IDS mailing list archives

RE: Intrusion Prevention Systems - New Generation (new technologies)


From: Avi Chesla <avic () V-Secure com>
Date: Wed, 6 Nov 2002 11:10:04 +0200

Most of the current intrusion detection techniques/technologies are not
suitable to most of the existing attacks. Systems need to be dynamic in
nature in order to detect and prevent dynamic attacks. This means that
those prevention systems must have the following technological capabilities:

1. Real-Time ADAPTIVE algorithms in order to automatically self-tune
thresholds and thereby avoid false positives or missed detections
2. Deterministic and FUZZY detection algorithms in order to cover all of
today's network and application-level attacks
3. Advanced BEHAVIORAL ANALYSIS algorithms (such as spectral behavioral
analysis)
4. Support for some kind of automatic FEEDBACK mechanism that will provide
justification for continuing with the chosen prevention method or changing
it. A good feedback mechanism like that will help to decrease false
positive decisions, which also means that legitimate users will not be hurt
5. In-line product - in order to have all possible prevention capabilities
with fast response
6. Dedicated hardware - obvious

These kinds of capabilities will provide a good IPS. I think that when we say
"next generation intrusion detection systems" we mean new technology like
that mentioned above.
Most will agree that the above algorithms/technologies are currently not
supported in the traditional IDS and also not in most of the new products
claimed to belong to the next generation products.

Of course it will take time to adopt such products but it will happen
eventually.


I think that vendors that really belong to that category are: 

Intruvert : www.intruvert.com

Vsecure Technologies: www.v-secure.com  

Tipping Point: www.tippingpoint.com

And very few more

Chesla
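As an added worked example (not code from Chesla's post or from any of the
vendors named in it), here is one way items 1 and 4 of that list fit
together: a detector whose alert threshold self-tunes from an exponentially
weighted baseline of per-interval packet counts, plus a feedback hook through
which an analyst's verdict on an alert widens or tightens the threshold. The
EWMA baseline, the 10% spread floor, the feedback step size and the
constructed traffic counts are all assumptions of this example, not anything
the post specifies.

```python
"""Adaptive-threshold rate detector with analyst feedback (added example)."""
import math
from dataclasses import dataclass


@dataclass
class AdaptiveDetector:
    """Flags a per-interval packet count that exceeds a self-tuned threshold."""
    alpha: float = 0.2      # EWMA weight: how fast the baseline follows traffic
    k: float = 3.0          # spreads above the baseline that trigger an alert
    warmup: int = 5         # samples observed before any alert is possible
    fp_step: float = 1.0    # how much one false-positive verdict widens k
    mean: float = 0.0       # EWMA of counts judged normal
    var: float = 0.0        # EWMA variance of counts judged normal
    n: int = 0              # samples seen so far

    def threshold(self) -> float:
        # Floor the spread at 10% of the baseline (a constructed choice) so a
        # perfectly flat history cannot produce a razor-thin threshold.
        spread = max(math.sqrt(self.var), 0.1 * self.mean)
        return self.mean + self.k * spread

    def observe(self, x: float) -> bool:
        """Feed one count; return True if it exceeds the current threshold."""
        self.n += 1
        if self.n == 1:
            self.mean = x
            return False
        anomalous = self.n > self.warmup and x > self.threshold()
        if not anomalous:
            # Only traffic judged normal updates the baseline, so a sustained
            # flood does not teach the detector that flood volume is normal.
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1.0 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous

    def feedback(self, false_positive: bool) -> None:
        """Analyst verdict on the last alert: widen k on a false positive,
        tighten it (never below 1.0) when the alert was confirmed."""
        if false_positive:
            self.k += self.fp_step
        else:
            self.k = max(1.0, self.k - self.fp_step)


def run(samples, verdicts, det=None):
    """Process counts in order; verdicts maps a flagged sample index to the
    analyst's verdict (True = false positive). Returns the flagged indices."""
    if det is None:
        det = AdaptiveDetector()
    flagged = []
    for i, x in enumerate(samples):
        if det.observe(x):
            flagged.append(i)
            if i in verdicts:
                det.feedback(verdicts[i])
    return flagged


# Constructed per-second packet counts: a flat baseline, two modest bumps
# (think of a legitimate burst of users) and one obvious flood.
TRAFFIC = [100] * 8 + [140, 140, 1000, 100]

if __name__ == "__main__":
    print("no feedback:   flagged", run(TRAFFIC, {}))
    print("bump 8 is FP:  flagged", run(TRAFFIC, {8: True}))
```

Run as written, the flat baseline is never flagged and the first 140-packet
interval is; once that alert is marked a false positive the second 140 passes
while the 1000-packet burst is still caught, whereas without feedback both
140s are flagged. The design choice worth noting is that flagged samples never
feed the baseline, which is what keeps item 1 (self-tuning) from quietly
defeating the detector during a long flood.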



-----Original Message-----
From: shannong [mailto:shannong () texas net] 
Sent: Tuesday, November 05, 2002 4:33 AM
To: focus-ids () securityfocus com
Subject: RE: Intrusion Prevention Systems


A more legitimate name would be Intrusion Mitigation Systems. Surely, none
of us operate under the guise that any of these systems can prevent
intrusion to a system/network.  Rather, they can stop the easy, obvious
ones.

It seems we're calling a reactive IDS an IPS.  With that in mind, the
technology is definitely immature and unproven especially with respect to
network based solutions.  The problem isn't the reactive measures that
"prevent intrusions", but rather it's the IDS engine that runs behind it
that is the problem.  I still consider IDS an immature technology.  

Stopping something known to be "bad" is fairly "easy" with algorithms and
heuristics. The hard part is determining what's "bad".  IDSs are not very
effective at this yet.  False positives make up a major part of the IDS
events on any system I've seen.  Sure, you can tune over a long period of
time, but you'll still spend hours a day if you track down every alert.
"Over tune", and you'll miss real events worth investigating. It is very
easy to generate undesirable responses from reactive IDS solutions using
spoofing, etc. to block legitimate traffic.

If an organization considers the risk of preventing legitimate traffic
acceptable, then an IPS is worth looking into. 

Most thoughts here are shared with a network based solution in mind. Host
based IPS solutions are more palatable because they represent less threat to
preventing legitimate traffic.  Or at least limit the problem to a single
host rather than to an entire network at large.

-Shannon

-----Original Message-----
From: Andrew Plato [mailto:aplato () anitian com] 
Sent: Monday, October 28, 2002 11:40 AM
To: focus-ids () securityfocus com
Cc: roesch () sourcefire com
Subject: Intrusion Prevention Systems


Martin Roesch wrote...

Don't get me wrong, I'm not saying it's not a good idea, it's an
excellent idea.  My point is that the marketing hype that's coming out
of the IPS vendors at this point is overblown in my opinion and I
haven't seen much cautionary introspection applied to the concept yet,
so I thought I'd chime in.  The deployed base of network intrusion
prevention systems in production environments today is very small.
While the concept has a lot of merit, it's unproven as yet and there
are significant technical hurdles (robustness, capability, etc) as well
as a raft of political hurdles that have not been addressed in any sort
of empirical manner yet with a deployed base of happy users.

I want to respond to a few things you said, Martin. 

1. Intrusion prevention is hardly a "new" thing. I keep hearing people say
how Hogwash is this amazing new thing. In reality, BlackICE Guard (now
called RealSecure Guard), which is the exact same type of product, pre-dates
Hogwash and all the other IPS products by almost 3 years.  I was building
and deploying Guard units when Hogwash was still an interesting idea being
discussed on Snort forums. Guard is based on Network ICE's BlackICE which
is, as we all know, the core of ISS's RealSecure NIDS. 

I say this not in deference to Hogwash, but to point out that IPS is not a
new idea. You could even argue that some firewalls, like WatchGuards, have
rudimentary IPS features as they can auto-block users who attempt to connect
using spoofed IPs or other known (albeit lame) hacking tactics. 

2. IPS is hardly a "test lab device" or unproven technology. I have Guard
units deployed all over the Pacific Northwest protecting critical mainframes,
DMZs, and even some Linux clusters. These units are like tanks with
practically zero down-time and exceptional performance. In one case, a Guard
unit is defending a particular client's credit card system - and it has
blocked more script kiddies and hackers than I can well count. It is
integrated with a comprehensive host-based IDS and some other NIDS and
provides exceptional insight and capability for this customer. 

3. However, I do agree with you that marketing can often pervert the true
value and capability of these systems. ISS and Network ICE have had a hard
time positioning and selling Guard units because they are difficult to
understand and hard to deploy. I have had success with them mainly because I
sell them as appliance type units and I have special tweaks to make them
really scream. 

Furthermore, sales folks like to sell these as "all-in-one" high margin,
high-price items. Ideally, IPS should complement and integrate with a
comprehensive IDS offering and should never replace or supplant a
traditional firewall. 

Sourcefire *is* working on IPS too, both with things like in-line mode
operation and firewall interoperability through mechanisms like OPSEC.
I've seen a lot of people advocating the widespread replacement of IDS
with IPS in the last couple months and I think that it's way too early
to make that leap.

I agree that you cannot replace IDS with IPS. IPS is best seen as a "special
use" type solution. I pitch Guard units to companies that have special areas
that need exceptional defense. The most common application is as a
last-defense layer in front of mainframes or UNIX clusters. 

As for OPSEC interoperability - RealSecure has had this for eons. And
honestly, I don't think I have ever seen anybody use it. That doesn't mean
it doesn't work. But it's hard to implement unless there is a very organized
and well-planned IDS roll-out methodology used. 

I also have some real reservations about any product automatically rewriting
firewall rules. Better to have set firewall rules and then build in
distributed, compartmentalized protection zones behind that firewall. IPS
and more firewalls are better suited to this role than rewriting firewall
rules at the perimeter. 

Do you think there's a conflict of interest here?  Am I not allowed to
have reservations about the technology even though I work on it?  A lot
of people would debate the value of having the firewall reconfigured by
a NIDS, but people (like me) who work for companies that have features
like that as requirements for the market they serve have to work within
the market reality even though they may have reservations about the
value of the technology itself.  Would you say that the technology is
completely, absolutely ready for prime time in your opinion as an
evaluator of the *engineering* pros and cons of such a technology?

Think?  I KNOW the technology is ready for prime time. I am sitting on a
client base of highly satisfied customers using and enjoying the benefits of
IPS devices. We've caught everything from nosy users to corrupt software at
a HUGE national financial company with these devices.

However, IPS isn't for the faint of heart. It is a tough implementation. The
tuning and use of such systems can be very dicey. And most people fall apart
at the first dropped packet. There is a challenging integration process, but
done slowly and done properly, it can work. And this isn't theory I am
spouting here, this is my own personal experience. 

Can you speak to those?  I notice you guys at Latis use Snort as your
supported IDS technology, how does your integrated solution fare when
Snort has gone into self-preservation mode due to its memory cap being
hit in its stateful inspection subsystems?  How about in the same
situation for the IP defragmentation subsystem?  Does it dynamically
reallocate the memcap based on the available free memory on the system
or does it thrash?  We had to get to *extremely* high loads in our test
lab traffic generators (~1M concurrent sessions) on our gigabit product
before we saw the degenerate thrashing situation Snort would descend
into when the memory caps were hit.  How are you guys handling that?

I'll be honest, I had a very hard time getting a Hogwash system to work at
all. However, I will admit that I am irreparably biased by my BlackICE
experience. So, when things don't look like BlackICE, I get itchy. I spent a
good week or more trying to get the system running. When I did, I loaded up
the segment (a fully switched 10/100 segment) to about 75% utilization and
my unit was really struggling to keep up. My tests were hardly scientific or
reliable since I was mostly just playing with the system. 

However, Guard systems I use have no problem handling fairly heavily loaded
100 Mbps segments. Gigabit Guard is possible using load balancers. You can
run multiple Guards through a TopLayer IDS balancer and then achieve a true
Gigabit Guard unit. So far there is no single Gigabit Guard solution. 

I say it's not 100% ready for prime time because it hasn't been
deployed widely enough to have any sort of empirical evidence that it
is and in my opinion as an *engineer* the case still has to be made.
Once there are a few thousand NIPSes out there saving the bacon of
large enterprises and that can be documented, I'll be a lot more
impressed.  When Sourcefire finally releases a solution it'll be the
best technology that we can come up with (given all the usual
constraints) and hopefully it'll be ready for prime time, but we'll
need to see successful deployments of it before I'm going to convert to
being an IPS advocate.

Well, if you need to see some successful IPS deployments, come out to
Seattle or Portland and I would be happy to walk you through one of our
Guard deployments (with the customer's approval of course) and show you how
they're working. 

One of my Guard units has been on-line consistently since March of 2000 with
only occasional reboots and software updates. 

Okay - I know what you're thinking. "Oh, you're just a vendor of these
things and you'll say anything to sell them." Sure, I want to sell them. I
need to pay a mortgage just like everybody.
However, unlike most resellers who just shove products at their customers
and mindlessly bark marketing propaganda, my firm has always tried to sell
stuff we KNEW worked. It's why I won't sell some unnamed technologies. I
know they won't work and I know they are BS. (Besides, I sell, or at least
try to sell, SourceFire!) Guards work, and I can prove it. Not with
marketing BS, but real-world trials. 

Lastly, I think it's great you are openly questioning these technologies.
They deserve questioning and debate. It's a testament to Sourcefire and
yourself that you can appreciate market desires but also strive to openly
discuss their real value. If more security firms were more open about their
ideas and theories for technologies, they might be able to forge better
technologies overall and ultimately satisfy market desires more
appropriately. 

Andrew Plato, CISSP 
President / Principal Consultant
Anitian Corporation
www.anitian.com
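The memcap question in the quoted passage above (what a stateful inspection
engine does when its session table hits its memory cap) is easier to reason
about with a small model. The following is an added example, not Snort's or
Sourcefire's code, and it makes no claim about how Snort actually handles its
memcap: a bounded session table that must evict when full, run under two
eviction policies against a constructed workload of 50 established sessions
followed by 200 connection attempts that never complete the handshake. The
cap of 100 sessions, the two-state session model, the address ranges and the
policy names are all constructed for the example.

```python
"""Bounded session table with two eviction policies (added example)."""
from collections import OrderedDict


class SessionTable:
    """Tracks TCP sessions under a hard cap on how many may be held.

    `memcap` is the maximum number of sessions we allow ourselves to keep
    (a count stands in for bytes here). When the cap is reached we evict
    rather than grow; which entry is sacrificed is the policy choice.
    """

    def __init__(self, memcap, prefer_half_open=False):
        self.memcap = memcap
        self.prefer_half_open = prefer_half_open
        self.sessions = OrderedDict()   # key -> state; order = least recently seen first
        self.evicted_established = 0
        self.evicted_half_open = 0

    def _evict_one(self):
        victim = None
        if self.prefer_half_open:
            # Linear scan for the oldest handshake that never completed;
            # O(n), which is the price of this policy in a naive table.
            for key, state in self.sessions.items():
                if state == "half_open":
                    victim = key
                    break
        if victim is None:
            victim = next(iter(self.sessions))   # plain oldest-first
        state = self.sessions.pop(victim)
        if state == "half_open":
            self.evicted_half_open += 1
        else:
            self.evicted_established += 1

    def track(self, key, state):
        """Record a session as `state` ("half_open" or "established")."""
        if key in self.sessions:
            self.sessions[key] = state
            self.sessions.move_to_end(key)   # refresh recency on an existing flow
            return
        if len(self.sessions) >= self.memcap:
            self._evict_one()
        self.sessions[key] = state

    def count(self, state):
        return sum(1 for s in self.sessions.values() if s == state)


def simulate(prefer_half_open):
    """Constructed workload: 50 established flows, then a burst of 200
    connection attempts that never finish the handshake. Returns
    (established sessions still tracked, established evicted, half-open evicted)."""
    table = SessionTable(memcap=100, prefer_half_open=prefer_half_open)
    for i in range(50):
        table.track(("10.0.0.%d" % (i + 1), 443), "established")
    for i in range(200):
        table.track(("198.51.100.%d" % (i % 250 + 1), 40000 + i), "half_open")
    return (table.count("established"),
            table.evicted_established,
            table.evicted_half_open)


if __name__ == "__main__":
    for policy in (False, True):
        kept, ev_est, ev_half = simulate(prefer_half_open=policy)
        print("prefer_half_open=%s: kept %d established, evicted %d established, "
              "%d half-open" % (policy, kept, ev_est, ev_half))
```

The comparison is about which sessions are sacrificed, not about reallocating
memory: with strict oldest-first eviction the half-open burst pushes out every
one of the 50 established sessions, so the engine loses state on exactly the
flows it was inspecting, while preferring half-open entries keeps all 50 at
the cost of a scan per eviction. Either way the table stays bounded; the
"thrash" case in the question is what happens when a table keeps evicting and
re-creating the same state on every packet instead of choosing a victim once.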

 


