Snort mailing list archives
Re: Re: [Snort-devel] IDS vs IPS
From: Jason <security () brvenik com>
Date: Wed, 27 Aug 2003 19:36:38 -0400
my $.02 AU

Bob Walder wrote:

> > I would like someone on this list to actually define Intrusion Prevention System (IPS).
>
> OK..... My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest of the suspicious flow.
What we have here is a definition of an IPS that matches pretty closely what firewalls have been able to do for some time. There are packet _inspecting_ firewalls and proxy based firewalls, both of these can drop or block the offending traffic. An IPS as defined above can even be certain types of routers. These are completely different than the "Monitoring" devices designed to observe, they are "Control" devices designed to enforce. I think that lumping in these "new" products with the "Intrusion" category is an injustice to the many capable firewalls and routing products that have been available for so many years and already performing this function.
> IDS, NIDS and HIDS are well-enough defined already, and NO passive IDS device could possibly be described as IPS - even with so-called "active response mechanisms" (i.e. sending TCP resets or ICMP unreachable packets, or reconfiguring a firewall). Given a fast enough connection, by the time the so-called "active response" has been triggered, the payload has been delivered - it is too late!
This here be religion if you ask me. The mere presence of an IDS without any active element can be classified as an IPS. Now before we go jumping around and hootin and hollerin, consider this. You have a flexible IDS that you can create your own signatures for. The signatures you create are designed to verify the firewall policies that are supposed to be in place. Any deviation from this policy is unknown to the environment and should be mitigated or made known. Now one might say that the IPS is designed for this; you would be correct. The firewall in place is designed for this, and the people problem most likely caused there to be an unknown threat allowing the bypass of the firewall. This same problem still exists for the new breed of firewall. You ask how the IDS has performed an IPS role? It has done this by alerting your security staff to a situation that needs attention before that situation can ever be used to launch an attack. Key to this is the use of the "S" or system. Maybe the branding should be IPD for Intrusion Prevention Device. Since this device is supposed to prevent, can you sue if it fails to prevent an intrusion?
> By operating in-line, an effective IPS device can drop the offending packet immediately BEFORE it gets a chance to wreak its havoc, and once the flow has been marked as suspicious, the rest of that flow can be handled with very little additional overhead. Of course, in-line devices bring with them their own problems - increased latency, the possibility of false positives wreaking their own special kind of Denial of Service attack, and so on - and that is why they are best thought of as complementary technologies, at least for now.
Does anyone know how the dropped packet(s) that are part of an established session get handled on the server side of the connection? This could be my ignorance of how the latest inline devices work, I've not had a chance to play with them myself. Some of the questions that I have are:

What if the dropped packet thwarts the attack but leaves the session open? Will the end server be subjected to a DoS by filling state tables? What about the mass DoS of services because the IPS device sends a reset to mitigate this state problem? What data corruption can the connection being aborted cause? What if the suspect packet was in the middle of a database transaction? What if the sanitized packet (another way to mitigate the state problems) causes the server to respond with different data? Does this create liability issues for the business? What if that data is customer data? What if it is your bank account balance being reported as 0? What if it is used to drop a connection for a protocol designed to re-establish? Imagine the use of these firewalls to drop packets that are part of a mail message; the mail server can sit and wait for the rest of the data. This data never arrives and the connection times out, so the sending server assumes a problem and queues up the message to send again. Wash, Rinse, Repeat. You have created a DoS for both systems.
> By the way, don't get TOO hung up on terminology - yes, they WERE originally referred to as Gateway IDS (GIDS) or in-line IDS products - but providing we ensure that the marketing guys don't dilute the term (i.e. by referring to every passive IDS or personal firewall as IPS) - or at least recognise such marketing FUD for what it is - then there is nothing wrong with the term IPS.
I have to disagree here. I think the "I" in IPS implies absolute scrutiny of the data seen and when the "PS" is in doubt it can either block or raise the issue for further inspection. If you do this then what you really have is a gateway IDS.
> Where it gets interesting is the argument that IPS has nothing to do with IDS at all - usually put about by those IPS vendors whose signature set is too small or too prone to false positives to catch the majority of the common exploits out there... IPS is an evolution of IDS, and has
IPS is an evolution of the firewall, a rebranding of existing technology in an attempt to capitalize on the security fear present today.
> a whole heap more work to do than an IDS box and thus has to be more reliable and faster - and thus is likely to be quite a bit more expensive for a while yet. Think of it as a "security switch", since once it goes in line it has to behave as much like a switch as it does like an IDS device - and if the vendor expects the network guys to
It has to behave like a firewall not an IDS. Throw up a cluster of CP NG and you have just that all the way into multi gigabit speeds with VPN and proxies to boot.
> accept it as part of their infrastructure then they'd better be pretty damn sure that it offers minimal latency and maximum resilience. The passive IDS device can do no serious damage to the network infrastructure - if it is "noisy" then it is only the IDS admin who suffers - if it fails, then it causes no network down time. This is not the case with an in-line device.
You also have the failure case where the IPS fails open, that is, it passes all traffic like a failed tap. You had better hope that there is a good firewall there and a good IDS to back you up.
> And just to round off the definitions, we have Host IPS (HIPS). This refers to the Entercepts and Okenas of this world - software wrappers around the OS or critical applications (such as Web servers) that intercept dodgy system or application function calls and prevent them from doing any damage. This is not intended to be an exhaustive definition, but hopefully it goes some way towards explaining what I think is the most reasonable point of view. Now.... Let the marketing guys get on with their job (spin doctors), ignore everything they have to say, and buy the technology that is most suitable for your requirements - no matter WHAT they call it ;o)
The definition given above of an IPS plays right into this spin doctoring. I think it is important to remember that the new definition called IPS is the same as the capabilities of modern firewalls and it is nothing new; the same problems that have prevented wide usage in the firewall space still plague the inline devices, and then some extras have been added. The phrase "Trust but verify" comes to mind here.
> Regards,
> Bob Walder
> Director
> The NSS Group
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
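Editor's added example (not part of Jason's message or of Snort itself): the approach Jason describes of writing IDS signatures that verify the firewall policy rather than look for exploits. A passive sensor that sees an inbound SYN the perimeter firewall was supposed to drop has found a firewall gap before anyone uses it. The network range (RFC 5737 documentation space), the allowed-service table, the flow records and the SIDs are all constructed; the Snort 2.x rule header syntax the generator emits is assumed from the Snort manual and was not run through a Snort build here.

```python
"""Firewall-policy verification with IDS-style rules (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # constructed: RFC 5737 documentation range

# Constructed perimeter policy: inbound TCP services the firewall should permit,
# mapped to the only internal hosts allowed to receive them.
ALLOWED_INBOUND = {
    80: {"192.0.2.10"},
    443: {"192.0.2.10"},
    25: {"192.0.2.25"},
}


@dataclass(frozen=True)
class Flow:
    """One packet as a passive sensor sees it (constructed records)."""
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" for a bare SYN, "SA" for SYN/ACK


def inbound_connection_attempt(flow: Flow) -> bool:
    """True only for a bare SYN from outside to inside.

    Replies to sessions the inside opened (SYN/ACK, ACK, ...) are ignored so
    the check does not alert on legitimate return traffic.
    """
    return (
        flow.flags == "S"
        and ip_address(flow.src) not in HOME_NET
        and ip_address(flow.dst) in HOME_NET
    )


def policy_violation(flow: Flow):
    """Return a reason if the firewall should have dropped this SYN, else None."""
    if not inbound_connection_attempt(flow):
        return None
    allowed_hosts = ALLOWED_INBOUND.get(flow.dport)
    if allowed_hosts is None:
        return f"inbound tcp/{flow.dport} is not a permitted service"
    if flow.dst not in allowed_hosts:
        return f"inbound tcp/{flow.dport} permitted only to {sorted(allowed_hosts)}"
    return None


def check_flows(flows):
    """Run the policy check over sensor records; returns (flow, reason) pairs."""
    return [(f, r) for f in flows if (r := policy_violation(f)) is not None]


def snort_rules(base_sid=1000001):
    """Emit the same policy as Snort 2.x rules (header syntax assumed, untested).

    One rule per permitted service catches that port reaching a host other
    than its server; a final rule catches any inbound SYN to any other port.
    """
    rules = []
    sid = base_sid
    for port, hosts in sorted(ALLOWED_INBOUND.items()):
        hostlist = "[" + ",".join(sorted(hosts)) + "]"
        rules.append(
            f"alert tcp $EXTERNAL_NET any -> [{HOME_NET},!{hostlist}] {port} "
            f'(msg:"POLICY inbound tcp/{port} to non-server host"; '
            f"flags:S; sid:{sid}; rev:1;)"
        )
        sid += 1
    portlist = "[" + ",".join(str(p) for p in sorted(ALLOWED_INBOUND)) + "]"
    rules.append(
        f"alert tcp $EXTERNAL_NET any -> {HOME_NET} !{portlist} "
        f'(msg:"POLICY inbound SYN to unpermitted port"; flags:S; sid:{sid}; rev:1;)'
    )
    return rules


# Constructed sensor records: one firewall gap (telnet), one service on the
# wrong host, plus allowed, reply and outbound traffic that must stay quiet.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", 443, "S"),
    Flow("198.51.100.7", "192.0.2.10", 23, "S"),
    Flow("198.51.100.9", "192.0.2.40", 80, "S"),
    Flow("198.51.100.9", "192.0.2.40", 80, "SA"),
    Flow("192.0.2.40", "198.51.100.9", 80, "S"),
    Flow("198.51.100.7", "192.0.2.25", 25, "S"),
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
    print("\n".join(snort_rules()))
```

The point of the example is what fires and what does not: the two hits are a telnet SYN (a port the firewall should never pass) and HTTP reaching a host that is not the web server, while the allowed services, the SYN/ACK reply and the outbound connection produce nothing. Each hit is a policy deviation to chase in the firewall ruleset, which is the "prevention" role Jason attributes to a purely passive IDS.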
Current thread:
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 22)
- <Possible follow-ups>
- RE: [Snort-devel] IDS vs IPS Robert Wagner (Aug 22)
- RE: RE: [Snort-devel] IDS vs IPS Tom Van Overbeke (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Bob Walder (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 22)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Stevo (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS twig les (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 28)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)