IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IPS, alternative solutions

From: Jason <security () brvenik com>
Date: Fri, 17 Sep 2004 12:34:34 -0400
The statement "The ROI here is obvious when a worm hits before you can complete the patch installation" is provably false.
I understand the position that an IPS can buy you some time. I question the amount of time it buys and the measurable value provided. It has been my experience that the IPS fails to adequately protect the network even if it can cover _all_ of the internal route points. If you can deploy at all route points it still only limits the damage to the local segment in the case of a compromise, provided it is actually configured to block that traffic. This is where the "worm" case completely breaks down and the ROI is provably false.
Delaying a patch several months with or without an IPS is at best making a bet with the devil. A single compromised laptop becomes an entry point to the network thus completely bypassing the IPS. This means that any failure of access control results in the network being fully infected in minutes.
I have several examples of very security conscious organizations being bitten by this single failure, in one case several weeks after the initial worm release. The interesting thing is that the existing firewall successfully kept the worm out of the network for two weeks and the internal firewalls sheltered some servers where possible when the laptop entered however they still had a large infestation of systems to cope with.
This is why I am looking for an ROI model that shows how the IPS can adequately protect against the threat while showing value over applying the same money to accelerate testing and application of patches or mitigating the threat on the node itself.
I see where a case could be made that a host based product can provide some shelter but I fail to see how a network based product could. Practical observation shows us that the software based solutions, available for years, have failed to achieve the goal while having much higher saturation rates. They have also become threats themselves due to vulnerabilities and the regression issues they introduce. This ultimately slows down proper patching and mitigation further which is a net negative effect.
I have even heard of companies disabling SP2 firewall capabilities so that they can scan the hosts for vulnerabilities. This is flying in the face of best practice, with the firewall enabled they have no network exposure and thus no vulnerabilities exposed to the scanner. We end up back to the asset management and patching methodology as the only sustainable solution. 


Palmer, Paul (ISSAtlanta) wrote:

Jason,

The ROI in a medium+ organization does not come from using IPS as a
patch replacement system. The IPS lets the organization schedule the
patches at its convenience instead of the de facto schedule implied by
the release of the patch. That is, without something like an IPS in
place, the organization needs to apply patches as quickly as possible to
maintain their security posture. This is problematic for many reasons.
However, there are two common, major ones. First, it can take months
(even longer) to deploy a patch to all levels of an organization. During
this time the organization remains vulnerable. Second, it is difficult
to manage multiple overlapping patch and/or frequent patch processes.

The IPS allows them to delay patch installation until it is convenient
and this is where the ROI materializes. The IPS protects the
organization until it can deploy the patch everywhere. The ROI here is
obvious when a worm hits before you can complete the patch installation.

It turns out that the cost to install a dozen patches at once (even from
multiple vendors) is not much more than the cost to install one critical
patch. So an organization that can defer all patch installation to the
beginning of each quarter for example can reap huge dividends over the
cost of rolling out each patch individually. They only need to test one
set of changes prior to applying them (instead of several per quarter).
In addition, the number of different configurations present in the
organization at any moment is reduced, thereby lowering support costs.

Paul

-----Original Message-----
From: Jason [mailto:security () brvenik com] Sent: Wednesday, September 15, 2004 3:47 PM 
To: Scott Wimer
Cc: Daniel; focus-ids () securityfocus com
Subject: Re: IPS, alternative solutions
I've heard of no medium+ sized business that is considering deploying inline technology on the internals of the network in a sufficiently pervasive manner that there would be any measurable benefit from the technology over patching and asset management. 

I would be seriously interested in an ROI that can demonstrate savings.
The simple question is how is inline packet scrubbing easier and more cost effective than patching? 

Scott Wimer wrote:



Daniel,
I agree with your assessment. What I have encountered in the financial sector though is a desire to have the packets "scrubbed" before they reach the servers. People _want_ to deploy network based IPS tools because it is easier and more cost effective. That it doesn't seem to be possible yet is another story altogether. 

Regards, Scott Wimer

On Tue, 2004-09-14 at 06:01, Daniel wrote:
So far there has been a load of talk discussing which is the better technology. Personally i dont think IPS is ready for the big time. Yeah its great for small mum and dad networks, but for large financial networks with billions of pounds flowing across them, would
you trust a technology to think and block what it seems as bad traffic? 

So what are the alternatives? I'd say more host based protection such




as:

- Stack protection - Application level firewalls
(ModSecurity/SecureIIS) - Host based firewalls
I'm interested to see what everyone else feels are alternatives to IPS 


---------------------------------------------------------------------
-----
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.



------------------------------------------------------------------------
--


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
------------------------------------------------------------------------
--





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: