IDS mailing list archives
RE: Intrusion Prevention Systems
From: "shannong" <shannong () texas net>
Date: Mon, 4 Nov 2002 20:32:43 -0600
A more legitimate name would be Intrusion Mitigation Systems. Surely, none of us operate under the guise that any of these systems can prevent intrusion to a system/network. Rather, they can stop the easy, obvious ones. It seems we're calling a reactive IDS an IPS. With that in mind, the technology is definitely immature and unproven, especially with respect to network based solutions. The problem isn't the reactive measures that "prevent intrusions", but rather it's the IDS engine that runs behind it that is the problem.

I still consider IDS an immature technology. Stopping something known to be "bad" is fairly "easy" with algorithms and heuristics. The hard part is determining what's "bad". IDSs are not very effective at this yet. False positives make up a major part of the IDS events on any system I've seen. Sure, you can tune over a long period of time, but you'll still spend hours a day if you track down every alert. "Over tune", and you'll miss real events worth investigating.

It is very easy to generate undesirable responses from reactive IDS solutions using spoofing, etc. to block legitimate traffic. If an organization considers the risk of preventing legitimate traffic acceptable, then an IPS is worth looking into.

Most thoughts here are shared with a network based solution in mind. Host based IPS solutions are more palatable because they represent less threat to preventing legitimate traffic. Or at least limit the problem to a single host rather than to an entire network at large.

-Shannon

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com]
Sent: Monday, October 28, 2002 11:40 AM
To: focus-ids () securityfocus com
Cc: roesch () sourcefire com
Subject: Intrusion Prevention Systems

Martin Roesch wrote...
> Don't get me wrong, I'm not saying it's not a good idea, it's an excellent idea. My point is that the marketing hype that's coming out of the IPS vendors at this point is overblown in my opinion and I haven't seen much cautionary introspection applied to the concept yet, so I thought I'd chime in. The deployed base of network intrusion prevention systems in production environments today is very small. While the concept has a lot of merit, it's unproven as yet and there are significant technical hurdles (robustness, capability, etc) as well as a raft of political hurdles that have not been addressed in any sort of empirical manner yet with a deployed base of happy users.
I want to respond to a few things you said, Martin.

1. Intrusion prevention is hardly a "new" thing. I keep hearing people say how Hogwash is this amazing new thing. In reality, BlackICE Guard (now called RealSecure Guard), which is the exact same type of product, pre-dates Hogwash and all the other IPS products by almost 3 years. I was building and deploying Guard units when Hogwash was still an interesting idea being discussed on Snort forums. Guard is based on Network ICE's BlackICE which is, as we all know, the core of ISS's RealSecure NIDS. I say this not in deference to Hogwash, but to point out that IPS is not a new idea. You could even argue that some firewalls, like WatchGuards, have rudimentary IPS features as they can auto-block users who attempt to connect using spoofed IPs or other known (albeit lame) hacking tactics.

2. IPS is hardly a "test lab device" or unproven technology. I have Guard units deployed all over the Pacific Northwest protecting critical mainframes, DMZs, and even some Linux clusters. These units are like tanks with practically zero down-time and exceptional performance. In one case, a Guard unit is defending a particular client's credit card system - and it has blocked more script kiddies and hackers than I can well count. It is integrated with a comprehensive host-based IDS and some other NIDS and provides exceptional insight and capability for this customer.

3. However, I do agree with you that marketing can often pervert the true value and capability of these systems. ISS and Network ICE have had a hard time positioning and selling Guard units because they are difficult to understand and hard to deploy. I have had success with them mainly because I sell them as appliance type units and I have special tweaks to make them really scream. Furthermore, sales folks like to sell these as "all-in-one" high margin, high-price items.
Ideally, IPS should complement and integrate with a comprehensive IDS offering and should never replace or supplant a traditional firewall.
> Sourcefire *is* working on IPS too, both with things like in-line mode operation and firewall interoperability through mechanisms like OPSEC. I've seen a lot of people advocating the widespread replacement of IDS with IPS in the last couple months and I think that it's way too early to make that leap.
I agree that you cannot replace IDS with IPS. IPS is best seen as a "special use" type solution. I pitch Guard units to companies that have special areas that need exceptional defense. The most common application is as a last-defense layer in front of mainframes or UNIX clusters.

