Snort mailing list archives

RE: Re: [Snort-devel] IDS vs IPS


From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 22 Aug 2003 15:35:28 +0200

I would like someone on this list to actually define Intrusion 
Prevention System (IPS). 

OK.....

My 0.02 worth is that a Network IPS (NIPS) is a device with two
interfaces that operates in-line to detect suspicious traffic and
INSTANTLY discard the offending packet and the rest of the suspicious
flow.

IDS, NIDS and HIDS are well-enough defined already, and NO passive IDS
device could possibly be described as IPS - even with so-called "active
response mechanisms" (i.e. sending TCP resets or ICMP unreachable
packets, or reconfiguring a firewall). Given a fast enough connection,
by the time the so-called "active response" has been triggered, the
payload has been delivered - it is too late!

By operating in-line, an effective IPS device can drop the offending
packet immediately BEFORE it gets a chance to wreak its havoc, and once
the flow has been marked as suspicious, the rest of that flow can be
handled with very little additional overhead.

Of course, in-line devices bring with them their own problems -
increased latency, the possibility of false positives wreaking their own
special kind of Denial of Service attack, and so on - and that is why
they are best thought of as complementary technologies, at least for
now.

By the way, don't get TOO hung up on terminology - yes, they WERE
originally referred to as Gateway IDS (GIDS) or in-line IDS products -
but providing we ensure that the marketing guys don't dilute the term
(i.e. by referring to every passive IDS or personal firewall as IPS) -
or at least recognise such marketing FUD for what it is - then there is
nothing wrong with the term IPS.

Where it gets interesting is the argument that IPS has nothing to do
with IDS at all - usually put about by those IPS vendors whose signature
set is too small or too prone to false positives to catch the majority
of the common exploits out there... IPS is an evolution of IDS, and has
a whole heap more work to do than an IDS box and thus has to be more
reliable and faster - and thus is likely to be quite a bit more
expensive for a while yet. Think of it as a "security switch", since
once it goes in line it has to behave as much like a switch as it does
like an IDS device - and if the vendor expects the network guys to
accept it as part of their infrastructure then they'd better be pretty
damn sure that it offers minimal latency and maximum resilience. The
passive IDS device can do no serious damage to the network
infrastructure - if it is "noisy" then it is only the IDS admin who
suffers - if it fails, then it causes no network down time. This is not
the case with an in-line device.

And just to round off the definitions, we have Host IPS (HIPS). This
refers to the Entercepts and Okenas of this world - software wrappers
around the OS or critical applications (such as Web servers) that
intercept dodgy system or application function calls and prevent them
from doing any damage.

This is not intended to be an exhaustive definition, but hopefully it
goes some way towards explaining what I think is the most reasonable
point of view.

Now.... Let the marketing guys get on with their job (spin doctors),
ignore everything they have to say, and buy the technology that is most
suitable for your requirements - no matter WHAT they call it  ;o)

Regards,

Bob Walder
Director
The NSS Group
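The two response models contrasted in the post above (a passive sensor that reacts with a TCP reset after the fact, versus an in-line device that drops the matching packet and then short-circuits the rest of the flow on a flow-table hit) can be modelled in a few dozen lines. The following is an added illustration, not code from the post or from Snort: the packet stream, the "signature" string, the flow tuple and the one-packet response delay are all constructed for the example.

```python
"""Toy model of passive IDS + TCP reset versus in-line IPS drop.

Added example, not part of the original mailing-list post. The packets,
the SIGNATURE byte string and the response delay are constructed to make
the timing argument concrete; none of it is Snort's own code or rules."""
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/phf"   # constructed pattern, stands in for a rule


@dataclass(frozen=True)
class Packet:
    flow: tuple       # (src, sport, dst, dport), constructed 4-tuple
    seq: int
    payload: bytes


def matches(pkt: Packet) -> bool:
    """Content match, the only 'inspection' this toy model performs."""
    return SIGNATURE in pkt.payload


def passive_ids_with_reset(packets, response_delay=1):
    """Passive sensor on a SPAN/tap port.

    It sees a copy of every packet; the live path is unaffected until the
    injected reset lands, which here takes `response_delay` further
    packets' worth of time. Anything already on the wire in that window,
    including the matching packet itself, is delivered to the target."""
    delivered, alerts = [], []
    reset_at = {}          # flow -> index from which the reset has effect
    for i, pkt in enumerate(packets):
        if pkt.flow in reset_at and i >= reset_at[pkt.flow]:
            continue       # connection torn down, packet has no effect
        delivered.append(pkt)
        if matches(pkt) and pkt.flow not in reset_at:
            alerts.append(pkt)
            reset_at[pkt.flow] = i + 1 + response_delay
    return delivered, alerts


def inline_ips(packets):
    """In-line device with two interfaces.

    Each packet is held until a verdict is reached, so the matching packet
    is dropped before delivery. The flow is then marked, and later packets
    of that flow are discarded on a set lookup without full inspection,
    which is the 'very little additional overhead' in the post."""
    forwarded, dropped = [], []
    blocked = set()
    inspections = 0
    for pkt in packets:
        if pkt.flow in blocked:
            dropped.append(pkt)          # flow-table hit, no inspection
            continue
        inspections += 1
        if matches(pkt):
            blocked.add(pkt.flow)
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped, inspections


# Constructed flows and packet stream: the attack flow carries the
# matching request in its second packet, followed by two more packets.
ATTACK = ("10.0.0.5", 40000, "192.0.2.10", 80)
BENIGN = ("10.0.0.7", 40001, "192.0.2.10", 80)
PACKETS = [
    Packet(BENIGN, 1, b"GET / HTTP/1.0\r\n"),
    Packet(ATTACK, 1, b"GET "),
    Packet(ATTACK, 2, b"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    Packet(ATTACK, 3, b" HTTP/1.0\r\n"),
    Packet(ATTACK, 4, b"\r\n"),
    Packet(BENIGN, 2, b"Host: example\r\n\r\n"),
]


def compare(packets=PACKETS):
    """Run both models over the same stream and summarise the outcome."""
    delivered, alerts = passive_ids_with_reset(packets)
    forwarded, dropped, inspections = inline_ips(packets)
    return {
        "passive_attack_pkts_delivered": sum(p.flow == ATTACK for p in delivered),
        "passive_payload_delivered": any(matches(p) for p in delivered),
        "passive_alerts": len(alerts),
        "inline_attack_pkts_forwarded": sum(p.flow == ATTACK for p in forwarded),
        "inline_payload_delivered": any(matches(p) for p in forwarded),
        "inline_dropped": len(dropped),
        "inline_inspections": inspections,
        "benign_forwarded": sum(p.flow == BENIGN for p in forwarded),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the point of the post: the passive model still delivers the offending packet (and one more behind it) before the reset takes hold, while the in-line model delivers nothing from the matching packet onward and inspects the blocked flow only once. The response delay is a single packet here, which is generous; on a fast link the window is larger, not smaller.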
