Firewall Wizards mailing list archives

Re: Corporate H/N IPS


From: Crispin Cowan <crispin () wirex com>
Date: Sat, 14 Dec 2002 14:16:25 -0800

Talisker wrote:

> Crispin
> I'm not exactly in agreement with many of your points

No worries; that's what forums like this are for :)

>> EXACTLY like a firewall, only they look at higher level application
>> protocols than classic packet filtering firewalls.
> I for one would not entrust my perimeter defense to a NIPS, however I may
> consider using a NIPS to look for intrusion signatures on those packets that
> have been passed by the firewall.  I feel they complement each other very
> well.

Neither would I. I'm not saying that products marketed as NIPS make *good* firewalls. In particular, they are incomplete firewalls, because they don't have the classical capability to block on IPs, ports, & such. Conversely, one could also say that classical packet filters are also incomplete, because they don't look at high level application traffic. The composition of the two adds value to make a more complete firewall system.

None of which is new: ancient firewall design calls for an outer firewall to defend your DMZ, and an inner firewall to defend your LAN. These firewalls would often be of different design, e.g. a packet filter on the outside and a proxy firewall on the inside.

To be clear, my claim is not that NIPS suck. My complaint is that the claim that NIPS is a bold new concept is crap, and that NIPS should properly be understood as an incremental improvement in firewall technology.

> I do see HIPS as different from Secure OS's they are more widely
> available to all, deployable with minimal impact on an existing network and
> enterprise aware out of the box.

Again, this is an incremental improvement on an old concept. A retro-fit security enhancement package fitted onto an existing OS to make it a secure OS. Olde schoole secure OS people will rant about how much less cost-effective it is to retro-fit security, and they may be right, but that's what it is. We built one (Immunix) because I thought it was interesting, and because the economics of the cost of wholesale replacement of operating systems dwarf the cost benefits of designing in security vs. retrofitting it.

>> True: "intrusion detection" is what you call it when your detector is so
>> slow or imprecise that it cannot be used for prevention.
> IDS can be a little hit and miss, I've had to switch some off because they
> were so inadequate.  However, I have also used others to good effect they
> have saved my network on many occasions.

Again, I'm not saying that IDS has no value, just that its value needs to be understood. Both Intrusion Preventers and Intrusion Detectors are looking at traffic/operations, and trying to distinguish good from bad. If the distinction can be done precisely (nearly zero false positives) and in real time (before the traffic/operation completes) then it can be used for access control. If the distinction is heuristic (has a real false positive rate) or is slow (makes the distinction long after the traffic/operation completes) then you use it for detection instead of prevention.

The trade off for detection is that detectors can detect much more subtle intrusions. They can infer attacks comprised of legitimate operations that would have passed access control. They can spend more time on analysis. This is why you have detection in addition to your access controls/prevention stuff.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                            Just say ".Nyet"
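The two points argued in the message above (a packet filter and an application-layer inspector compose into a more complete inline firewall, and a heuristic or after-the-fact check belongs in detection rather than prevention) can be shown in a few lines of code. The following is an added illustration, not code from the original post or from Immunix; the addresses, request lines and log entries are constructed sample data, and the signatures and thresholds are arbitrary assumptions for the example.

```python
"""Composed inline filter (packet filter + application-layer check) next to an
offline detector. Everything below is constructed sample data for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str  # application-layer request line (constructed for the example)


# Stage 1: classic packet filter. Precise and real time, but it sees only
# addresses and ports, never the application protocol.
ALLOWED_PORTS = {80, 443}
BLOCKED_SRC = {"198.51.100.7"}  # constructed address from the RFC 5737 test range


def packet_filter(p: Packet) -> bool:
    if p.src in BLOCKED_SRC:
        return False
    return p.dport in ALLOWED_PORTS


# Stage 2: application-layer inspection, the part a NIPS adds. Because a hit
# blocks the request in real time, only checks with a near-zero false positive
# rate belong here (a malformed request line or a traversal sequence in the path).
def app_inspect(p: Packet) -> bool:
    try:
        method, path, version = p.payload.split(" ", 2)
    except ValueError:
        return False  # not a well-formed request line
    if method not in {"GET", "POST", "HEAD"}:
        return False
    if ".." in path or "\x00" in path:
        return False
    return version.startswith("HTTP/1.")


def inline_decision(p: Packet) -> bool:
    """The composed firewall: a packet must pass both stages."""
    return packet_filter(p) and app_inspect(p)


# Offline detection: heuristic, and it runs over the log of requests that were
# already allowed. That is why it can flag a pattern built from individually
# legitimate operations, such as one client accumulating many not-found responses,
# and why its output is an alert rather than a block.
def detect_scan(log, threshold: int = 5):
    """log: iterable of (src, http_status). Returns sources at or above threshold 404s."""
    misses = defaultdict(int)
    for src, status in log:
        if status == 404:
            misses[src] += 1
    return sorted(src for src, n in misses.items() if n >= threshold)


# Constructed sample traffic: one normal request, one to a closed port, one with a
# traversal sequence in the path, and one from a blocked source.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "192.0.2.10", 80, "GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", "192.0.2.10", 23, "login"),
    Packet("203.0.113.9", "192.0.2.10", 80, "GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.7", "192.0.2.10", 80, "GET /index.html HTTP/1.1"),
]

# Constructed access log (source, status): every entry passed the inline filter.
SAMPLE_LOG = [("203.0.113.9", 404)] * 6 + [("203.0.113.5", 200), ("203.0.113.5", 404)]


def inline_results():
    return [inline_decision(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("inline decisions:", inline_results())
    print("sources flagged by offline detector:", detect_scan(SAMPLE_LOG))
```

Only the first sample packet passes both inline stages; the other three are each stopped by a different check, which is the composition argument in one run. The detector flags `203.0.113.9` even though every one of its requests was allowed, which is the other half of the argument: a rule that depends on counting over time cannot sit on the access-control path, so it reports instead of blocking.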
