IDS mailing list archives
Re: IDS\IPS that can handle one Gig
From: Vikram Phatak <vphatak () lucidsecurity com>
Date: Sun, 05 Jun 2005 03:39:59 -0400
Disclaimer: I work for a security vendor that has integrated VM & IPS into a single security appliance.
Hi Peter & Andrew,It is surprisingly hard to discuss these type of ideas without sounding like an advertisement, but I will try.
I think the question of balance between VM vs. IPS is a good one. However, it assumes that a choice needs to be made between one technology and another, and I don't think that is necessarily the case... A third alternative is integrating the two technologies to solve shortcomings in both.
The biggest knock I've heard about VM is that it doesn't actually "protect" anything since it is not patching vulnerablities. Yes a VM solution provides greater visibility and more information to make intelligent decisions on, but it protects indirectly, not directly. IPS on the other hand protects directly, but has the reputation of requiring a great deal of care and feeding as noted by Andrew. In addition, most companies are reluctant to place IPS solutions inline as they fear interruption of legitimate business traffic. A recent survey I read stated that less than 50% of IPS solutions are actually placed inline! The root cause of these fears re: IPSes are related to the administrator's lack of visibility within the network so that the correct choices can be made in when tuning an IPS product.
We have found that integrating VM & IPS together can solve many of the pain points associated with IPS and brings VM into the fold as part of a "direct" protection solution: Specifically it can help prevent an IPS from stopping legitimate traffic, provide visibility within the network for the administrator, and make maintaining IPS more efficient. The idea is pretty straight forward. A VM/IPS identifies the assets on the network through some discovery process. It then profiles the assets being protected in order to gather the necessary information, so that it can determine which rules should be applied to any given asset. Obviously, there is a lot that goes into the identification, profiling and correlation, but that is another discussion. In this scenario, the VM is serving as a feedback mechanism which provides decision making information to the IPS. Without this feedback mechanism, an IPS is blind and requires a lot of care and feeding.
The bottom line is that a system that integrates VM & IPS together is much more scalable and reliable than a traditional IPS solution that does not since IPSes require continual, ongoing tuning because networks are continually changing either from within, or due to outside influences such as vulnerabilities. Why is a VM/IPS solution more scalable? Because the VM/IPS is smart enough to handle the time consuming rote tasks of information gathering and tuning for the administrator. Why is a VM/IPS solution more reliable? Because it can help prevent false +s and prevent the interruption of legitimate traffic due to lack of tuning. Also, information is less accurate the further you are from the original source. This applies not only to "where did you get your information from?", but also "when did you get it?". As such, a VM/IPS that frequently gathers information from the original source is going to have more accurate information than an administrator that has to hunt down the required data.
So what I am saying is that an VM/IPS (VPS?) knows when a system comes online, or a new vulnerability is discovered and can keep pace with changes made within the network. Now, the administrator's role is one of managing the process of remediation based upon information provided by the VM and reviewing/validating/adjusting action taken by the IPS. I know that was a long winded response. As I said above, it is surprisingly hard to discuss these type of ideas without sounding like an advertisement! Hopefully I wasn't too ad-like.
All the best, -Vik -- Vikram Phatak CTO, Lucid Security http://www.lucidsecurity.com Peter Schawacker wrote:
Hiya Andrew, I always enjoy reading your posts. Thanks for replying to mine. I've answered some of your comments inline below. I would be remiss if I were not to warn readers that (here comes the "full-disclosure" statement...) I used to pimp IPS and VM for a certain company and that I now pimp VM, SIM and related technologies for a different one. This is a really important conversation, the IPS/VM balance problem. Let's keep it going. Having worked with both, I for one would like to get morethoughts about the relationship between IPS and VM out on the table.Cheers, P -----Original Message-----From: Andrew Plato [mailto:andrew.plato () anitian com] Sent: Wednesday, June 01, 2005 9:12 AMTo: ps () tenablesecurity com; focus-ids () securityfocus com Subject: RE: IDS\IPS that can handle one Gigfavor,Another option, and one that many organizations are beginning tois to forget the current, "fashionable" notions of IPS and return to basics -- to focus more closely on vunerability and information management. I believe that if you have a comprehensive, continuous and meaningful flow of information about the environment and an effective vulnerability remediation program, the need for IPS appliances and agents (band-aids) can be reduced dramatically.I hear this every now and then from security people, and I think this isan attitude borne out of lack of experience with IPS.PES>> Actually, it is an attitude borne out of entirely too much experience with IPS. (I won't go into detail on my experience, but you can google for me if you'd like.) I have yet to see an environment (and I am a consultant so I see hundreds per year) where there is an effective patch and vulnerability management that can keep pace with the exploits in the wild. Quite simply, it is impossible to think you can keep a large enterprise continuously patched and therefore resistant to the latestvulnerabilities.PES>> I have seen a few environments that have deployed patch and configuration management systems that