IDS mailing list archives

Intrusion Prevention Systems


From: "Andrew Plato" <aplato () anitian com>
Date: Mon, 28 Oct 2002 09:40:25 -0800

Martin Roesch wrote...

> Don't get me wrong, I'm not saying it's not a good idea, it's an
> excellent idea. My point is that the marketing hype that's coming out
> of the IPS vendors at this point is overblown in my opinion and I
> haven't seen much cautionary introspection applied to the concept yet,
> so I thought I'd chime in. The deployed base of network intrusion
> prevention systems in production environments today is very small.
> While the concept has a lot of merit, it's unproven as yet and there
> are significant technical hurdles (robustness, capability, etc.) as
> well as a raft of political hurdles that have not been addressed in
> any sort of empirical manner yet with a deployed base of happy users.

I want to respond to a few things you said, Martin. 

1. Intrusion prevention is hardly a "new" thing. I keep hearing people
say how Hogwash is this amazing new thing. In reality, BlackICE Guard
(now called RealSecure Guard), which is the exact same type of product,
pre-dates Hogwash and all the other IPS products by almost 3 years. I
was building and deploying Guard units when Hogwash was still an
interesting idea being discussed on Snort forums. Guard is based on
Network ICE's BlackICE which is, as we all know, the core of ISS's
RealSecure NIDS.

I say this not in deference to Hogwash, but to point out that IPS is
not a new idea. You could even argue that some firewalls, like
WatchGuards, have rudimentary IPS features as they can auto-block users
who attempt to connect using spoofed IPs or other known (albeit lame)
hacking tactics.

2. IPS is hardly a "test lab device" or unproven technology. I have
Guard units deployed all over the Pacific Northwest protecting critical
mainframes, DMZs, and even some Linux clusters. These units are like
tanks with practically zero down-time and exceptional performance. In
one case, a Guard unit is defending a particular client's credit card
system - and it has blocked more script kiddies and hackers than I can
well count. It is integrated with a comprehensive host-based IDS and
some other NIDS and provides exceptional insight and capability for
this customer.

3. However, I do agree with you that marketing can often pervert the
true value and capability of these systems. ISS and Network ICE have
had a hard time positioning and selling Guard units because they are
difficult to understand and hard to deploy. I have had success with
them mainly because I sell them as appliance type units and I have
special tweaks to make them really scream.

Furthermore, sales folks like to sell these as "all-in-one" high
margin, high-price items. Ideally, IPS should complement and integrate
with a comprehensive IDS offering and should never replace or supplant
a traditional firewall.

> Sourcefire *is* working on IPS too, both with things like in-line mode
> operation and firewall interoperability through mechanisms like OPSEC.
> I've seen a lot of people advocating the widespread replacement of IDS
> with IPS in the last couple months and I think that it's way too early
> to make that leap.

I agree that you cannot replace IDS with IPS. IPS is best seen as a
"special use" type solution. I pitch Guard units to companies that
have special areas that need exceptional defense. The most common
application is as a last-defense layer in front of mainframes or UNIX
clusters.

As for OPSEC interoperability - RealSecure has had this for eons. And
honestly, I don't think I have ever seen anybody use it. That doesn't
mean it doesn't work. But it's hard to implement unless there is a
very organized and well-planned IDS roll-out methodology used.

I also have some real reservations about any product automatically
rewriting firewall rules. Better to have set firewall rules and then
build in distributed, compartmentalized protection zones behind that
firewall. IPS and more firewalls are better suited to this role than
rewriting firewall rules at the perimeter.

> Do you think there's a conflict of interest here? Am I not allowed to
> have reservations about the technology even though I work on it? A
> lot of people would debate the value of having the firewall
> reconfigured by a NIDS, but people (like me) who work for companies
> that have features like that as requirements for the market they serve
> have to work within the market reality even though they may have
> reservations about the value of the technology itself. Would you say
> that the technology is completely, absolutely ready for prime time in
> your opinion as an evaluator of the *engineering* pros and cons of
> such a technology?

Think? I KNOW the technology is ready for prime time. I am sitting on
a client base of highly satisfied customers using and enjoying the
benefits of IPS devices. We've caught everything from nosy users to
corrupt software at a HUGE national financial company with these
devices.

However, IPS isn't for the faint of heart. It is a tough
implementation. The tuning and use of such systems can be very dicey.
And most people fall apart at the first dropped packet. There is a
challenging integration process, but done slowly and done properly, it
can work. And this isn't theory I am spouting here, this is my own
personal experience.

> Can you speak to those? I notice you guys at Latis use Snort as your
> supported IDS technology, how does your integrated solution fare when
> Snort has gone into self-preservation mode due to its memory cap being
> hit in its stateful inspection subsystems? How about in the same
> situation for the IP defragmentation subsystem? Does it dynamically
> reallocate the memcap based on the available free memory on the system
> or does it thrash? We had to get to *extremely* high loads in our
> test lab traffic generators (~1M concurrent sessions) on our gigabit
> product before we saw the degenerate thrashing situation Snort would
> descend into when the memory caps were hit. How are you guys handling
> that?

I'll be honest, I had a very hard time getting a Hogwash system to
work at all. However, I will admit that I am irreparably biased by my
BlackICE experience. So, when things don't look like BlackICE, I get
itchy. I spent a good week or more trying to get the system running.
When I did, I loaded up the segment (a fully switched 10/100 segment)
to about 75% utilization and my unit was really struggling to keep up.
My tests were hardly scientific or reliable since I was mostly just
playing with the system.

However, Guard systems I use have no problem handling fairly heavily
loaded 100 Mbps segments. Gigabit Guard is possible using load
balancers. You can run multiple Guards through a TopLayer IDS balancer
and then achieve a true Gigabit Guard unit. So far there is no single
Gigabit Guard solution.

> I say it's not 100% ready for prime time because it hasn't been
> deployed widely enough to have any sort of empirical evidence that it
> is and in my opinion as an *engineer* the case still has to be made.
> Once there are a few thousand NIPSes out there saving the bacon of
> large enterprises and that can be documented, I'll be a lot more
> impressed. When Sourcefire finally releases a solution it'll be the
> best technology that we can come up with (given all the usual
> constraints) and hopefully it'll be ready for prime time, but we'll
> need to see successful deployments of it before I'm going to convert
> to being an IPS advocate.

Well, if you need to see some successful IPS deployments, come out to
Seattle or Portland and I would be happy to walk you through one of
our Guard deployments (with the customer's approval of course) and
show you how they're working.

One of my Guard units has been on-line consistently since March of
2000 with only occasional reboots and software updates.

Okay - I know what you're thinking. "Oh, you're just a vendor of these
things and you'll say anything to sell them." Sure, I want to sell
them. I need to pay a mortgage just like everybody. However, unlike
most resellers who just shove products at their customers and
mindlessly bark marketing propaganda, my firm has always tried to sell
stuff we KNEW worked. It's why I won't sell some unnamed technologies.
I know they won't work and I know they are BS. (Besides, I sell, or at
least try to sell, SourceFire!) Guards work, and I can prove it. Not
with marketing BS, but real-world trials.

Lastly, I think it's great you are openly questioning these
technologies. They deserve questioning and debate. It's a testament to
Sourcefire and yourself that you can appreciate market desires but
also strive to openly discuss their real value. If more security firms
were more open about their ideas and theories for technologies, they
might be able to forge better technologies overall and ultimately
satisfy market desires more appropriately.

Andrew Plato, CISSP 
President / Principal Consultant
Anitian Corporation
www.anitian.com
