IDS mailing list archives

Re: IDS evaluations procedures


From: Jason <security () brvenik com>
Date: Sun, 17 Jul 2005 15:14:09 -0400

Hi Nathan,

The open source Snort has been capable of, and often is, actively performing white listing for what seems like centuries when measured in Internet time.

This is known as the pass rule, the ability to create logical match or negation conditions within the rule itself, and flowbits, which allows for tests in prior traffic to be checked before analyzing current traffic. White listing is not an IPS only capability, nor is it fundamentally different from the capabilities available for a long time now in open source Snort. Snort is also capable of performing these functions inline and acting as an IPS for the low low cost of .... your time.

> I think you are missing the point - by blocking the traffic we need
> take no further action. If you allow invalid traffic into the network
> you still need to inspect it further to see if it is malicious too!
>
> I understand what you are saying about signature accuracy, but it
> just isn’t relevant. By reducing the number of packets that you
> inspect you can reduce the number of alerts – especially false
> positives.

It has been my personal observation that none of the IPS vendors do a spectacular job of IDP other than blocking *well known* threats that your firewall is ( or should be ) fully capable of blocking today. The IPS has offered little to no real value except to reduce potential load on your firewall and provide a false sense of security. Failing a capable firewall, your IDS could also be tuned up to white list traffic and eliminate the false positives as easily as your examples. Here are some questions to ponder.

- Does SQL traffic need to enter your perimeter from the Internet?

- Does any access need to be allowed to your web servers without the proper host headers?

- Do you need to let ../cmd.exe URLs pass your firewall?

- Are you not better served getting a good firewall instead of pretending IPS does something fundamentally different in a better way?

An IPS is useful for containment of known threats that are not mitigable using existing deployed technology. It will not prevent anything from happening to your network in short order and it certainly will not reduce the number of alerts you get. An IPS should be deployed inside the network protecting the assets you cannot otherwise protect as part of your defense-in-depth strategy. Where it is depicted in your diagram, in front of the firewall, leads me to believe you have little confidence in the firewall itself. I would be striving to rectify that fairly quickly. An IPS at the border might buy you a few minutes and even a few hours in the best case when an aggressive worm hits the wire.

>
> Summary: IPS (in-line) and IDS units with the same signature policy
> will have the same number of false positives per 1000 packets
> inspected. However, by pre-pending a blocking filter the IPS will
> have fewer packets to inspect and therefore create fewer false
> positive alerts.

How so? Does every blocked packet != an alert? Do you just discard things without logging them? Are they not considered violations? I thought pre-pending a blocking filter was what a firewall was for.

>
> Bottom line: I don’t care about the false positives that I never see!
>

...or the false negatives you have no hope of knowing about.

-J

--
Yup. I work for a vendor and I have IPS I can sell you too.
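An added illustration of the three Snort mechanisms Jason refers to (pass rules, in-rule negation, and flowbits), written in Snort 2 rule syntax for this archive page; it is not code from Jason's message. The addresses, SIDs, and the approved-scanner and FTP scenarios are constructed for the example, and the `$HOME_NET`, `$SQL_SERVERS`, `$HTTP_SERVERS` and `$HTTP_PORTS` variables are assumed to be defined in snort.conf.

```snort
# 1. Pass rule: traffic from an approved internal scanner is whitelisted before
#    any alert rule sees it. Snort of this era evaluates alert rules first by
#    default, so pass rules must be moved up with "config order: pass alert log"
#    in snort.conf (or the -o switch) for this to take effect.
pass tcp 192.0.2.10 any -> $HOME_NET any (msg:"WHITELIST approved vulnerability scanner (constructed)"; sid:1000001; rev:1;)

# 2. Negation inside the rule: alert on SQL Server connections that originate
#    anywhere *except* the internal database subnet. The "!" on the source
#    address is the negation; no separate filter is needed.
alert tcp !192.0.2.0/24 any -> $SQL_SERVERS 1433 (msg:"MSSQL connection from outside the DB subnet (constructed)"; flow:to_server,established; sid:1000002; rev:1;)

# 3. flowbits: a test on prior traffic gates a test on current traffic.
#    Rule 3a remembers, per flow, that the FTP server answered a login with
#    "230" (login successful) and raises no alert of its own. Rule 3b then
#    alerts only when a client tries to retrieve a file on a flow where no
#    successful login was ever seen, i.e. the bit is still unset.
alert tcp $HOME_NET 21 -> any any (msg:"FTP login accepted (state only, constructed)"; flow:to_client,established; content:"230 "; depth:4; flowbits:set,ftp.authed; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP RETR without prior successful login (constructed)"; flow:to_server,established; content:"RETR "; depth:5; flowbits:isnotset,ftp.authed; sid:1000004; rev:1;)
```

Rule ordering matters: pass rules only suppress alerts on traffic that reaches them first, which is why the config order note in rule 1 is part of the whitelist, not an afterthought.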