As for OPSEC interoperability - RealSecure has had this for eons. And honestly, I don't think I have ever seen anybody use it. That doesn't mean it doesn't work. But it's hard to implement unless there is a very organized and well-planned IDS roll-out methodology used. I also have some real reservations about any product automatically rewriting firewall rules. Better to have set firewall rules and then build in distributed, compartmentalized protection zones behind that firewall. IPS and more firewalls are better suited to this role than rewriting firewall rules at the perimeter.
> Do you think there's a conflict of interest here? Am I not allowed to have reservations about the technology even though I work on it? A lot of people would debate the value of having the firewall reconfigured by a NIDS, but people (like me) who work for companies that have features like that as requirements for the market they serve have to work within the market reality even though they may have reservations about the value of the technology itself. Would you say that the technology is completely, absolutely ready for prime time in your opinion as an evaluator of the *engineering* pros and cons of such a technology?
Think? I KNOW the technology is ready for prime time. I am sitting on a client base of highly satisfied customers using and enjoying the benefits of IPS devices. We've caught everything from nosy users to corrupt software at a HUGE national financial company with these devices. However, IPS isn't for the faint of heart. It is a tough implementation. The tuning and use of such systems can be very dicey. And most people fall apart at the first dropped packet. There is a challenging integration process, but done slowly and done properly, it can work. And this isn't theory I am spouting here, this is my own personal experience.
> Can you speak to those? I notice you guys at Latis use Snort as your supported IDS technology, how does your integrated solution fare when Snort has gone into self-preservation mode due to its memory cap being hit in its stateful inspection subsystems? How about in the same situation for the IP defragmentation subsystem? Does it dynamically reallocate the memcap based on the available free memory on the system or does it thrash? We had to get to *extremely* high loads in our test lab traffic generators (~1M concurrent sessions) on our gigabit product before we saw the degenerate thrashing situation Snort would descend into when the memory caps were hit. How are you guys handling that?
I'll be honest, I had a very hard time getting a Hogwash system to work at all. However, I will admit that I am irreparably biased by my BlackICE experience. So, when things don't look like BlackICE, I get itchy. I spent a good week or more trying to get the system running. When I did, I loaded up the segment (a fully switched 10/100 segment) to about 75% utilization and my unit was really struggling to keep up. My tests were hardly scientific or reliable since I was mostly just playing with the system. However, Guard systems I use have no problem handling fairly heavily loaded 100 Mbps segments. Gigabit Guard is possible using load balancers. You can run multiple Guards through a TopLayer IDS balancer and then achieve a true Gigabit Guard unit. So far there is no single Gigabit Guard solution.
> I say it's not 100% ready for prime time because it hasn't been deployed widely enough to have any sort of empirical evidence that it is and in my opinion as an *engineer* the case still has to be made. Once there are a few thousand NIPSes out there saving the bacon of large enterprises and that can be documented, I'll be a lot more impressed. When Sourcefire finally releases a solution it'll be the best technology that we can come up with (given all the usual constraints) and hopefully it'll be ready for prime time, but we'll need to see successful deployments of it before I'm going to convert to being an IPS advocate.
Well, if you need to see some successful IPS deployments, come out to Seattle or Portland and I would be happy to walk you through one of our Guard deployments (with the customer's approval of course) and show you how they're working. One of my Guard units has been on-line consistently since March of 2000 with only occasional reboots and software updates.

Okay - I know what you're thinking. "Oh, you're just a vendor of these things and you'll say anything to sell them." Sure, I want to sell them. I need to pay a mortgage just like everybody. However, unlike most resellers who just shove products at their customers and mindlessly bark marketing propaganda, my firm has always tried to sell stuff we KNEW worked. It's why I won't sell some unnamed technologies. I know they won't work and I know they are BS. (Besides, I sell, or at least try to sell, SourceFire!) Guards work, and I can prove it. Not with marketing BS, but real-world trials.

Lastly, I think it's great you are openly questioning these technologies. They deserve questioning and debate. It's a testament to Sourcefire and yourself that you can appreciate market desires but also strive to openly discuss their real value. If more security firms were more open about their ideas and theories for technologies, they might be able to forge better technologies overall and ultimately satisfy market desires more appropriately.

Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
www.anitian.com