IDS mailing list archives

Re: IDS vs. IPS deployment feedback


From: "Will Metcalf" <william.metcalf () gmail com>
Date: Wed, 5 Apr 2006 15:28:32 -0500

> I have a serious question for you - have you ever been responsible for
> an enterprise network and its security?

I manage information security for an organization of 3500 employees ;-).

> I ask that because the threats
> of dropped packets and the "NIC that goes bad" all sound like FUD, not
> experience. Dropped packets happen when people try to ram 1000 Mbps
> through an IPS rated at 200 Mbps. You have to size your IPS accordingly.
> And the bad NIC is easily solved with bypass units. Again - all this FUD
> has many simple answers.

Really, I had a NIC go bad in my IPS.... You're trying to say that
hardware never goes bad? What happens when your IPS fails open and
you don't have anything passively monitoring your network to log a
successful exploitation that your IPS was previously stopping?

> Furthermore, where is all this analytical power coming from? Most
> enterprise networks are complex and have limited resources to handle
> ANYTHING, let alone security.

Talk about FUD, if an organization isn't dedicating resources to
INFOSEC they need to start. I don't think there is an excuse not to
in this day and age. As a manager, if I had to choose between
educating our INFOSEC staff or buying a shiny new IPS appliance, I
would choose the training every time. Having a good security analyst
who is able to apply his or her knowledge of INFOSEC best practices
to your enterprise is worth more than a hundred IPS devices.

> Most network admins and IT people spend
> the majority of their time just keeping their organizations running.
> They simply do not have the time or resources to baby an IDS and perform
> intricate security analysis.
> Now, you could complain that this is because companies underfund IT.
> That's a whole different issue, however.
>
> The reality is - IT departments need tools that can extend the expertise
> of a small staff. The more content that can be blocked and kept out of a
> network, the less there is to deal with.
>
> It's easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy
> Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally
> vigilant experts. Of the hundreds of companies I have seen (from small
> to gigantic) none of them have the IT resources to analyze IDS logs all
> day and none of them implement proxy firewalls correctly.
>
> Now, maybe I am just seeing a totally skewed view of it all. I will
> accept that. But I don't think so.

I think so....

> I think security needs to be
> transparent and as easy as possible. And complex IDSs that generate 10000s
> of alerts and stop nothing are quickly ignored when the staff gets busy.
> And proxy firewalls are a small fraction of the market.

Yeah, ummm, an IPS is nothing more than a layer 7 "application layer"
firewall.

> This is just false. Firewalls and IPS assume much different things. A
> firewall is a static set of rules that say what is allowed and what is
> not allowed. That's it.

Is your signature-based IPS not based off of a static set of rules?!?

Want to talk about behavioral-based IPS devices?
Fine, even layer 3 and layer 4 firewalls have behavioral-based anomaly detection.

> An IPS, on the other hand, lets everything through unless it does
> something that it knows is bad.
>
> Now, before you have a triple heart attack and say "what about stuff it
> doesn't know about." Well, that's the eternal squeal of the paranoid,
> isn't it? How do you defend against the unknown?
>
> The reality to that is - you can't. It's impossible to defend 100%
> against the unknown. You HAVE to make some type of educated guesses as
> to what is PROBABLE and defend against that which is MOST PROBABLE. And
> that is exactly what an IPS does. It can look at a stream and say: "it's
> HIGHLY unlikely that this gargantuan binary package in the middle of an
> ISAPI call is normal, so I am going to block it."

Trusting the security of your network to an appliance/piece of software
etc. without human interaction and analysis is just plain dumb. Ever
seen War Games?

> I realize a lot of people fly off into a rage when you mention IPS to
> them. And yes, a lot of the vendors are pretty bad when they sell IPS as
> a silver bullet that will solve everything. But, by the same token,
> spreading inaccurate FUD about IPS isn't any better than some commission

I guess we will agree to disagree; I feel my views are quite accurate.
Spending a lot of my free time developing an IPS, and evaluating
and using commercial host- and network-based IPSs in a production
enterprise environment, qualifies me to speak to the strengths and
weaknesses of the technology, but believe what you want.

> hungry salesperson telling customers that IPSs will solve everything.
> Both responses have hidden agendas.
>
> When you clear away the hype and FUD, the value of an IPS is obvious. You
> can lower risk by knowing that a set number of vulnerabilities are
> blocked, thus reducing the number of incidents that need to be
> investigated.

Yeah, uhhh, did you read the beginning of my last e-mail? I develop an
open source IPS. I'm not saying that an IPS does not have value, I'm
saying it should be part of an overall security strategy, not your end-all
solution for detecting and preventing intrusions, as the view
that it gives even the most novice analyst is far too narrow.

> _____________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> ANITIAN ENTERPRISE SECURITY
>
> Your Expert Partner for Security & Networking
>
> 3800 SW Cedar Hills Blvd, Suite 280
> Beaverton, OR 97005
> 503-644-5656 Office
> 503-214-8069 Fax
> 503-201-0821 Mobile
> www.anitian.com
> _____________________________________
>
> PGP/GPG public key available at: http://www.anitian.com/corp/keys.htm






