IDS mailing list archives

RE: need your help about IPS and IDS, thanks


From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 22 Nov 2004 21:41:45 -0600

Your point is good; with an IPS you enforce that both the IPS and the destination
host see the same thing, while an IDS has to make a correct guess. There are
many things that an IDS needs to take into account here: network distance,
O.S. brand, O.S. version and even application brand/version in some cases
too, but there are other advantages with IDS that have been discussed
previously in this forum (I will just summarize some):

* They are much harder to identify on the network (especially if they are
completely passive), while IPS, just like firewalls, are relatively easy to
locate.
* They might be more useful for correlation in some cases: you might want to
keep track of failed access attempts, for example, whether it is an attacker
or a legitimate user. With an IPS you might think twice about activating a huge
number of these "activity tracking" signatures because performance can be an
issue since those devices are inline.
* With a passive IDS you can take the risk of activating an experimental
signature anytime without risk to performance, whereas with an IPS you might
hit performance at some point (rare, but it happens nevertheless).
* Attack spoofing by a knowledgeable attacker could make your IPS DoS
your network more easily under some circumstances. This is a weird property
of combining both positive (firewall) and negative logic (IDS capabilities)
security controls in a single active device.

I believe that even with this little drawback of traffic interpretation,
passive IDS are more useful for incident response teams because you have
less risk of performance impact and more flexibility to make fast changes.
But definitely, if you want preventive measures IPS/active IDS are more
useful.

I still can't fully accept that both firewall and IDS capabilities end
up in the same active box (the last point above is one of the reasons), but on
the other hand, we just can't have people looking at consoles 24x7 and
expect them to react in a timely manner to every legitimate attack they see :-).

I'm moving faster towards workstation/server local security anyway, to
compensate for deficiencies in both IPS/active IDS and passive IDS. Although
costly and time consuming, a good local, positive logic security control
such as a security shell on a workstation or server is much more effective
than network firewall/IPS/IDS alone (you usually have 1 or 2
firewalls/IPS/IDS for a great variety of servers and workstations, which
means that the individual security needs of each type of system are not
necessarily satisfied). The implementation of security shell capabilities in
personal firewalls is no coincidence (we have been demanding such protection for a
long time). They don't need to assume (they are in the system that requires
protection), and positive logic capabilities like filtering execution of
non-certified executables/processes/servers are really useful. Both IPS and
IDS use negative logic, which means they require updates, which means they
share common problems with similar controls like antivirus programs. We are
well aware of the problem with delays in signature updates, and even the best
support teams of IPS/IDS products are no match for the fastest viruses/worms
these days in terms of speed. Conclusion: although better than an IDS in
attack prevention terms, the protection provided by an IPS is more and more
limited with the new, near-0day and faster automated threats that show up on the
Internet these days. So, none of them is a magic bullet anyway (as if we
didn't know already :-) ).


Best regards,

Regards,
Omar Herrera

-----Original Message-----
From: Stuart Staniford [mailto:stuart () nevisnetworks com]

Lily, I think of IPS as IDS with the ability to take action.  Both IPS
and IDS have techniques for detecting malicious activity and most
commercial products use a combination:

I agree with everything Chris said.  There's just one point on the IPS/IDS
difference that I'd like to highlight because it often seems to get missed
in this particular recurring debate.  That's the issue of evasion
resistance.  An inline IPS has a much broader range of options open to it
because it can actually normalize the traffic.  Eg, if there are weird
overlapping retransmissions, the IPS can pick one and only allow that
through.  By contrast, an IDS that is not inline is forced to somehow deduce
(or guess) which one might have made it to the end-host and actually been
accepted (which tends to mean it needs a lot of information about the
end-hosts to really do a good job).
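Stuart's overlapping-retransmission point, worked through as an added Python sketch that is not part of the original thread: a target-based reassembler of the kind a passive IDS needs, with "first" and "last" as assumed stand-in overlap policies for differing host stacks, next to the normalizer an inline IPS can apply so that it and the end-host see one and the same stream. Segment contents are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int     # relative TCP sequence number of the segment's first byte
    data: bytes

def reassemble(segments, policy="first"):
    """Rebuild the stream the way a receiving host with the given overlap
    policy would. 'first': bytes already buffered win over a later
    overlapping segment; 'last': the newest segment overwrites them.
    Real stacks differ, which is exactly what a passive IDS must guess.
    Positions never received are filled with b'?'."""
    buf = {}
    for seg in segments:                      # arrival order matters
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    return bytes(buf.get(p, ord("?")) for p in range(max(buf) + 1))

def normalize(segments):
    """Inline normalizer: forward each stream position once (first seen
    wins) and drop bytes that retransmit an already-forwarded position.
    Returns (segments_to_forward, dropped_byte_count); afterwards every
    overlap policy yields the same stream, so IPS and host agree."""
    seen, out, dropped = set(), [], 0
    for seg in segments:
        start, run = None, bytearray()
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            if pos in seen:                   # overlapping byte: not forwarded
                dropped += 1
                if run:
                    out.append(Segment(start, bytes(run)))
                    start, run = None, bytearray()
                continue
            seen.add(pos)
            if start is None:
                start = pos
            run.append(b)
        if run:
            out.append(Segment(start, bytes(run)))
    return out, dropped

# Constructed sample: an original segment, then a "retransmission" that
# overlaps positions 6..10 with different bytes and adds two new ones.
SAMPLE = [Segment(0, b"HELLO WORLD"), Segment(6, b"there!!")]
```

A passive IDS running only one policy on SAMPLE reconstructs one of two different streams; after normalize() the forwarded segments reassemble identically under either policy.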


