IDS mailing list archives
Re: IDS vs. IPS deployment feedback
From: "Will Metcalf" <william.metcalf () gmail com>
Date: Wed, 5 Apr 2006 15:28:32 -0500
> I have a serious question for you - have you ever been responsible for an enterprise network and its security?

I manage information security for an organization of 3500 employees ;-).

> I ask that because the threats of dropped packets and the "nic that goes bad" all sound like FUD, not experience. Dropped packets happen when people try to ram 1000mbps through an IPS rated at 200Mbps. You have to size your IPS accordingly. And the bad nic is easily solved with bypass units. Again - all this FUD has many simple answers.

Really, I had a nic go bad in my IPS.... You're trying to say that hardware never goes bad? What happens when your IPS fails open and you don't have anything passively monitoring your network to log a successful exploitation that your IPS was previously stopping?

> Furthermore where is all this analytical power coming from? Most enterprise networks are complex and have limited resources to handle ANYTHING, let alone security.

Talk about FUD, if an organization isn't dedicating resources to INFOSEC they need to start. I don't think there is an excuse not to in this day and age. As a manager, if I had to choose between educating our INFOSEC staff or buying a shiny new IPS appliance, I would choose the training every time. Having a good security analyst that is able to apply his or her knowledge of INFOSEC best practices to your enterprise is worth more than a hundred IPS devices.

> Most network admins and IT people spend the majority of their time just keeping their organizations running. They simply do not have the time or resources to baby an IDS and perform intricate security analysis. Now, you could complain that this is because companies underfund IT. That's a whole different issue, however. The reality is - IT departments need tools that can extend the expertise of small staff. The more content that can be blocked and kept out of a network, the less there is to deal with. It's easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally vigilant experts. Of the hundreds of companies I have seen (from small to gigantic) none of them have the IT resources to analyze IDS logs all day and none of them implement proxy firewalls correctly. Now, maybe I am just seeing a totally skewed view of it all. I will accept that. But I don't think so.

I think so....

> I think security needs to be transparent and as easy as possible. And complex IDSs that generate 10000s of alerts and stop nothing are quickly ignored when the staff gets busy. And proxy firewalls are a small fraction of the market.
>
> > Yeah Ummm an IPS is nothing more than a layer7 "application layer" firewall.
>
> This is just false. Firewalls and IPS assume much different things. A firewall is a static set of rules that say what is allowed and what is not allowed. That's it.

Is your signature based IPS not based off of a static set of rules?!? Want to talk about behavioral based IPS devices? Fine, even layer3, layer4 firewalls have behavioral based anomaly detection.

> An IPS, on the other hand, lets everything through unless it does something that it knows is bad.
>
> Now, before you have a triple-heart attack and say "what about stuff it doesn't know about." Well, that's the eternal squeal of the paranoid, isn't it? How do you defend against the unknown? The reality to that is - you can't. It's impossible to defend 100% against the unknown. You HAVE to make some type of educated guesses as to what is PROBABLE and defend against that which is MOST PROBABLE. And that is exactly what an IPS does. It can look at a stream and say: "it's HIGHLY unlikely that this gargantuan binary package in the middle of an ISAPI call is normal, so I am going to block it."

Trusting the security of your network to an appliance/piece of software etc.. without human interaction and analysis is just plain dumb. Ever seen War Games?

> I realize a lot of people fly off into a rage when you mention IPS to them. And yes, a lot of the vendors are pretty bad when they sell IPS as a silver bullet that will solve everything. But, by the same token spreading inaccurate FUD about IPS isn't any better than some commission

I guess we will agree to disagree, I feel my views are quite accurate. After spending a lot of my free time developing an IPS, evaluating and using commercial host and network based IPSs in a production enterprise environment qualifies me to speak to the strengths and weaknesses of the technology, but believe what you want.

> hungry sales person telling customers that IPSs will solve everything. Both responses have hidden agendas. When you clear away the hype and FUD, the value of an IPS is obvious. You can lower risk by knowing that a set number of vulnerabilities are blocked, thus reducing the number of incidents that need to be investigated.

Yeah uhhh did you read the beginning of my last e-mail? I develop an open source IPS. I'm not saying that an IPS does not have value, I'm saying it should be part of an overall security strategy, not your end all solution for detecting and preventing intrusions, as the view that it gives even the most novice analyst is far too narrow.

> _____________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> ANITIAN ENTERPRISE SECURITY
> Your Expert Partner for Security & Networking
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
> PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm
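As an added illustration that is not from the thread or from either author, the two policy models argued over above modelled in Python: a default-deny firewall allowlist beside a default-allow IPS signature list, the latter including the oversized-binary-to-ISAPI heuristic Plato describes. The allowed ports, the two signatures and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Flow:
    """One constructed request: destination port plus an HTTP-style path and body."""
    dst_port: int
    path: str = ""
    body: bytes = b""


# Firewall as the thread describes it: a static allowlist, default deny (constructed set).
FIREWALL_ALLOWED_PORTS = {80, 443}


def firewall_verdict(flow: Flow) -> str:
    return "allow" if flow.dst_port in FIREWALL_ALLOWED_PORTS else "deny"


def _looks_binary(body: bytes, threshold: float = 0.3) -> bool:
    """True if more than `threshold` of the body lies outside printable ASCII."""
    if not body:
        return False
    nonprint = sum(1 for b in body
                   if (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b > 0x7E)
    return nonprint / len(body) > threshold


# IPS as the thread describes it: a static set of "known bad" signatures, default allow.
# The second entry is the heuristic quoted above: a large, mostly binary body sent to an
# ISAPI extension (a .dll path). Both signatures are hypothetical, written for this example.
IPS_SIGNATURES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("dir-traversal", lambda f: "../" in f.path),
    ("isapi-binary-blob", lambda f: f.path.lower().endswith(".dll")
                                    and len(f.body) > 4096 and _looks_binary(f.body)),
]


def ips_verdict(flow: Flow) -> Tuple[str, Optional[str]]:
    for name, matches in IPS_SIGNATURES:
        if matches(flow):
            return "block", name
    return "allow", None  # nothing matched: the IPS passes what it does not know


def compare(flows: List[Flow]) -> List[Tuple[str, str, Optional[str]]]:
    """Run each flow through both policies; returns (firewall, ips, matched signature)."""
    return [(firewall_verdict(f), *ips_verdict(f)) for f in flows]


if __name__ == "__main__":
    sample = [  # constructed traffic, not a capture
        Flow(80, "/index.html"),
        Flow(80, "/scripts/ext.dll", bytes(range(256)) * 20),  # 5120-byte binary blob
        Flow(80, "/scripts/ext.dll", b"name=value&" * 500),    # large but plain text
        Flow(23),                                              # telnet: no port rule, no signature
    ]
    for f, v in zip(sample, compare(sample)):
        print(f"{f.dst_port:>4} {f.path or '-':<18} firewall={v[0]:<5} ips={v[1]} ({v[2]})")
```

The telnet flow shows the asymmetry the thread argues about: the firewall denies it because it is not on the allowlist, while the IPS allows it because no signature matches.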