IDS mailing list archives
Re: IDS vs. IPS deployment feedback
From: "Will Metcalf" <william.metcalf () gmail com>
Date: Mon, 3 Apr 2006 23:22:01 -0500
First let me preface my in line responses by saying that I develop an open source IPS. Regards, Will
> 1. Immature Technology
> IPS is far from immature. The first in-line IPS was BlackICE Guard. I installed one of the first in late 1999. And all of the decent IPSs on the market have roots in IDS, which is many years older. IPS is at least 7 years old and at best 10 or more. In technology terms, that's mature. Consider anti-spam technologies. They basically did not exist in 1999. Now, everybody has some kind of spam control. Is anti-spam a mature technology?
In comparison to IDS, IPS is an immature technology! Not only that, but you have to deal with many things on an IPS that you do not have to worry about on an IDS. For heaven's sake, there are still commercial IPS vendors out there (one of your business partners, in fact) that drop all out-of-sequence packets... Are you kidding me?!? Don't these people understand how the Internet works? What ends up happening is that marketing folks for companies pitch IPS as a silver bullet, an end-all-be-all security solution, which is far from the truth. Please stop! In the end you are only going to hurt the reputation of your company and the reputation of what could be a great complementary security technology in an overall security strategy. All of this because the industry will have lost faith in the technology due to your empty promises and marketing BS.
> 2. False Positives
> This is ultimately an issue of tuning. If you think you're going to drop an IPS inline, slap some rules on it, and never touch it again - you shouldn't be getting an IPS. A well tuned IPS can be pretty lean on false positives. And frankly, what is worse - a few POSSIBLE disruptions due to false positives, or getting hacked and 0wn3d and losing your business? Moreover, IPS can dramatically reduce the number of events that require incident response. With an IPS, when you see a really nasty alert, you can take note and move along, because you know the IPS blocked it. This allows you the freedom to analyze more subtle attacks or problems.
That is the completely wrong approach to take regarding a security incident. What is your IPS not seeing? What happened before the event? What happened afterwards? I agree with Richard Bejtlich on the idea that prevention will eventually fail. This is why you must always analyze IDS/IPS alert data alongside host logs, session, and full content data.
> Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse. If you consider that almost every switch and router on the market has plenty of DOS weaknesses, then an IPS really isn't much different. The DOS fears also stem from the idea that somebody could feed your IPS internal addresses and hence block normal traffic. Even with the most rudimentary router ACLs you can ensure this never happens.
Yeah, but your network isn't going to stop working if a NIC goes bad in your IDS sensor. Yeah, yeah, bypass switches, NICs... But what is worse? The fact that your CEO can't send e-mail, or the fact that your web server just got owned due to an IIS exploit that your IPS was protecting against?
> 3. Firewalls
> Firewalls are not IPSs. All the firewall vendors, especially the big ones, are clamoring all over themselves to repaint themselves as "security appliances." Even application firewalls, of which there are few, rarely are good at true IPS functions. The fact is, firewalls are good at one thing - access control. Detailed protocol analysis and filtering is not what most firewalls were built to do. And any firewall that has added this feature has done so merely to be competitive in the market. I cannot think of any firewalls that were built from the ground up to be both a good firewall and a good IPS. Firewalls should be left to do what firewalls do best - access control. Leave the packet inspection to a dedicated system.
Yeah, ummm, an IPS is nothing more than a layer 7 "application layer" firewall.
> IDS Dead?
> IDS may not be dead, but its value is diminishing. While there is a place for IDS in some environments, I fail to see why anybody would get a passive defense when active defenses can be deployed to function in a passive manner. An active system that is deployed passively at least gives you the option to switch to active mode later.
Really, what kind of visibility do you have on your IPS device located at key choke points throughout your network? And how much visibility do you have on your IDS device? IDS and IPS systems are complementary security technologies; in my opinion, you should never replace one with the other.
> Moreover, the value of an IDS diminishes even more if you lack in-house analytical capabilities. The unexamined IDS is not worth having, to paraphrase good old Socrates.
If you don't have the in-house analytical capabilities, you shouldn't have an IPS either. The unexamined IPS is a far worse scenario, because the industry is selling people a false sense of security. "I drank what?" to paraphrase good old Socrates.....
> These are, of course, my opinions. And naturally, I have a vested interest in people buying more IPSs - because I sell them.
>
> _____________________________________
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> ANITIAN ENTERPRISE SECURITY
> Your Expert Partner for Security & Networking
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
> GPG public key available at: http://www.anitian.com/corp/keys.htm
>
> -----Original Message-----
> From: watsont [mailto:thomas.watson.b () bayer com]
> Sent: Thursday, March 16, 2006 11:56 AM
> To: focus-ids () securityfocus com
> Subject: IDS vs. IPS deployment feedback

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------