RE: Intrusion Prevention Systems

["shannong" <shannong () texas net>]

A more legitimate name would be Intrusion Mitigation Systems. Surely,
none of us operate under the guise that any of these systems can prevent
intrusion to a system/network.  Rather, they can stop the easy, obvious
ones.

It seems were calling an reactive IDS and IPS.  With that in mind,the
techonology is definitely immature and unproven especially with respect
to network based solutions.  The problem isn't the reactive measures
that "prevent intrusions", but rather it's the IDS engine that runs
behind it that is the problem.  I still consider IDS an immature
technology.  

Stopping something known to be "bad" is fairly "easy" with alogrithms
and heuristics. The hard part is determing what's "bad".  IDSs are not
very effective at this yet.  False positives make up a major part of the
IDS events on any system I've seen.  Sure, you can tune over a long
period of time, but you'll still spend hours a day if you track down
every alert. "Over tune", and you'll miss real events worth
investigating. It is very easy to generate undesirable responses from
reactive IDS solutions using spoofing, etc. to block legitimate traffic.

If an organization considers the risk of preventing legitimate traffic
acceptable, then an IPS is worth looking into. 

Most thoughts here are shared with a network based solution in mind.
Host based IPS solutions are more palatable because they represent less
threat to preventing legitimate traffic.  Or at least limit the problem
to a single host rather than to an entire network at large.

-Shannon

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com] 
Sent: Monday, October 28, 2002 11:40 AM
To: focus-ids () securityfocus com
Cc: roesch () sourcefire com
Subject: Intrusion Prevention Systems


Martin Roesch wrote...

> Don't get me wrong, I'm not saying it's not a good idea, it's an 
> excellent idea.  My point is that the marketing hype that's coming out

> of the IPS vendors at this point is overblown in my opinion and I 
> haven't seen much cautionary introspection applied to the concept yet,

> so I thought I'd chime in.  The deployed base of network intrusion 
> prevention systems in production environments today is very small.   
> While the concept has a lot of merit, it's unproven as yet and there 
> are significant technical hurdles (robustness, capability, etc) as
well 
> as a raft of political hurdles that have not been addressed in any
sort 
> of empirical manner yet with a deployed base of happy users.

I want to respond to a few things you said, Martin. 

1. Intrusion prevention is hardly a "new" thing. I keep hearing people
say how Hogwash is this amazing new thing. In reality, BlackICE Guard
(now called RealSecure Guard), 
which is the exact same type of product, pre-dates Hogwash and all the
other IPS products by almost 3 years.  I was building and deploying
Guard units when Hogwash was still 
an interesting idea being discussed on Snort forums. Guard is based on
Network ICE's 
BlackICE which is, as we all know, the core of ISS's RealSecure NIDS. 

I say this not in deference to Hogwash, but to point out that IPS is not
a new idea. You could even argue that some firewalls, like WatchGuards,
have rudimentary IPS features as 
they can auto-block users who attempt to connect using spoofed IPs or
other known (albeit lame) hacking tactics. 

2. IPS is hardly a "test lab device" or unproven technology. I have
Guard units deployed 
all over the Pacific Northwest protecting critical mainframes, DMZs, and
even some Linux clusters. These units are like tanks with practically
zero down-time and exceptional performance. In 
one case, a Guard unit is defending a particular client's credit card
system - and it has 
blocked more script kiddies and hackers than I can well count. It is
integrated with a comprehensive host-based IDS and some other NIDS and
provides exceptional insight and capability for this customer. 

3.However, I do agree with you that marketing can often pervert the true
value and capability of 
these systems. ISS and Network ICE have had a hard time positioning and
selling Guard units because they are difficult to understand and hard to
deploy. I have had success with them mainly because I sell them as
appliance type units and I have special tweaks to make them really
scream. 

Furthermore, sales folks like to sell these as "all-in-one" high margin,
high-price items. Ideally, IPS should complement and integrate with a
comprehensive IDS offering and should never replace or supplant a
traditional firewall. 

> Sourcefire *is* working on IPS too, both with things like in-line mode

> operation and firewall interoperability through mechanisms like OPSEC.

> 've seen a lot of people advocating the widespread replacement of IDS 
> with IPS in the last couple months and I think that it's way too early

> to make that leap.

I agree that you cannot replace IDS with IPS. IPS is best seen as a
"special use" type solution. I pitch Guard units to companies that have
special areas that need exceptional defense. The most common application
is as a last-defense layer in front of mainframes or UNIX clusters. 

