IDS mailing list archives
Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 14 Oct 2005 22:17:16 -0500
On Thu, 2005-10-13 at 12:31 +0100, Tim Holman wrote:
Wouldn't you rather block bad traffic, rather than detect it?
Absolutely. That's why IDS interfacing with firewalls have merit.
Most companies are moving away from IDS as a protection mechanism, because: 1) It only detects, and doesn't effectively block intrusions
Many IDSes can do that, and could for years. It's just that the industry is promoting the "Intrusion Prevention Systems" much louder, and confuse people by presenting it to be holy savior of networks.
2) Problems with false positives, as by using pattern matching signatures, there is always a chance that these patterns also appear in valid traffic
Same problem applies to signature based IPSes. (Or do I detect a bias towards rate-based IPS?)
3) Management overheads. An IDS can only be a reasonably effective prevention method if there is someone on hand 24/7 to monitor logs and take immediate action on intrusions.
Sure. IDS and IPS are only tools, not the end-all-be-all solutions. Someone needs to operate these tools. MSSPs can certainly help out if companies can not muster the resource effort themselves.
4) There is absolutely no protection for rate-based attacks (SYN, TCP, UDP floods)
I'm starting to see a pattern now...
5) Without maintaining a L3/4 connection/state table, there is no way an IDS can be truly stateful.
Network and Transport layer states are so yesterday. You really need to keep state on at least the session layer. :)
I would recommend looking at IPS products instead, so something that you can postion inline and get immediate value from.
(Any particular vendor in mind?)
A true IPS will focus on defining what is GOOD traffic, and assuming all else is BAD (and dropping it). By doing this, zero-day attacks can be virtually be eliminated, as they all ultimately rely on abuse of a valid protocol in the hope of slipping past your protection mechanisms and onto your network.
And how about the the valid protocols that are abused to cause denial of service attacks?
Replacing like for like (IDS for IDS) is not going to give you much value, and even the market analysts are recommending against it. IDS isn't dead. Far off it, but use it for what it's good for - DETECTION and FORENSICS, and not as a device that can insure your network against rate-based and zero-day attacks.
Thank you. That paragraph I can agree with. And just a reminder, we came from a thread about spyware, not about rate-based DoS. For protection, I believe the good old firewall is *still* under utilized. How many networks do you know of that don't restrict outbound access for example? There are people that complain about P2P software, yet have "Internal->Internet-any-allow" type firewall policies. Why throw new products on the market when the existing products aren't used correctly yet? People need to realize that _Intrusion_Prevention_ is not a product, but a state of mind. It's something you do, not something you have/buy. This whole market is going crazy with the IPS term. The sad fact is that it clouds the expectancies and distracts from the real issues by offering solution to mitigate problems, not by offering solutions to eliminate problems. But I guess if that were the case, a whole market niche would solve itself out of existence.... </rant> -Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: IDS and Spywares, (continued)
- Re: IDS and Spywares Dhruv Soi (Oct 11)
- Re: IDS and Spywares Jay Archibald (Oct 12)
- Re: IDS and Spywares Tim Holman (Oct 14)
- RE: IDS and Spywares Andrew Plato (Oct 07)
- Re: IDS and Spywares Eric Grejda (Oct 11)
- RE: IDS and Spywares Desai, Deepen (Oct 11)
- Re: IDS and Spywares barcajax (Oct 11)
- Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jonathan Gauntt (Oct 12)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Tim Holman (Oct 14)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor byte_jump (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Frank Knobbe (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jason (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jason Haar (Oct 18)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Joel Esler (Oct 19)
- Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Teemu Schaabl (Oct 18)
- Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor Jonathan Gauntt (Oct 12)
- RE: IDS and Spywares vipul kumra (Oct 12)
- RE: IDS and Spywares Omar A. Herrera (Oct 13)
- RE: IDS and Spywares Matt Jonkman (Oct 14)
- RE: IDS and Spywares Omar A. Herrera (Oct 14)
- RE: IDS and Spywares Matt Jonkman (Oct 14)
- RE: IDS and Spywares Omar A. Herrera (Oct 14)
- RE: IDS and Spywares Omar A. Herrera (Oct 13)