are effective. I can't mention any by name, but they're amongst the top 100 of the Fortune500. Granted, they are the exception. On average, it can take 20 to 30 days for an organization to roll out a single Microsoft Windows patch. That includes testing, troubleshooting, and deployment. In 30 days, your environment could be crawling with all sorts of filth thanks to unpatched machines. PES>> Yes, on _average_ companies struggle mightily with patch roll-outs. But not all companies take 20-30 days. My point is that patch management can be done. Frankly, most IPS roll-outs fail also and for much the same reasons as patch/config management. IPS rules require testing, although folks tend not to do bother, just as most don't bother testing patches and other changes. Let's also bear in mind that most shops don't test patches before deployment -- at least in any sort of formal way. PES>> The point of my last post, just to refine it a bit, is that the better your Vulnerability Management (including patch and configuration management) the less you need IPS. I suppose the converse is also true. I would qualify my point by saying that VM and IPS are far from perfect, which is why we ("we" being InfoSec practitioners) are constantly faced with weighingtrade-offs between them.Furthermore, if you look at the timeline of when an vulnerability is "discovered", then when an exploit hits the streets - that time can be days, even hours. In that case, its still weeks before MS or anybody releases a patch, and then even more time before you could patch all your machines. In this case, even under reasonable, well controlled situation most organizations are three to six weeks out from patching systems when an exploit is released. That is a ridiculously long periodof time. A period where that environment could become infested.PES>> Yep, the zero-day threat is real, but it's not the whole problem. NIPS is but one arrow in the quiver and it has its own virtues and defects. Furthermore, a "comprehensive, continuous and meaningful flow of information about the environment" means eyeballs. Somebody needs to be watching that meaningful flow of information. And while highly trained security engineers are an important part of a security team - they won't work 24 hours day. People are the most important part of informationsecurity, but technology works longer hours.PES>> Indeed, most security information management and VM systems are useless and expensive -- but not all... (I'll spare you the commercial.) People also make mistakes and miss things. Its insane to think a security admin or a network admin has the time or concentration to sift through mountains of data everyday. Nobody will do that job for long -or do it well.PES>> I couldn't agree more. Fortunately, there are ways to automate the sifting process. Now, with a good IPS deployment, I can load up a signature update (hopefully released BEFORE the exploit hit the streets), and now my entire network is secure from the new exploit. I go home and rest easy. If I have host-IPS I can update all my workstations too. Now, my patch management team has time to roll-out patches in a more controlled and logical manner. They are not dashing around at 4AM trying to put outfires.PES>> Agreed. We're talking about a healthy, well-balanced IPS/VM lifestyle. IPS gives people control over their environment. And well-run IT departments have control over their equipment. They're not constantlyflailing around or giving themselves impossible tasks.PES>> I think you're overselling IPS here, but I've sold IPS too, so I get where you're coming from. The gist of what you're saying is largely true. That much said, I agree that IPS is sometimes given unrealistic expectations. For this, I point the finger squarely at the legions of Blackberry pecking vendor reps and cell phone yacking volume resellers who say things like "If you're not using <insert technology here>, you're not secure!" (that's an actual line, from an actual ad I saw). These people could care less about security, they just want to sell something. So, they'll tell you anything you want to hear about an IPS. And they rely on the ignorance of IT departments to fall for marketingBS.However, when you peel away the sales people, I sincerely do not think IPS is some "fashionable notion." It's a serious and effective way toproactively defend a network. I've have seen the benefits.PES>> Don't cast aspersions on "fashionable notions"! :-) Just because an idea is overblown doesn't mean it's entirely bad. These days it's just not possible to sell any nascent technology, no matter how good it is, without declaring it a panacea. It's just the nature of the InfoSec Marketing Beast to which we are all in some way victims. ... ___________________________________ Andrew Plato, CISSP President/Principal Consultant ANITIAN ENTERPRISE SECURITY 3800 SW Cedar Hills Blvd, Suite 280 Beaverton, OR 97005 503-644-5656 Office 503-214-8069 Fax 503-201-0821 Mobile www.anitian.com ___________________________________ GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633DGPG public key available at: http://www.anitian.com/corp/keys.htm-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.--------------------------------------------------------------------------
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- RE: IDS\IPS that can handle one Gig Andrew Plato (Jun 01)
- RE: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- Re: IDS\IPS that can handle one Gig Vikram Phatak (Jun 06)
- Re: IDS\IPS that can handle one Gig Frank Knobbe (Jun 07)
- Re: IDS\IPS that can handle one Gig Control Zed (Jun 07)
- Re: IDS\IPS that can handle one Gig Frank Knobbe (Jun 08)
- Re: IDS\IPS that can handle one Gig Terry Vernon (Jun 08)
- Re: IDS\IPS that can handle one Gig Vikram Phatak (Jun 06)
- RE: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- <Possible follow-ups>
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 01)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 05)
- Re: IDS\IPS that can handle one Gig Per Engelbrecht (Jun 01)