IDS mailing list archives

RE: [Securityfocus-focus-ids] IDS/IPS Value


From: "Remko Lodder" <remko () elvandar org>
Date: Wed, 25 Feb 2004 23:58:08 +0100

Hi,

Read the text, made my opinion clear, correct me if I am wrong :)
Comments inline.

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene

mrtg.grunn.org Dutch mirror of MRTG

-----Original message-----
From: securityfocus-focus-ids-bounces () lists elvandar org
[mailto:securityfocus-focus-ids-bounces () lists elvandar org] On behalf of Chuck
Jenson
Sent: Tuesday 24 February 2004 21:05
To: focus-ids () securityfocus com
Subject: [Securityfocus-focus-ids] IDS/IPS Value


I don't know if this horse has been beaten to death yet so I will get out my
stick:

First of all, I work for NAI so I have to warn you I'm pro IPS.  Knowing
that:

I read all of these posts (Is IDS/IPS Worthless?) and either I'm missing the
point or have incredible insight, but it seems to me that the IDS is
strictly an information gathering tool for you to tune your firewalls (Host
or Network Based).

===> Untrue, http traffic is most of the time passed => you cannot tune your
     firewall for global http access. But you can see, hey, a perl execute
     attempt, damn it succeeded, let's upgrade our OS since it's nearly 2
     years old....


Using an airplane analogy this time, IDS is like the
black box on the plane, it didn't stop that crash, but it can help you keep
the next plane from crashing in the same manner.
==> You can see bogus traffic, and prevent the crash if you are on time....
    Since it can take a scan and some other predefined stuff before the
    launch .. you are able to react to it..

IPS is more like the stall sensor, it warns you at first, but then attempts
to take corrective action.

==> IF it's defined.

The problem lies in when the sensor thinks there is a stall when there
really isn't (False Positives).

From my experience at NAI (only since November mind you), my belief is that
IPS has to be an evolution of the IDS solutions, you can prevent what you
can't detect.

==> IDS/IPS both rely on signatures, so a hacker needs to write them (no
other persons, since they might not know systems in depth, perhaps even
crackers ..). IPS is another form of IDS in my opinion; IDS can take action
upon signatures, so does IPS.


Right now there is no single solution that fixes everything,
but you can put together a combination of HIPS, NIPS, AV and AntiSpam to
make your network tough on the inside and out.  It sure ain't plug n play
either!  I'm in the process of trying to create a course in IPS
methodologies and unless you have more money than Trump, you have to make
some serious decisions on what, when and where to protect.

With all that said, I would like to solicit your opinions on how to get the
best bang for the "buck" on IPS solutions.  I'm not looking for product
references, but things like why would you put a HIPS solution in one part of
the network instead of NIPS?  Or is AV & AS good enough in some places?
Would you use HIPS or NIPS to protect yourself from internal attackers?  Be
warned, if it's good, I will steal it, reference you and teach as many
people as I can about it<Grin>.

==> :)

Cheers.

Thanks!
Chuck Jenson, MCSE, CCNA, CISSP and all that other Cr*p
Views are my own and not necessarily those of my company
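The thread's two technical points, that IDS and IPS run the same signatures and differ only in whether a match is logged or dropped, and that a false positive therefore costs nothing in detect mode but drops legitimate traffic in prevent mode, can be shown with a small signature engine. The code below is an added illustration written for this archive page, not code from either poster; the signatures, the request lines and the two source addresses are constructed sample data, and the "perl execute attempt" signature is a hypothetical pattern chosen to echo the example in the reply.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# A "packet" here is just a source address and an HTTP request line
# (constructed sample data, not real captured traffic).
@dataclass(frozen=True)
class Request:
    src: str
    line: str
    benign: bool  # ground truth for the demo, so we can count collateral drops

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern

@dataclass(frozen=True)
class Event:
    src: str
    signature: str
    action: str  # "alert" in detect-only mode, "block" in prevent mode
    line: str

# Hypothetical content signatures; the first one stands in for the
# "perl execute attempt" the reply mentions.
SIGNATURES = [
    Signature("perl-exec-attempt", re.compile(r"/perl\.exe\b", re.I)),
    Signature("dir-traversal", re.compile(r"\.\./")),
]

# Constructed traffic: one host probing the web server, one ordinary client
# whose documentation request happens to contain the string "perl.exe".
SAMPLE_TRAFFIC = [
    Request("10.0.0.7", "GET /index.html HTTP/1.0", benign=True),
    Request("10.0.0.7", "GET /cgi-bin/perl.exe?-v HTTP/1.0", benign=False),
    Request("10.0.0.7", "GET /scripts/../../winnt/ HTTP/1.0", benign=False),
    Request("192.168.1.20", "GET /docs/perl.exe-faq.html HTTP/1.0", benign=True),
    Request("192.168.1.20", "GET /docs/index.html HTTP/1.0", benign=True),
]

def matching_signatures(req, sigs):
    """Names of every signature whose pattern occurs in the request line."""
    return [s.name for s in sigs if s.pattern.search(req.line)]

def run_engine(traffic, sigs, mode):
    """Run the same signature set in "ids" (alert, forward everything) or
    "ips" (alert and drop the matching request) mode.
    Returns (forwarded requests, events)."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    forwarded, events = [], []
    for req in traffic:
        hits = matching_signatures(req, sigs)
        blocked = bool(hits) and mode == "ips"
        for name in hits:
            events.append(Event(req.src, name, "block" if blocked else "alert", req.line))
        if not blocked:
            forwarded.append(req)
    return forwarded, events

def collateral_drops(traffic, forwarded):
    """Benign requests that never reached the server: the cost of a false
    positive once the sensor is allowed to 'take corrective action'."""
    return [r for r in traffic if r.benign and r not in forwarded]

def probing_sources(events, min_distinct_signatures=2):
    """Sources that tripped several different signatures, i.e. the 'scan and
    other predefined stuff before the launch' a defender can react to early."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.src].add(ev.signature)
    return sorted(src for src, sigs in seen.items() if len(sigs) >= min_distinct_signatures)

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, evs = run_engine(SAMPLE_TRAFFIC, SIGNATURES, mode)
        print(f"{mode}: forwarded={len(fwd)} events={len(evs)} "
              f"benign dropped={len(collateral_drops(SAMPLE_TRAFFIC, fwd))} "
              f"probing={probing_sources(evs)}")
```

Both modes produce the same three events from the same two signatures; the only difference is that in "ips" mode the benign documentation request is dropped along with the two hostile ones, which is the false-positive trade-off the original post raises with the stall-sensor analogy.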



_______________________________________________
Securityfocus-focus-ids mailing list
Securityfocus-focus-ids () lists elvandar org
http://lists.elvandar.org/mailman/listinfo/securityfocus-focus-ids