As for OPSEC interoperability - RealSecure has had this for eons. And
honestly, I don't think I have ever seen anybody use it. That doesn't
mean it doesn't work. But its hard to implement unless there is a very
organized and well-planned IDS roll-out methodology used. 

I also have some real reservations about any product automatically
rewriting firewall rules. Better to have set firewall rules and then
build in distributed, compartmentalized protection zones behind that
firewall. IPS and more firewalls are better suited to this role than
rewriting firewall rules at the perimeter. 

> Do you think there's a conflict of interest here?  Am I not allowed to

> have reservations about the technology even though I work on it?  A
lot 
> of people would debate the value of having the firewall reconfigured
by 
> a NIDS, but people (like me) who work for companies that have features

> like that as requirements for the market they serve have to work
within 
> the market reality even though they may have reservations about the 
> value of the technology itself.  Would you say that the technology is 
> completely, absolutely ready for prime time in your opinion as an 
> evaluator of the *engineering* pros and cons of such a technology?

Think?  I KNOW the technology is ready for prime time. I am sitting on a
client base of highly satisfied customers using and enjoying the
benefits on IPS devices. We've caught everything from nosy users to
corrupt software at a HUGE national financial company with these
devices.

However, IPS isn't for the faint of heart. It is a tough implementation.
The tuning and use of such systems can be very dicey. And most people
fall apart at the first dropped packet. There is a challenging
integration process, but done slowly and done properly, it can work. And
this isn't theory I am spouting here, this is my own personal
experience. 

> Can
> you speak to those?  I notice you guys at Latis use Snort as your
> supported IDS technology, how does your integrated solution fare when 
> Snort has gone into self-preservation mode due to its memory cap being

> hit in its stateful inspection subsystems?  How about in the same 
> situation for the IP defragmentation subsystem?  Does it dynamically 
> reallocate the memcap based on the available free memory on the system

> or does it thrash?  We had to get to *extremely* high loads in our
test 
> lab traffic generators (~1M concurrent sessions) on our gigabit
product 
> before we saw the degenerate thrashing situation Snort would descend 
> into when the memory caps were hit.  How are you guys handling that?

I'll be honest, I had a very hard time getting a Hogwash system to work
at all. However, I will admit that I am irreparably biased by my
BlackICE experience. So, when things don't look like BlackICE, I get
itchy. I spent a good week or more trying to get the system running.
When I did, I loaded up the segment (a fully switched 10/100 segment) to

about 75% utilization and my unit was really struggling to keep up. My
tests were hardly scientific or reliable since I was mostly just playing
with the system. 

However, Guard systems I use have no problem handing fairly heavily
loaded 100 Mbps segments. Gigabit guard is possible using load
balancers. You can run multiple Guards 
through a TopLayer IDS balancer and then achieve a true Gigabit Guard
unit. So far there is 
no single Gigabit Guard solution. 

> I say it's not 100% ready for prime time because it hasn't been 
> deployed widely enough to have any sort of empirical evidence that it 
> is and in my opinion as an *engineer* the case still has to be made.
> Once there are a few thousand NIPSes out there saving the bacon of 
> large enterprises and that can be documented, I'll be a lot more 
> impressed.  When Sourcefire finally releases a solution it'll be the 
> best technology that we can come up with (given all the usual 
> constraints) and hopefully it'll be ready for prime time, but we'll 
> need to see successful deployments of it before I'm going to convert
to 
> being an IPS advocate.

Well, if you need to see some successful IPS deployments, come out to
Seattle or Portland and I would be happy to walk you through one of our
Guard deployments (with the customer's approval of course) and show you
how they're working. 

One of my Guard units has been on-line consistently since March of 2000
with only occasional reboots and software updates. 

Okay - I know what you're thinking. "Oh, you're just a vendor of these
things and you'll say anything to sell them," Sure, I want to sell them.
I need to pay a mortgage just like everybody. 
However, unlike most resellers who just shove products at their
customers and mindlessly 
bark marketing propaganda, my firm has always tried to sell stuff we
KNEW worked. Its why I won't sell some unnamed technologies. I know they
won't work and I know they are BS. (Besides, I sell, or at least try to
sell, SourceFire!) Guard's work, and I can 
prove it. Not with marketing BS, but real-world trials. 

Lastly, I think its great you are openly questioning these technologies.
They deserve questioning and debate. Its a testament to Sourcefire and
yourself that you can appreciate market desires 
but also strive to openly discuss their real value. If more security
firms were more open about their ideas and theories for technologies,
they might be able to forge better technologies overall and ultimately
satisfy market desires more appropriately. 

Andrew Plato, CISSP 
President / Principal Consultant
Anitian Corporation
www.anitian.com