Snort mailing list archives
RE: Re: [Snort-devel] IDS vs IPS
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 22 Aug 2003 15:35:28 +0200
> I would like someone on this list to actually define Intrusion Prevention System (IPS).
OK..... My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest of the suspicious flow. IDS, NIDS and HIDS are well-enough defined already, and NO passive IDS device could possibly be described as IPS - even with so-called "active response mechanisms" (i.e. sending TCP resets or ICMP unreachable packets, or reconfiguring a firewall). Given a fast enough connection, by the time the so-called "active response" has been triggered, the payload has been delivered - it is too late!

By operating in-line, an effective IPS device can drop the offending packet immediately BEFORE it gets a chance to wreak its havoc, and once the flow has been marked as suspicious, the rest of that flow can be handled with very little additional overhead. Of course, in-line devices bring with them their own problems - increased latency, the possibility of false positives wreaking their own special kind of Denial of Service attack, and so on - and that is why they are best thought of as complementary technologies, at least for now.

By the way, don't get TOO hung up on terminology - yes, they WERE originally referred to as Gateway IDS (GIDS) or in-line IDS products - but providing we ensure that the marketing guys don't dilute the term (i.e. by referring to every passive IDS or personal firewall as IPS) - or at least recognise such marketing FUD for what it is - then there is nothing wrong with the term IPS. Where it gets interesting is the argument that IPS has nothing to do with IDS at all - usually put about by those IPS vendors whose signature set is too small or too prone to false positives to catch the majority of the common exploits out there... IPS is an evolution of IDS, and has a whole heap more work to do than an IDS box and thus has to be more reliable and faster - and thus is likely to be quite a bit more expensive for a while yet.
Think of it as a "security switch", since once it goes in line it has to behave as much like a switch as it does like an IDS device - and if the vendor expects the network guys to accept it as part of their infrastructure then they'd better be pretty damn sure that it offers minimal latency and maximum resilience. The passive IDS device can do no serious damage to the network infrastructure - if it is "noisy" then it is only the IDS admin who suffers - if it fails, then it causes no network down time. This is not the case with an in-line device.

And just to round off the definitions, we have Host IPS (HIPS). This refers to the Entercepts and Okenas of this world - software wrappers around the OS or critical applications (such as Web servers) that intercept dodgy system or application function calls and prevent them from doing any damage.

This is not intended to be an exhaustive definition, but hopefully it goes some way towards explaining what I think is the most reasonable point of view. Now.... Let the marketing guys get on with their job (spin doctors), ignore everything they have to say, and buy the technology that is most suitable for your requirements - no matter WHAT they call it ;o)

Regards,
Bob Walder
Director
The NSS Group
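The post above makes three mechanical points: a passive sensor on a tap only sees a copy of a packet that is already on its way, so a reset can alert but cannot stop that packet; an in-line device holds each packet for a verdict and, once a flow is marked, can drop the remainder with a cheap lookup instead of full inspection; and an in-line device inherits a failure mode (fail-open or fail-closed) that a passive sensor does not have. The following is an added toy model of those three behaviours; it is not Snort code and not code from the thread or from The NSS Group. The packet format, the content signature (`BAD-PAYLOAD-MARKER`), the sample stream and the use of a non-bytes payload to simulate an inspection-engine fault are all constructed for the example.

```python
"""Toy model of passive IDS vs in-line IPS behaviour (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: 4-tuple plus payload (no protocol field)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: Optional[bytes]


FlowKey = Tuple[str, int, str, int]


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


# Constructed content signature standing in for a real rule set.
SIGNATURE = re.compile(rb"BAD-PAYLOAD-MARKER")


def deep_inspect(pkt: Packet) -> bool:
    """The expensive per-packet check. True means 'suspicious'.
    re.search() raises TypeError on a non-bytes payload; the example uses
    that to simulate an inspection-engine fault."""
    return SIGNATURE.search(pkt.payload) is not None


@dataclass
class PassiveSensor:
    """Off-path IDS on a tap/SPAN port: sees a copy, the original is already forwarded."""
    alerts: List[FlowKey] = field(default_factory=list)
    resets_sent: List[FlowKey] = field(default_factory=list)

    def observe(self, pkt: Packet) -> None:
        if deep_inspect(pkt):
            key = flow_key(pkt)
            self.alerts.append(key)
            # "Active response": a reset aimed at the endpoints. It is emitted after
            # the offending packet has gone past, so it cannot stop that packet.
            self.resets_sent.append(key)


@dataclass
class InlineSensor:
    """In-line IPS: every packet waits for a verdict before it is forwarded."""
    fail_open: bool = False
    blocked: Set[FlowKey] = field(default_factory=set)
    inspected: int = 0
    fast_path_drops: int = 0

    def verdict(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.blocked:
            # Rest of an already-marked flow: one set lookup, no signature matching.
            self.fast_path_drops += 1
            return "drop"
        self.inspected += 1
        try:
            suspicious = deep_inspect(pkt)
        except Exception:
            # Engine fault: fail-open keeps the network up but unprotected,
            # fail-closed protects but turns the fault into downtime.
            return "forward" if self.fail_open else "drop"
        if suspicious:
            self.blocked.add(key)
            return "drop"
        return "forward"


def run_passive(stream: List[Packet]):
    """Wire delivers everything; the sensor can only alert afterwards."""
    sensor, delivered = PassiveSensor(), []
    for pkt in stream:
        delivered.append(pkt.payload)
        sensor.observe(pkt)
    return delivered, sensor


def run_inline(stream: List[Packet], fail_open: bool = False):
    """Only packets with a 'forward' verdict reach the destination."""
    sensor, delivered = InlineSensor(fail_open=fail_open), []
    for pkt in stream:
        if sensor.verdict(pkt) == "forward":
            delivered.append(pkt.payload)
    return delivered, sensor


# Constructed sample stream: benign packet, offending packet, a later packet of
# the same flow, then an unrelated benign flow.
SAMPLE_STREAM = [
    Packet("10.0.0.5", 40000, "10.0.0.80", 80, b"GET / HTTP/1.0\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.80", 80, b"GET /x?BAD-PAYLOAD-MARKER HTTP/1.0\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.80", 80, b"more of the same flow"),
    Packet("10.0.0.6", 40001, "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    delivered, passive = run_passive(SAMPLE_STREAM)
    print("passive: delivered", len(delivered), "alerts", len(passive.alerts))
    delivered, inline = run_inline(SAMPLE_STREAM)
    print("inline: delivered", len(delivered), "inspected", inline.inspected,
          "fast-path drops", inline.fast_path_drops)
```

Running it shows the passive sensor delivering all four payloads while raising one alert, and the in-line sensor delivering only the two benign payloads, inspecting three packets and dropping the third packet of the marked flow without inspecting it. Feeding a packet the engine cannot parse shows the fail-open/fail-closed choice the post's "security switch" remark is about.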
Current thread:
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 22)
- <Possible follow-ups>
- RE: [Snort-devel] IDS vs IPS Robert Wagner (Aug 22)
- RE: RE: [Snort-devel] IDS vs IPS Tom Van Overbeke (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Bob Walder (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 22)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Stevo (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS twig les (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)