IDS mailing list archives
Re: Changes in IDS Companies?
From: Aaron Turner <aturner () pobox com>
Date: Wed, 16 Oct 2002 19:56:37 -0700
On Wed, Oct 16, 2002 at 05:46:54PM -0400, Martin Roesch wrote:
Network intrusion prevention systems are also relatively untested and still first generation. The Hogwash wrapper for Snort (and the in-line mode being rolled into Snort) are both good technologies and intrusion prevention in general is a good idea, but the distance between "good idea" and a concept that's ready for larger market acceptance is a pretty wide gap.
I disagree. The technology really isn't first-gen. NIDS detect attacks and firewalls drop packets. NIPS is just a firewall which drops packets based on their threat level rather than just IP address/port. While it's a different concept and the actual implimentations are 1st gen, the technology behind both are reasonably developed. Market acceptance however is an issue (though IMHO for a very different reason which I'll explain later).
One of the things that's been bothering me about the rush to build and deploy Network Intrusion Prevention Systems (NIPS) lately is the complete lack of discussion about the downsides of such technologies. My consternation falls into a couple categories that deal with the failure modes of NIPS and the political issues associated with deploying this kind of technology.
<snip> A lot of the problems you're talking about right now are the same problems that firewalls have faced in the past. What if the firewall get's DoS'd? What if it crashes? Does it fail open or close? Nothing new here. Agreed, there are issues with NIPS technology if it's deployed in a way that doesn't maintain the network availablity, but they're not issues that haven't been solved for already.
anomaly detection (and several other tricks). The problem is that *no* technology is capable of picking up every possible attack, a mix of technologies is often the best way to go to provide effective coverage of the security picture on a given network. With this in mind, the basic question becomes "how do we know if our NIPS misses an attack?" If the NIPS misses an attack, we better have a pretty good NIDS/HIDS in place to let us know what happened.
This "basic question" is the same question everyone has of every NIDS/HIDS. If Hogwash uses the Snort engine, why would it fail to find an attack that Snort finds? And just like some companies deploy a variety of NIDS solutions for full coverage, they can do the same with NIPS. I would argue that by being inline, the chances of this happening are *far* less. When a NIPS drops packets because of a bug or it's overloaded, it's obvious, when a NIDS (or the switch's SPAN port) drops packets, it's a lot harder to tell. Of course, just as the more mature NIDS solutions (such as Snort) are incorporating a variety of detection solutions (sigs, protocol analysis, etc) so can too NIPS. Personally, I think that's the critical issue (more on this later).
How about failure modes of the technology itself? It's been shown repeatedly in tests that NIDS technology can be notoriously unstable in a number of scenarios, what happens if that instability is translated to an in-line device? We're either going to have a fail closed scenario (protected network is DoS'd) or a fail open scenario in which the protected network becomes unprotected, possibly for a protracted period of time. In the first scenario the failure mode will make itself apparent very rapidly, but in the second a NIDS/HIDS is going to be required to record and inform the security/admin staff about the problem as well as attacks during the lapse.
My take on it is that these issues will be handled the same way with NIPS as it was for firewalls (which also went through a period of instability). People will be using H/A & load-balancing solutions (either hardware or software) to provide the reliability necessary to meet their SLA's and performance to fend off attacks. Later on, things will move from software to hardware, to get added performance/reliability just like firewalls.
There's also the political battle of deploying another in-line technology in the network, etc. that will be fought anytime one of these is deployed, although I think that fight will happen in the enterprise and not in the mid-tier market.
I think this political battle is going away. Companies are realizing that a firewall isn't enough. NIDS are great, but they don't solve the basic problem of, "Now that I've been rooted now I've got to pull people from their current projects to rebuild the servers." Since NIPS takes a pro-active rather than reactive methodology, it solves for this problem like no other (at least current) solution can.
I'm an advocate of a layered solution. Firewalls, NIDS/HIDS, authentication, crypto, etc. all continue to have their places on the network. I think that host-based IPS will see quicker acceptance in the market than NIPS due to the lower "price of deployment/failure" associated with the host-based technologies, they're more like AV systems in their positioning as an end-host oriented security mechanism. I think that there will definitely be convergence of the
HIDS/HIPS is a *lot* more work to maintain then AV. Nobody tunes their AV solution, but people spend a lot of time tuning their *IDS solution, and frankly, most of the management tools so far suck. Compare Checkpoint's 3 tier management solution to the IDS solutions out there and you'll understand what I mean. And again, put a few load balancers around it (even use your existing firewall L/B's) or install something like StoneBeat and failure issue becomes moot.
firewall and the NIDS, but I think it's early to declare these systems as the next generation, the political battle will have to be fought and the operational limitations of the technologies will have to be found before the final place of IPS in the network security "ecosystem" will be known.
The political battle you mention IMHO is missplaced. The problem with NIPS and NIDS in general is accuracy. Since NIPS make policy decisions based on questionably accurate methodologies people aren't going to want to actually use the preventive measures available. Just think about the problems people would experiance if firewalls regularly accidently got port numbers or IP addresses wrong. Nobody is going to drop packets if they're not sure it's dropping the right packets. And if you're not going to drop packets, why have an NIPS? Of course some people deploy NIDS with detection accuracy levels that are nearly criminal, so what do I know? -- Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/aturner They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin pub 1024D/F86EDAE6 Sig: 3167 CCD6 6081 0FFC B749 9A8F 8707 9817 F86E DAE6 All emails by me are PGP signed; a lack of a signature indicates a forgery.
Attachment:
_bin
Description:
Current thread:
- Changes in IDS Companies? Samuel Cure (Oct 14)
- <Possible follow-ups>
- RE: Changes in IDS Companies? Avi Chesla (Oct 15)
- Re: Changes in IDS Companies? Martin Roesch (Oct 16)
- Re: Changes in IDS Companies? scottw (Oct 16)
- Re: Changes in IDS Companies? Aaron Turner (Oct 16)
- RE: Changes in IDS Companies? Rob Shein (Oct 23)
- Re: Changes in IDS Companies? Aaron Turner (Oct 23)
- Re: Changes in IDS Companies? Martin Roesch (Oct 16)
- RE: Changes in IDS Companies? J. Foobar (Oct 16)
- RE: Changes in IDS Companies? Karl Lynn (Oct 16)
- RE: Changes in IDS Companies? Chris Petersen (Oct 16)
- Re: Changes in IDS Companies? roy lo (Oct 16)
- RE: Changes in IDS Companies? Oliver Petruzel (Oct 17)
- RE: Changes in IDS Companies? Mike Shaw (Oct 18)
- Re: Changes in IDS Companies? Frank Knobbe (Oct 18)
- Re: Changes in IDS Companies? Raistlin (Oct 31)