IDS mailing list archives

Re: amount of alarms generated by IDS


From: Jason <security () brvenik com>
Date: Tue, 11 May 2004 18:12:56 -0400

I have to agree with Rob and I must debate the classification of inline IPS as simply an IDS with the ability to drop malicious looking packets.

The comparison is more appropriately made as a firewall with the ability to inspect traffic in the context of good or bad in addition to allowed or disallowed.

Many Inline devices are nothing more than slimmed down proxy based firewalls of days past marketed differently. The feature set is not even that different. They understand a set number of protocols, can do inspection and normalization of those protocols and allow or disallow based on a match within the protocol. Some of the inline devices have had network grep capabilities bolted on to facilitate matching of single packet attacks and the like. This is arguably less effective than using a proxy based firewall to handle valid application interactions and blocking all non valid communication.

This functionality is different than what an IDS does and is intended to do. An IPS cannot be critical of the traffic with an eye to security, it cannot be deployed in places where inline is not possible, it cannot monitor local segments... This lack of a critical eye is because of the many issues related to context and confidence of the data being passed and is a difficult problem to solve without complete and intimate understanding of all of the protocols, hosts, and networks involved. This results in a mildly useful number of attacks that are actually blocked because the risk of blocking a non attack is high. An IDS OTOH can inspect the traffic critically with an eye to security and not be concerned with killing good traffic and thus can audit what the IPS and firewall have to let through.

Let's flash back a few years: Code Red just hit, wiped out a lot of servers, many people had a firewall that was capable of preventing this attack but could not configure it to do so in a timely manner. This is the same as an IPS today, short of nuisance control and containment of segmented networks it has little value over the same resources applied to reducing overall risk. Every place you would deploy an IPS is a perfect place for a good firewall. $ for $ yen for yen proactive security and patch management will get much more bang for the buck.

I am looking for examples of any case where an inline IPS blocked an attack that would not have been blocked or mitigated otherwise by a good firewall and patching or mitigating a known vulnerability.


Rob Shein wrote:

Simple.  An inline IDS is one that sits inline, and thus doesn't have to listen promiscuously.  There are a few situations where you might want this. The reason why there are two separate terms..."inline IDS" and "IPS"...is because they are two separate things.


-----Original Message-----
From: Ravishankar Ithal [mailto:ravi_ithal () yahoo com]
Sent: Tuesday, May 11, 2004 1:14 PM
To: Rob Shein; 'Bhargav Bhikkaji'; focus-ids () securityfocus com
Subject: RE: amount of alarms generated by IDS



--- Rob Shein <shoten () starpower net> wrote:

I'm a bit confused here. You're talking about inline IDS and IPS. Are you using the terms interchangeably? If so, you're mistaken; putting an IDS inline does not make it an IPS. And an IDS inline shouldn't be dropping packets.

If an IDS doesn't have the ability to drop packets, why would you call it "inline"? Note that sitting in the packet path or as an offline box doesn't make any difference in the amount and kind of traffic that the box can actually see, what with spanning on switches. I _am_ using the two terms interchangeably, simply because IPSs of today are nothing but IDSs of yesterday with an ability to drop malicious looking packets.


I could see how the signatures could be tuned differently due to the fact that it is able to ensure that it sees everything, and that could generate fewer FPs, but aside from that I doubt there would be any difference. Keep in mind that an inline IDS does not (normally) do anything to bad traffic, while an IPS takes an active role in munging/blocking/denying such.
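An added illustration of the trade-off Jason argues in his reply above (example code written for this page, not from anyone in the thread): a toy model in which every signature carries a confidence score, the passive IDS alerts on any match above a low bar, and the inline IPS drops only matches above a high bar, because dropping legitimate traffic costs real service. The signatures, thresholds, addresses and sample events are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    confidence: float  # constructed estimate of how often a match is a real attack

@dataclass(frozen=True)
class Event:
    src: str
    matched: tuple    # names of signatures that fired on this flow
    is_attack: bool   # ground truth, known only in this toy model

# Constructed signatures: one tight exploit match, two loose "looks odd" rules.
SIGS = {
    "iis-unicode-traversal": Signature("iis-unicode-traversal", 0.98),
    "ftp-root-login": Signature("ftp-root-login", 0.70),
    "long-http-request": Signature("long-http-request", 0.40),
}

# Constructed sample traffic (addresses are placeholders).
EVENTS = [
    Event("10.0.0.5", ("iis-unicode-traversal",), True),
    Event("10.0.0.9", ("long-http-request",), False),   # legitimate large upload
    Event("10.0.0.12", ("long-http-request",), True),   # overflow attempt
    Event("10.0.0.7", ("ftp-root-login",), False),      # admin ignoring policy
    Event("10.0.0.3", (), False),
]

def decide(events, sigs, alert_at=0.30, drop_at=0.95):
    """Return (alerted, dropped, wrongly_dropped) as sets of source addresses.
    The passive IDS alerts at the low bar; the inline IPS drops at the high bar."""
    alerted, dropped, wrongly_dropped = set(), set(), set()
    for ev in events:
        best = max((sigs[n].confidence for n in ev.matched), default=0.0)
        if best >= alert_at:
            alerted.add(ev.src)
        if best >= drop_at:
            dropped.add(ev.src)
            if not ev.is_attack:
                wrongly_dropped.add(ev.src)
    return alerted, dropped, wrongly_dropped

if __name__ == "__main__":
    # Lowering the drop bar to the alert bar blocks everything the IDS flags, but also kills good traffic.
    for drop_at in (0.95, 0.30):
        a, d, w = decide(EVENTS, SIGS, drop_at=drop_at)
        print(f"drop_at={drop_at}: alerted={len(a)} dropped={len(d)} "
              f"legitimate flows dropped={len(w)}")
```

With the high drop bar the IPS blocks one flow and the IDS still flags four for an analyst to audit; lowering the bar to the alert threshold blocks all four, two of them legitimate.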




