That many, huh? So this is going to be kind of a non-traditional presentation. You know, actually I had this really great, like, 300 pages of data collected from stuff I had done against NFR and BlackICE and a few other IDSs. And then I got to talking to Chris and Robert and all the people who run this company. And I thought, you know, why be such a jerk about it? And then, also, I was going to do a bunch of Ptacek and Newsham stuff. And then I saw Robert's presentation and everyone else's like that. Well, this has been done already. I mean, do you guys really want me to rehash all the Ptacek and Newsham stuff? Yeah, no. Yeah, maybe. Okay, well, the guy who wrote Snort, shut the fuck up. So I really, you know, so I really didn't want to rehash all the Ptacek and Newsham stuff. So I, like, literally, seriously woke up this morning not too very long ago and sat down and had a conversation with a few people. And I put these slides together in, like, about 25 minutes. So I hope you like them. And if you don't, I'm sorry about that. Although I do have, actually I have a lot of cool stories, but I'm going to tell the first one. So we went to, we went to SANS Network Security a while back and we were in a 20 by 20 booth across from Network Associates. And they had this really big-ass sign that said, "Who's watching your network?" And I thought, you guys are pretty stupid. So we had about a thousand shirts printed that said, "We're watching your network." So, much to their dismay, for about the next two days, about 500 people were walking around in shirts that said, "We're watching your network." And I think they were across, you know, from us just going, "You suck." So to take it one step further, hopefully I won't get sued again. Their attorney sent us a letter and told us that we had been violating something to do with their slogan or what have you. And our attorney sent back a letter and said, basically, fuck you, get a little more creative. So we're watching your network.
So if anyone, this is a really interactive session, as you can probably tell. Shit, I may not even talk about technology. If you guys have any questions, feel free to ask them. And if anybody asks a good question, I've got about 15 shirts I'm going to throw out. Except for the guy who wrote Snort. That's a good question. I'll get to that. So also I have these little, have you seen these little pins? Those little pins that say, "Fuck me, I'm leet." So although, so I don't have many of those, but I don't have any monkey stickers either. So you guys will just have to deal with the one on stage. I told you it'd be fun. So, and you know, you guys thought you might want to go see Simple Nomad. The hell were you thinking? Okay, so I swear I may not even talk about any of this. So I've been thinking a lot, and I think everyone else at our company has. Also, I'm not going to try and pamper our technology a whole lot too. So although I do have some slides that were created by our graphic artists. So you're going to see a lot of, like, Hiverworld logos and stuff. Couldn't be helped. I like barely know how to run PowerPoint. So some marketing gim. What's that? Oh yeah, there you go. Good call. Who has time to do that though? Oh yeah, that's probably true. Next time I'll use MagicPoint or, you know, if they ever get around to getting StarOffice or something working on OpenBSD, or if anyone could ever make it work, send me email. So, anyway, back to the slides. So Feynman, who I think everyone probably knows who that is, Richard Feynman, fantastic physicist, really great work. Work that was totally accessible to everyone. He said something that I think totally sums up how I feel about network security and how I feel about the stuff we're doing and how I feel about everything everyone else should be doing. Which is basically, man, I'm going to bag on NFR. I hope that's okay.
Which is basically to, you know, to imagine and think about things which are there, not to imagine or think about things which are not there. So that's sort of, I think this quote sort of summarizes about the next, I don't know, probably four slides. So I'm going to talk a little bit about domain specificity, which is the idea of understanding what it's like on a specific network in your network infrastructure. I'm going to talk about false positives and how a lot of IDS technologies are basically generating an incredible amount of false positives right now, in my opinion. I'm going to talk about hybrid IDS. I'm going to talk about high-speed network monitoring. And then I'm going to talk a little bit about active packet scrubbing. And if Ptacek's in the crowd, he's going to scream and yell and throw stuff at me. So let's hope he went home already. Okay. Obligatory bullshit marketing slide. Moving on. Okay. So a typical network infrastructure. You know, you have multiple network segments. You have numerous critical servers. You have firewalls, VPNs, and other protective technology. You have multiple locations. You have functional groups, right? So it looks very simple. I told you there were graphics from our graphic artists, so. Here. Yeah. Well, I figure it pretty much sums up most of the firewalls on the market anyway, so. Holy shit, it's burning. Don't worry, that's natural. Yeah. Holy shit, it lost state. Don't worry, that's natural. Holy shit, it doesn't reassemble fragments properly. Don't worry. That's natural. So anyway, your network. See, I told you there's going to be Hiverworld stuff everywhere. So basically, you know, in your network environment, this is a really simple diagram, but you have hopefully a co-location facility somewhere. Maybe it's Hiverworld. Maybe it's someone else. You have, what was that? No, it's interactive. You can say Snort. I said Snort. I'm like, hate. Yeah, really, like, hate, dumbass. Does that mean anything to anyone but you?
Sorry, sorry. Marty, what is that disease where you just call shit out randomly for no reason? Tourette's? All right, somebody escort the guy with Tourette's out of here. He keeps saying Snort. I don't know why. Oh, is it? Oh, it's the guy from Genocide 2600. Oh, well. There you go. Okay. So, no, I swear I'm going to get through these. So, anyway, you have, you know, a scanner possibly. In our case, our scanner is called Swarm. So, of course, I have the Swarm logo up here. And you have a management console. And theoretically, you're not using some crappy product, where multiple scanners or multiple IDSs report back to the same management console. Or are you? Anyone? No? Okay. So, what do I mean when I say domain specificity? Well, I mean that networks are constantly changing, probably. Right? It's always something. Someone plugs something in. Something changes. You know, that sort of thing. I mean that the environment, if you're more than a few class Cs. So, someone want to answer, how many class Cs do you think one administrator can actually manage and keep track of? Zero. Zero. Is that what someone said back there? That was funny. Four. Four? Yeah, not many, right? Just a couple? Yeah? So, I say that the environment must be understood through automation. Not people handing information around, right? I think you have to have some sort of automated tool constantly monitoring your network. Currently, you know, currently it's interesting because there aren't really any scanners that do that, right? Most scanners. Not to name names. Most scanners, you know, you just put on a laptop. You deploy them. You fire them off. Scan the network. And then, you know, you walk away with obsolete results a few minutes later. So, I have this idea that you have to automate the process of understanding your network with technology, not with people. Okay, moving on. And then, of course, track each change on the network. No, it's going to get more fun.
So, then I thought I'd quote Ranum. And not just by saying, script kid, you suck. Did anyone see that talk at Black Hat? No? Holy shit, bags. Open source is bad. Script kid, you suck. Don't release anything. You're all going to hell. Basically, I just summed up like about an hour of Ranum's meandering. Holy shit. Don't forget our lawyers are bigger than your lawyers. Yeah. And our lawyers are bigger than your lawyers. So, you know, there you go. So, but I'm going to quote them anyway, but not in that respect. And I'm going to get sued by like every fucking company out there watching this. Hey, I figured stuff out. What the hell? Right. I figure most of the suits would only come to this, right? Pre-advertising. Pre-advertising. There you go. So, yeah, for Ranum too. Look, I'm actually quoting him. So, the ultimate IDS would not only identify an attack, it would assess the target's vulnerability, and if the target's vulnerable, notify the administrator; if the vulnerability has no fix, it would include directions for applying a fix. Is this my beer? Sorry. Can you guys tell I have like ADD big time? I'm sorry. Who are you? What am I doing? All right. So, thank you. Someone in the eyes of the channel. And he's... He's on my team, guys. You can have a bottle cap. There you go. Actually, there's free beer over here, right? Goons. We have a real problem. There's not enough beer here. Someone bring more beer. Okay. So, now you get to go home and go, you know the founder and chief scientist for Hiverworld? I saw that dude drinking on stage. Yeah. Everyone's like, dude, I want your job. I just get to fuck around and people like come and see me. Okay. So, what do I consider false positives when it comes to IDS technology? Oh, by the way, someone keeping track of time? You? Good. You give me like a five-minute warning. Good. Okay. So, what do I consider a false positive when it comes to IDS technology?
Well, it occurs to me that the words intrusion detection actually mean to detect intrusion. Maybe I'm crazy, but that's what I'm thinking. Not that I'm crazy, but that it means to detect intrusion. So, then it further occurs to me that if you're going to actually do that, like detect intrusion or detect an attack, that I would consider a false positive any time you detect an attack that's destined for a host that doesn't exist, right? So, like if someone, like RFP, runs whisker against my network. Did he announce whisker? Did anyone know? Yeah? Whisker 1.4? Yeah, good. If he runs whisker against my Class B and my Class B is only 5% populated, then why am I trying to detect attacks on 95% of that network? I mean, unless I'm running like a flight recorder or, you know, I'm trying to keep track of every single thing that happens on my network, why am I recording attacks to hosts that don't even exist on my network? So, I call that a false positive. If you alert and wake me up at 3 in the morning, my pager's going off because you say that there's an attack, you know, because it's some high-profile attack. You say that there's an attack to a host on the network that doesn't exist, like, it gets old really fast. So, of course, the natural extension of that is ports that aren't open, right? How can I have an attack that's not for a port that's not open? I mean, this all ties back with, like, understanding your network, right? So, how many of you have actually deployed an IDS? Yeah? About half? Good. So, how many of you remember putting that IDS in place and then spending about half a million dollars worth of man-hours tweaking it so that it wouldn't generate false positives every 30 fucking seconds on your network? I have a client, I swear to God. They installed a leading commercial IDS. A, a leading, not the leading. Now, if it were the leading, I'd just say RealSecure.
So, anyway, they installed a leading IDS and they put it in their network and they put it on their backbone and they have a lot of traffic. And so the first thing they noticed, of course, was that, you know, because they have about 70, 80 megabits sustained on the network, they had to put in about 10 sensors, right, with a load balancer. Okay? Second thing they noticed is that they had to put those sensors on, like, E450s with half a gig of RAM each. The third thing they noticed, the third thing they noticed is that they could do, aggregate across 10 sensors, about 70 to 75 megabits per second before the sensors started falling apart, across 10 sensors on the E450s. You probably know who it is by now, right? Like everyone. So, the other thing they noticed is, and this is just, God, this is classic, the other thing they noticed is about two days after they put these in they had them sending pages to their pagers, and their pager company called them and said, you know, I think 3,000 pages per minute is a little excessive. And so, after about, you know, 48, 72 hours of this, they finally shut it down, but they had so much mail queued up that when they finally got their pager bill, one guy's pager bill for three days, anyone want to guess? $16,000. And I was just, like, righteous. Where can I get one of those? I didn't realize that they made systems that tested the pager infrastructure. Okay, so, where was I even? Services that aren't running, right? I don't want to know about attacks that are destined towards services that aren't running. Let me give you an example. Despite what Nmap says, just because I have port 80 open does not mean I am running a web server on it. Agreed? Yes, good, good. Despite what Nmap says. So that brings us into invalid services, similar kind of thing, right? And then I'm going to take this like a step further. See, I like to say I was going to talk about Ptacek and Newsham stuff, but now I'm just rambling.
I was going to talk, so improperly ordered, fragmented, constructed packets between the NIDS and the target. Okay, what do I mean by that? Well, who's read Ptacek and Newsham's paper, Insertion, Evasion, and Denial of Service? Okay, the Hiverworld guys, anyone else? Still our check. Okay, yeah, you don't count, anyone else? Yeah, a few people? So, hang on. So, how fucking elite is this? This is my copy. And it's got my notes in it. So, I've like underlined some stuff that I think is relevant. Well, here's a Network Associates white paper on high-speed IDS. Fuck that. So, I just, I hope there are no attorneys in the crowd. These guys are like, fucking AI, alright, keep going. Alright, so Ptacek and Newsham's Insertion, Evasion, and Denial of Service, autographed by me and with notes. Anyone want it? Anyone who hasn't read it? Alright. Yeah! Toss it out, Brandon. I'll give you a beer for a curse. Yeah, is it an import? Yeah. Ah, then fuck that. Anyone else have an import? Microsoft action figure board. You have a Microsoft action figure? Oh my God. This just keeps getting better. Oh, totally sold. What's your name, man? Dude, this is elite. One more "Fuck me, I'm leet," anyone want it? Bounced right off the ceiling. Good. You guys are like, maybe I have to talk about technology, fat boy. Oh, I don't know, which one is this? Is this, I think this is stupid-looking guy. Or at least he's in the stupid-looking guy action figure set, I'm pretty sure. Yeah, he's in the, what is this? Yeah, it does say MCP on his little backpack. Oh man. Oh shit. Yeah, I know. Oh my God. Yeah, really, that's true, that's true. What was it that he said, what was it that Petrelay said? He said, I'm not saying that Bill Gates is the devil. I'm just saying that if he and the devil met, they wouldn't need an interpreter. Sorry. Okay, so here's the concept. I may actually get this out.
So the concept is that if you have a scanner on your network, and it doesn't have to be the Hiverworld scanner, and you have a management console and you have an intrusion detection system, how are you going to mitigate this? How are you going to mitigate the idea of not having open ports, not having open services, of not getting alerts when packets are destined toward machines that don't exist on the network? And so, cleverly, I have constructed a real-time communication between the IDS and the scanner. No, I know, it's groundbreaking. The idea, right, is that the scan, kind of back with a lighter. Dude, Pink Floyd's over there. So the idea, right, pretty simple, pretty hard to do. The idea is the scanner would grab information about the domain, therefore creating domain specificity. Therefore, the IDS would have a priori knowledge of the network, and when something happened that came in, because you know which hosts are alive, what operating systems they're running, which services are running, which vulnerabilities exist, you don't get inundated with false positives. Pretty cool, huh? Moving on. So I'm going to, there's this guy on my development team who is like about an order of magnitude better programmer than anyone I've ever met in my entire life. He's a certified badass, and in fact, there's a sticker on my laptop that says badass, and I got one for him too. Yeah, ooh, badass sticker. So here's the idea. I swear I was going to talk about high-speed NIDS, right? Did anyone actually read the abstract for this talk? See, and what the hell were you doing?
So the idea for high-speed NIDS is that you have something, see Steve's freaking out, oh my god, so you have something that does, you get as close as you can to the kernel when you're listening to packets, see I'm just going off now, and you expose information to userland better, like with libpcap, similar to what libpcap gives us, copy as few packets as possible, and you have a large shared buffer space with information, state information, right? So can you tell that this is one of the original slides and all the other ones are just shit I made up? Yeah, good. So the point of this slide though, if there is one, is that at some point here between now and OpenBSD 2.8, if we get around to it, right? Ludwig, myself, and Solar Check are going to try and commit kernel patches to OpenBSD that allow you to do about 300% faster packet capturing on the OpenBSD system. And Theo said that if we don't do it, he will, and then we won't get credit. So I think I might do it. Oh yeah, well-designed hardware. Totally forgot to put that in there. Okay, does anyone know what active packet scrubbing is? Yes, maybe. Okay, aside from you. See, you keep raising your hand. Yeah, okay, another "Fuck me, I'm leet." There you go. Okay, so there's another concept. See, originally this started out as stage of connoisseur, but now it's just like whatever John's going to rant about now. Active packet scrubbing is a way of synthesizing information onto the network so that you guarantee that as packets come into the network, they go through a gateway, and that gateway scrubs the packets so that you prevent things like stage of connoisseur style attacks. Let me give you an example. Let's say, for example, that you have a buffer overflow or, well, let's start with buffer overflow. Let's say you have a buffer overflow and you can trick the IDS by inserting like a NOP into the buffer overflow. Okay, right, simple.
Well, active packet scrubbing is a way of synthesizing all that information so that those NOPs get pulled out and so that everything that goes into the target network or everything that goes out of the target network looks exactly the same, right? So the idea is because... this is just an opinion I'm about to state, like everything else hasn't been. The idea is that because intrusion detection systems are fundamentally flawed, that in order for you to have an intrusion detection system on the network that will try and keep up with all of the information that actually gets blasted into that network, you're going to have to do something kind of interesting, something like a router or a gateway that does packet scrubbing, that sanitizes packets so that if Rain Forest Puppy comes out with a version of whisker that puts a bunch of slashes and all kinds of crap into a URL, this active packet scrubber cleans that up so that the target information on the target network always looks the same, right? Follow me so far? Good. So you can also do some cool things like maintain heuristics to prevent odd packets from being on the network, right? If you monitor network traffic over a month and then you see some packet that you've never seen before that has no possible destination, you can eliminate that packet. Shunt it, log it, move on, right? And then it prevents unusual or abnormal information from passing in or through or out of the network. And I said, okay, we have a question. Is this a firewall? That's a good question. I thought I could go back to the slide with a firewall if you need a refresher. Now, that's an interesting question. Now, the question was, is this a firewall? And I should... Is that a good question? Should I give him a shirt? You give it to someone else, okay. Here's the idea. There have been a lot of papers written about this concept of distributed firewalls. I think even Cheswick and Bellovin put together something that said distributed firewalls.
Here's the idea. Originally we had routers and gateways, things like that. Then we moved toward firewalls. What is a firewall? Nothing more than a really smart router. It's a router with more advanced access control lists, things like that. So I think Cheswick or Bellovin, I can't remember who, probably Cheswick, postulated several years ago that there was this concept of what he called a distributed firewall. The distributed firewall would be a system that would sit on the outside of your network, act as kind of a gateway firewall, or a gateway IDS, would communicate with the other firewalls in real time and sort of maintain sanity on the network. And that notion was further emphasized by Ptacek and has been talked a lot about, well, not a lot, but has been talked about somewhat with the packet ball concepts from Honeymoon and the things Doug Song has been talking about, and as well Vern Paxson has written a paper about this notion of scrubbing packets as they come into the network. So the idea here is that it's not a firewall, it's like the next step. You have a firewall and then you go forward and you have something that does reactive access lists. Reactive access control. So is it a firewall? From one perspective it is, because it does routing and it passes traffic through. From another perspective it's a lot more evolved as a mechanism for preventing crazy traffic on the network. I believe that the technology today does not exist except in limited areas. The question of bandwidth is a good one. How much bandwidth are you asking about? T3, or just rational bandwidth? Yeah. What is rational bandwidth? The technology exists in two forms. In one form I have about 2100 lines of code that I am debating whether or not I should check into the OpenBSD source tree to do this very thing. And then the selfish person in me is saying, or should I release that as a product and keep the doors open? So I don't know. The technology exists somewhat. It exists.
Certainly I know that Vern Paxson has worked on some of it. I spent about 3 hours talking to Doug. I know he is working on some things like this. But as I say, I have about 2100 lines of code that actually for the most part does this that I may check into the OpenBSD sources. So good question though. Good question. The question was, how do you suggest that we regulate which packets are considered odd and which packets are considered normal? And in my opinion the only real way to do that is to maintain some sort of heuristic information about how the network is structured. How are you going to do that? Well, you are going to have to do that by maintaining something like a continuous scanner that keeps track of what the network looks like, so that you at least have some knowledge of the network. And then with IDSs, or with systems that have been deployed for some period of time, so that you can maintain this heuristic model. See, here is the thing. I talked earlier. I mentioned automating with technology or automating with people. So no matter what you do, this is an opinion. Again, caveat, big-time opinion. No matter what you do, you are going to end up spending about 4-6 weeks tweaking a system for your environment. Period. Get ready for it. Deal with it. There's nothing between you and it working other than a little hard work. That's the way it is. Are you going to automate that with a bunch of people running around as experts doing it? Or are you going to automate that with some sort of system that will keep track of your network for you and maintain heuristic information about the network and then know what something odd looks like? Because unfortunately, and I love this company, they can't even afford to create another Counterpane where we have a bunch of people monitoring traffic all the time. So I like Counterpane. Have a question? Two parts for this. As long as the first part isn't bullshit. Just the IDSs or for the whole network? Yeah, good question.
Second part is, if they're for the whole network, how do you make sure that the scrubbing doesn't break something? Good question. I didn't say this was going to be easy. So it's destined for the whole network; the idea is to maintain a network that keeps these synthesized, sanitized packets within it, right? That's the first part. So it is for the whole network, and how do you maintain some idea of what real traffic looks like? Well, once again it has to deal with having some understanding of the network by way of tools to give you this a priori knowledge about how the network looks, how it acts, what operating systems are on it, what applications are on it, things like that. So there is a potential for that? Absolutely. Just as there's a potential for killing someone if you have a gun and don't know how to use it. I mean, all technology, whether good, you know, however it looks or however it feels, can be good or bad depending on how it's used. The idea here is that, as I said before, I'm not saying this is easy, but I am saying that this is how I think we should move forward. So let me see one quick. Wow, I'm at the question section already. You're like, what the hell did you even talk about? Good question. See how many shirts I've got left. Let's see, a few questions. Anne, you want to hand out shirts? No. Here comes Anne, the token Hiverworld chick. Dude, she's totally elite though. Like she can reassemble out-of-order fragmented packets with overlaps in her head. So should we let her decide who asked interesting questions and who doesn't, or should we let me decide? Okay, so you. The fed guy. Are you, or do you just look like a fed? I'm sorry, you had a question. So maybe, so maybe, so the question was so fucking long I didn't even remember what it was. No, so I think the question was, what was the first part? Aren't you putting blinders on by ignoring three of these? So the question was, aren't you putting blinders on? See, I'm rephrasing it exactly so that I'm not hiding from it.
Like other vendors. Put a mic in front of me. See what happens. The question is, aren't you putting blinders on by ignoring what might be legitimate recon work on your network? By having something that only identifies active attacks in progress. And what I have to say to that is yes, and you know what, I'm doing it on purpose. I think there are general-purpose tools like Network Flight Recorder, tcpdump, snoop. There are tools that absolutely, that is their job in life. Maybe Snort. That's their job in life, right? To catch everything. Or in some cases to catch everything until you hit 20 megabit and then drop everything. But okay, in all cases. But yeah, I'm absolutely ignoring the things that I don't care about. Marty coined a term that I think is very cool and it's called SIDS. And the idea is that you only care about maintaining intrusion detection for a network picture for which you understand the targets on that network. And I think that's obviously the natural evolution of this. Good question. The guy in the hemp T-shirt thing. What is that? Okay. You. That's an excellent question. The question is, how do you deal with fragmented packets across this packet scrubbing environment when you have sort of no real idea of what kind of path the packets are going to take? And the answer to that question is, the only way you're going to do this and do this right is if you have a system set up where the system communicates in real time. Like Cheswick mentioned this notion of a distributed firewall, and what I have to say is that the system will not work if you just put a bunch of islands on the net, right? Not too much. Bruce Sterling who? Never mind. Yeah, so the idea is that these systems have to communicate in real time. They have to communicate with an upstream management console. They have to communicate with the scanner. They have to communicate with the IDS.
The idea here is that the IDS, the firewall, the packet scrubber, these sorts of things have to be a part of the network infrastructure, right? They can't just be some random-ass thing that you bought from some vendor that doesn't tie in with other vendors. There has to be communication between these devices. And you know what? I'll even plug us just for a second here. We absolutely plan to release our rules language as open source as well so that other vendors can adopt this real-time communication. Was that a good question? You gave me a shirt, right? Yeah. The Foundstone action figures? It's funny. Hi, I'm Joel Scambray. She just asked if it was the Foundstone action figure. Good God. That was the camera. Oh, those stuff. Oh, I see what you're saying. So, correct me if I didn't understand the question. The question I believe was, if you use OpenBSD's bridging as, you use, what was the other portion of that, to communicate? Oh, the OpenBSD bridging as you're scrubbing. Yeah, that's a good question. Using OpenBSD's bridging as scrubbing is a really, really, really, really good first step. Unfortunately, things like whisker, things like adding a backspace in a Telnet stream for stream reassembly, as you saw maybe from Graham's talk. It's not going to solve problems like that. It's a level of granularity where you're doing active scrubbing on not just the packets themselves but on the content payload. But that's an excellent first step. Did you give him a shirt? That's good. That was a good question. Okay. The guy in the green thing that exploded. Which one? Oh, cool. Orb rules. But I didn't go to the concert because I didn't get any sun. My question is related to Never Hair. It seems to me that the large focus with most IDS systems is on exploits. I agree. I actually have been to your site and read some of the white papers there.
However, when you're looking at internal user detection, the stuff I care more about is an administrator all of a sudden telling any server that they are. Right. The other problem is related to, do you want a mic if we're going to keep talking? The other issue is with a switched network, and with switches it's becoming increasingly difficult to monitor all the traffic that goes across a single switch. It's impossible for us right now. Okay. There's a switch on the bottom. It's not too complicated. Okay. The question was, and I believe I'm interpreting this correctly, but it is my universe where I'm at center, so I'm going to say what I want. The question was, people are spending a lot, possibly too much, time just looking for exploits and not enough time looking for what would be traditionally considered anomalous behavior. When someone's doing something from a system inside that they shouldn't be doing it from, and this anomalous behavior should be taken into consideration a lot more, and not only that, but if it is taken into consideration, how in the hell are you going to manage it because of switched environments and the complexity of that? Those are all good questions or comments, I think. I do think people are spending an awful lot of time playing the counting game, counting how many exploits they each have. Oh look, I've got 300 exploits that I check for, never mind the fact that 175 of those are freaking username-password guesses, you know. Sorry for those vendors that are cringing because I just called bullshit on them, but so offensive, actually. So this brings me to one quick little tirade I'm going to make here, which is, do you guys have any idea what it's like trying to be a vendor in this space?
Everyone is so freaking jaded. They've been lied to by vendors; they've had vendors tell them what is complete bullshit. And so when you come in, of course you're like, hey, how's it going, you know, we have this thing, it does some stuff and it's pretty cool, and they're like, yeah right, prove it. And you're like, no, look, I have this model of cool predicate-calculus-based whatever. Prove it. And so then you have a situation where at some point it's okay for a vendor to stand on stage and say that their, you know, 46 laptop does 148,000 packets a second, and you're like, what, is that the fucking magic laptop you have there, chief? I'm sorry, is there an E10000 under the stage? What the hell are you talking about, 148,000? Dude, your 46 can't even move a pointer through memory across 148,000 structures in a second. Shut up. I'm sorry, did I even answer the question?

Okay, so I think... yeah, well, thank god we have a good attorney, right? Yeah. So I totally agree. You know, even though I get up here and I joke and I have a lot of fun, it is DEF CON, so deal with it, but I totally agree. I think people spend an awful lot of time thinking about exploits, and they should be really thinking about their network, and this concept that I threw up of domain specificity. It's the idea that you need to know your network before you know how to protect it, right? How can you protect your network if you don't even know what's on it? I mean, the idea of coming in with an IDS when you don't understand your network and just turning it on and saying, well, you know, it's not really doing what I want, is ridiculous, right? I mean, the concept here is you need visibility on your network before you can even add an IDS. So once you do add an IDS, or once you do add this packet scrubber, or once you do add some sort of reactive system, then you have a great ability, right? You can start grabbing information and maintaining some sort of map of everything that's happened. And so, you know, exactly as you said, you know, if some crazy person in marketing who's never run SNMP before is suddenly firing up the latest, like, ADM scanner that does SNMP, you know, grinding across public and privates, you know if they're doing that, right, because you have some understanding of what's going on in your network. So I totally agree: people spend way too much time thinking about exploits, not nearly enough time thinking about how can I get an understanding of my network that makes sense.

How many shirts do we have left? How much time do I have? Okay, cool, I got plenty of time to rant. Oh, hang on, I don't know if you get to answer a question. Oh, okay. So just for those of you who don't know, this is the guy that I just called bullshit on. Oh, P2 400, single processor, okay, so you're not, like, forcing processor affinity or anything crazy like that. Okay, it's got a 32-bit onboard NIC. Do you want a mic? So this is the fun stuff, where, like, the vendors actually come up and start, like, you know, duking it out. So for those of you in the audience, take a picture now; it'll never happen again. The next time, one of us will be dead. It'll be Nick, tomorrow morning at dawn.

So anyway, one of the latest developments we've done with our IDS is we created a custom hardware driver. This notebook happens to have the one card that we support, which is a 3C905C from 3Com. So it's basically what he said earlier... hang on, the hardware guy, what was that? It's 3C905C. I'm sorry, okay, and what was your driver for that? Okay. The issue with this card is that we wrote our custom driver, just like you guys are doing your kernel mods; we wrote a custom hardware driver, we bypassed the operating system completely. So anyway, this is all theory, like, you know, this is like crap, right? So what I'd like to do is to ship you guys this notebook and have you run the test that you want to run, whatever you want to run, and then publish the results. I'd love to do that. Luckily we're in the Bay Area, so I can, like, just send it across the bay, send you guys the notebook.

If so, I just... I just want you guys to know, obviously I have some respect for Network ICE, so I wouldn't be blowing them so much crap, right? If I didn't like them I'd just ignore them. And also, I mean, we're a fair company; I haven't come up here and said anything totally crazy. I totally would be willing to take you up on that. That's awesome. And I'm big enough that if I publish the results, if I find out that the results are true and that Robert's right, I'm on our front fucking page. No, just, well, just post it to SecurityFocus or something like that. So, and we'll maybe even get SecurityFocus to link to it or something. Yeah, absolutely, absolutely, absolutely. Cool, thanks, man. I can give a team now it's got provide good information. No problem.

I think that, absolutely, one more thing on this t-shirt is: I came from Network Associates, from Network General, which started the original CyberCop Monitor project. And they got... actually, CyberCop Monitor 1.0 was actually licensed from WheelGroup. So then Bill Larson, CEO of Network Associates, bought out Network General, and then Cisco bought out WheelGroup, and those two, John Chambers and Bill Larson, got into, like, a little tiff, and they basically had to pull the CyberCop Monitor 1.0 product off the market, where the "we're watching your network" or "who's watching your network" campaign came out. So it kind of screwed it; it meant that they weren't watching your network. So then, like, the SNI folks got together some Haystack people with the sniffer drivers, and they sort of glued together CyberCop Monitor 2.0, which I've never seen in real life anywhere. I don't know if it really exists. So, being the founder of Network ICE, do you want a "fuck me, I'm leet" sticker? What a great sport. You guys should just give him money, because he's such a good sport about it. I love that. We have two shirts left. How many shirts do we have left? Okay, we have three, two, three, we have two shirts left. Two more questions. Uh, okay, that guy looks like he's going to ask something hard.

Do you think that's... That's a really, really good question. I personally believe that today, right now, the IDS technology needs its own box. I think that there are too many demands on what has to happen when a packet goes from the kernel to the decode to the fragmentation reassembly to the detection engine for it not to be on its own box. Now, I don't think that that's going to be true in the future. Excuse me, too much beer. I think that in the future... yeah, like I said, I got like two hours of sleep last night. Look at the monkey. Um, monkey. Yeah, I do think in the future you'll be able to do something cool like put a daughter card on maybe, you know, a Cisco, or you'll be able to put some sort of blade inside of some sort of chassis and do it all in the blade, when things move toward ASIC. But right now, man, we are so in our infancy. We have people claiming all kinds of things, and I've never in real life seen an IDS with all the rules loaded perform, no matter what the hardware is, perform at above, like, 20 megabits per second, with one exception, and that exception is freeware. I mean, Snort is the only thing I've ever seen go above 40 megabits sustained. Good question. So if anyone wants to help, you know, Marty write a better, faster detection engine, I'm sure he'd... I think he'd be for that. But at this point, I mean, it's like, you know, you're running the race and you look back and you go, man, all those guys with money sure are fat and slow. All right, hit me. Yeah, you. That means ask a question. Do you want a mic?

So the question is that most systems today don't deal with spoofed attacks very well, and do I have an idea of how to deal with them more appropriately? See, this is going to be where I sound like a broken record. You're like, too late. The idea here is, if you know, once again, if you know what the traffic on your network looks like and you have some understanding of what normal traffic looks like, and you model normal traffic, then there's one way to guard against spoofed attacks. The other thing you have to do is you have to just do what a lot of stateful inspection firewalls are doing now, and that's just maintain some sort of rational state about how connections are coming in. I will bet you money, in the form of this one-dollar thing that says "fuck me, I'm leet", that still are checking to give you a much better explanation of this than I can. My idea is fairly simple. I'm a straightforward guy. I think maintaining state on the network, having a really good understanding of what connections look like, and not doing stupid things like ignoring checksums, ignoring packet IDs... I mean, if you just keep a rational idea of everything on the network, I don't think you're going to have nearly as many spoofing problems as people have today. So, good question. So I'm out of shirts, but I do have one pin. So, yeah, you've had it for a while. What's up? Good question. His question was basically: I've listened to vendors before, and BS, when is this all happening? Am I being fair? I mean, probably putting orange in your mouth, but they're mine worth. So as I said before, the concept of doing high-speed intrusion detection is, while not exactly completed, it's not vaporware. We have it in beta. I plan on releasing sources to the OpenBSD source tree to do high-speed network interaction. Our products already do interoperability. We're releasing, like within the next few months, we're releasing an open-source rules-based language that allows you to communicate with systems in real time. So we're talking about 60 to 90 days away from an open-source rules-based language. I also plan on making the modifications that I'm talking about, about 2100 lines of code. I plan on making those modifications to the OpenBSD kernel to allow some, you know, maybe not super robust, but certainly some first-step packet scrubbing to occur. So I think by November 11th, which is the release of OpenBSD 2.8, you're going to see an awful lot of this technology in the stock OpenBSD distribution. Yeah, in the back. Good question.

The question was basically... if anyone didn't hear it, although he's in the back there, I'm sure you all heard it. The question is basically: if you do active packet scrubbing, you're in a position where all packets have to go through you, so you have this real problem of being susceptible to distributed denial of service attacks, things like that. You're going to have the exact same problem that you have with a Cisco router. Cisco routers have about 32 megs of RAM, sometimes more, but you have a situation where you have to maintain state on that Cisco router, and the Cisco router itself is actually, in my opinion, a lot less robust when it comes to maintaining some rational understanding of what's going through the network and maintaining some rational idea of how to recover from a distributed denial of service. I mean, let me give you an example. I mean, you can put a PIX on a network, and I'm not just bagging on PIX, it's a lot of stuff, but you can put a PIX on a network segment, and no matter how you configure it, if you run nmap, if you run a SYN scan, a fragmented SYN scan from nmap, either through the PIX or into a network that passes through the PIX that doesn't exist, and the PIX has to maintain all of that state, at some point it's going to fall apart just like everything else. The idea here is, with active packet scrubbing, you at least know what you're getting into. You at least know that you're getting into a situation where, if packets start going crazy, like someone's running nmap to hosts that don't exist, because you have this understanding of the network, you can at least drop those connections in favor of ones that aren't irrational. So I think it's a lot more rational approach to the problem. Okay, is my time up? Do you want to give that to that guy? That's a really good part. Okay, yeah, we got in the back. You get a "fuck me, I'm leet" sticker or pin. That was a good question. Sorry. Right, so the comment was Cisco changes their filter list actively based on certain types of signatures.

I totally agree; they change the access control list. I absolutely agree. That's not what I'm talking about. What I'm talking about is scrubbing the packets, and the packet content and the packet header, so that you sanitize things that go into the network, so that you guarantee that everything that comes into the network is sanitized. And I agree that Cisco does some of this, but what Cisco certainly does not do is maintain an active understanding of the internal and external network segments that they're connected to, and modify whether or not they're holding packets, or modify how packets look, or modify packet destinations, things like that, based on a heuristic understanding of the network. Okay, and one more question, then I'm out of here. Um, yeah, go ahead. I hope so. The question was: do you see real-time scanners moving toward integration with host-based systems? You know, I absolutely hope so. I hope that people take the rules language that we're proposing and modify it and add to it and create a consortium and spend four, you know, years arguing about how it should be set up, and then in the meantime rational vendors do what everyone else does, which is just implement the damn thing and get to a point where we're actually maintaining visibility between the host's understanding of what's happening on the host, the network's understanding of what's happening on the network, and the IDS's understanding of what's happening on the network from, you know, a historical model. So that's it for me. Thanks, guys, you've been wonderful.
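Two of the speaker's answers above describe the same defensive idea from different angles: against spoofed traffic, keep rational connection state and do not ignore checksums; under a state-exhaustion flood such as a SYN scan at addresses nobody is at, use knowledge of which hosts actually exist to shed the irrational half-open entries first. The following is an added illustration of that idea, written for this edit; it is not code from the talk, from the speaker's company, or from OpenBSD. The packet builder, the `ConnTracker` class, the verdict strings and the IP addresses are all constructed for the example, and the IPv4 header checksum is deliberately left unvalidated to keep the block short.

```python
"""Toy stateful TCP tracker: verify the TCP checksum, require handshake state
before forwarding, and prefer evicting half-open entries to non-existent hosts.
Constructed example; not the talk's or any vendor's code."""
import struct
from collections import OrderedDict

IPPROTO_TCP = 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_packet(src, dst, sport, dport, flags, seq=0, ack=0, corrupt=False) -> bytes:
    """Constructed IPv4 + TCP headers (no payload). corrupt=True flips one checksum bit."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = ip2b(src) + ip2b(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    csum = internet_checksum(pseudo + tcp)
    if corrupt:
        csum ^= 0x1
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]  # checksum sits at offset 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ip2b(src), ip2b(dst))
    return ip + tcp


def parse(pkt: bytes):
    """Return (src, dst, sport, dport, flags, tcp_checksum_ok) for an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    # Summing the segment with its checksum field in place yields 0 when intact.
    return src, dst, sport, dport, flags, internet_checksum(pseudo + tcp) == 0


class ConnTracker:
    """Hypothetical tracker: live_hosts is the operator's map of real internal hosts."""

    def __init__(self, live_hosts, max_entries=4):
        self.live_hosts = set(live_hosts)
        self.max_entries = max_entries
        self.table = OrderedDict()  # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"

    def _evict(self) -> bool:
        # First choice: half-open entries aimed at addresses where no host exists
        # (what a scan of a dead address range leaves behind). Second: oldest half-open.
        for key, state in list(self.table.items()):
            if state == "SYN_SENT" and key[2] not in self.live_hosts:
                del self.table[key]
                return True
        for key, state in list(self.table.items()):
            if state == "SYN_SENT":
                del self.table[key]
                return True
        return False

    def process(self, pkt: bytes) -> str:
        src, dst, sport, dport, flags, ok = parse(pkt)
        if not ok:
            return "drop:bad-checksum"
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == SYN:  # new connection attempt
            if fwd in self.table:
                return "forward"
            if len(self.table) >= self.max_entries and not self._evict():
                return "drop:table-full"
            self.table[fwd] = "SYN_SENT"
            return "forward"
        if flags & SYN and flags & ACK:  # reply must match a SYN we saw go out
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "ESTABLISHED"
                return "forward"
            return "drop:no-state"
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:  # stray ACK/RST/FIN with no handshake behind it
            return "drop:no-state"
        if flags & (FIN | RST):
            del self.table[key]
        return "forward"


def demo():
    """Constructed traffic: hosts 10.0.0.5/.6 exist, 10.0.0.200/.201 do not."""
    t = ConnTracker(live_hosts={"10.0.0.5", "10.0.0.6"}, max_entries=2)
    out = [
        t.process(build_packet("198.51.100.9", "10.0.0.5", 40000, 80, ACK)),       # no handshake
        t.process(build_packet("198.51.100.9", "10.0.0.5", 40001, 80, SYN, corrupt=True)),
        t.process(build_packet("198.51.100.9", "10.0.0.200", 40002, 80, SYN)),    # dead host
        t.process(build_packet("198.51.100.9", "10.0.0.201", 40003, 80, SYN)),    # dead host
        t.process(build_packet("198.51.100.9", "10.0.0.5", 40004, 80, SYN)),      # table full
        t.process(build_packet("10.0.0.5", "198.51.100.9", 80, 40004, SYN | ACK)),
    ]
    return out, list(t.table.items())


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The stray ACK and the corrupted SYN are dropped before any state is spent on them; the two SYNs toward addresses with no host fill the small table, and when the real SYN arrives the tracker sheds one of those half-open entries rather than refusing the legitimate connection, which then completes normally. A production scrubber would also need timeouts, sequence-number sanity checks and the IP-header checksum, none of which this toy attempts.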