Re: IDS vs. IPS deployment feedback

["Aaron" <snort () microchp org>]

To add to (or take away) from this thread, I would further 
mention that IDS/IPS regardless of make or implimentation, 
will only see the past, not the future.  I personally do 
not care what people use to detect, even though I have 
been able to get snort to match performance of commercial 
products.  Some exploits are too late to stop by the time 
your devices see them.

My focus has always been instead to see into the future, 
such as running continuous network and host based audits 
and staying on top of the latest 0 day exploits, latest 
patches and so on.  It is not fullproof, but reduces the 
probability that a malicious packet will do its job. :)

I only consider IDS/IPS to be documenting devices so that 
I may later have evidence, in the rare and highly 
improbable circumstance that someone is actually caught. 
The people we should be concerned with will not show up 
in an IDS however.

--Aarön



On Fri, 7 Apr 2006 08:54:49 -0700
 "Andrew Plato" <andrew.plato () anitian com> wrote:
> Number of rules does not equal quality of IDS/IPS 
> technology. 
>
> Or in other words, just because a IDS/IPS has a zillion 
> rules doesn't
> mean those rules are any good. Or that implementing or 
> using that
> technology is good. 
>
> Your 500 number is wrong. When you get into the leading 
> commercial IPSs
> (TippingPoint, ISS, Juniper, McAfee) these products on 
> average have
> 2000-3000 signatures. However, in some technologies, one 
> signature
> handles an entire class of vulnerabilities. Where Snort 
> needs multiple
> signatures for the same vulnerability, ISS can protect 
> against the
> vulnerability with 1 signature. TP is the same. I don't 
> know Juniper and
> McAfee as well, but I suspect they are similar. 
>
> Snort also has a lot of unique signatures that people 
> have designed for
> highly specialized purposes. That is definitely a 
> benefit to some
> organizations. But, those signatures are only useful in 
> those unique
> situations. And all the commercial products support 
> custom signatures -
> so you can do the same thing for your TP or ISS box. 
>
> Furthermore, Snort rules are developed by volunteers (or 
> Sourcefire). As
> such, SNORT is usually behind the curve on new 
> signatures. ISS, for
> example, does their own independent security research an 
> has signatures
> to protect against things that Snort people don't even 
> know about. Other
> vendors buy exploits from the hacker market - again 
> giving them access
> to vulnerabilities long before it hits the public and 
> subsequently the
> people who develop SNORT signatures. 
>
> The 90% thing you're coming up with is just false. 
> You're assuming that
> all those signatures represent a serious attack. And 
> you're also
> assuming that quantity of signatures is the measure of 
> effectiveness. 
>
> A poorly maintained, tuned or implemented Snort sensor 
> is just as
> useless as a poorly maintained, tuned, or implemented 
> ISS sensor. 
>
> Now, I realize I sound like a ISS or TippingPoint sales 
> person. And yes,
> I have a vested interest in such products because my 
> company sells them.
> But, I also know that I've seen more than a few 
> organizations throw away
> Snort-based protections because the administration and 
> management of
> them was too resource intensive. And merely having 5000 
> signatures
> available does not translate to effective security. 
>
> -----------------------------------------------
> Andrew Plato, CISSP, CISM
> President/Principal Consultant
> Anitian Enterprise Security
>
> -----------------------------------------------
>
>
>
>
> -----Original Message-----
> From: Basgen, Brian [mailto:bbasgen () pima edu] 
> Sent: Thursday, April 06, 2006 10:44 AM
> To: focus-ids () securityfocus com
> Subject: RE: IDS vs. IPS deployment feedback
>
>
> I'm new to the list, but this flame war is a bit odd. 
> This is an IDS
> list, yet the usefulness of IDS is being dismissed?
>
> This debate could generate some interesting data. In 
> snort, for
> example, there are around 5,759 rules (3/31/2006, 
> non-subscription rule
> base). I don't have the metrics on hand of how many 
> rules commercial
> IPS's deploy on by default (and how many total can be 
> turned on), but
> I'd guess it is around 500. I'd be interested to know 
> those numbers, if
> someone has them. A vendor comparison of rules could 
> also be
> interesting. 
>
> What I draw from this ratio is that some 90% of attacks 
> can get through
> an IPS solution. That doesn't invalidate the IPS anymore 
> than the IPS
> invalidates a firewall, but it does indicate to me that 
> IDS plays an
> essential role. 
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> IT Security Architect
> Pima Community College
> _________________________________________________
> NOTICE:
> This email may contain confidential information, 
> and is for the sole use of the intended recipient.  
> If you are not the intended recipient, please reply 
> to the message and inform the sender of the error 
> and delete the email and any attachments from 
> your computer. 
> _________________________________________________
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------