for linux so probably also no IDS (which is even harder)
hosted based IDS
- alert “we have more traffic than usual” -> installing new template?
- alert “we have more CPU usages than usual” -> running a new game?
–> not very useful
av-comparatives - backtest antiviurs heuristics
IDS from the point of view of an end user, not server conclusion:
- default should be recommended against, for the same reason we recommend against antivirus
- improvement is possible
- sane, Open Source TLS inspectors, effective Open Source antivirus scanners and perhaps a Qubes virus scanning VM would ve possible in theory, but don’t exist in practice.