IDS mailing list archives
Re: Intrusion Prevention Systems
From: roy lo <roylo () sr2c com>
Date: Thu, 31 Oct 2002 15:43:40 -0500
I think there is a very important point missing here, which is the amount of traffic. Chances are Yahoo US alone has more hits to it than, let's say, maybe all of Citigroup worldwide. And when you have "critical service" + "high traffic" + "24/7 service", that is a completely different story from what you are talking about here.

The biggest problem with IPS is that it is lacking the "AI" (or logic) to determine false positives. Which is not a big problem in an office env., or even a low-to-middle traffic site. But when you are handling tens of millions of concurrent accesses/traffic, then it is a completely different story. (Try to imagine that IPS "auto-protects" your site every minute or so.)

Here, let me give a better example. Just say the chance of having a false positive is 1 out of 10 million (this is just some random number). In an office env., let's say the average access rate for a day is a million, which means it will happen once every ten days. But in a large web portal site (like Yahoo, Google, etc.) they might have 10 million concurrent per second, which means it will happen every second.

The numbers might not be correct (since I made those up), but I think you can see the point I'm trying to make.

Like I have been saying for a while, current IPS is really lacking the AI (to learn from patterns and so on).
Andrew Plato wrote:
From: Stephen P. Berry [mailto:spb () meshuggeneh net]

The way I see it (and by `see' here I mean `grossly simplify for the sake of the argument'), there are two main flavours of machine you might want to protect with one of these gimcracks:

- Critical services. I.e., a company's online store or something like that. If this thing goes down, some marketing droid immediately appears in your office/cube, and starts reciting figures about how the company starts losing nineteen megadoubloons a fortnight during outages. So this is the stuff you're really worried about.

- Random desktops. I.e., everything else. The mean time between outages depends on when the lusers last took their medication, and someone else fields the calls for this stuff.

I would agree with your assessment Stephen. However, I think we need to differentiate Network-based IPS (NIPS) from Host-based IPS (HIPS). I don't think we'll be seeing those acronyms on any marketing brochures anytime soon. :-)

NIPS are usually in-line firewall/IDS hybrids that can defend systems en masse. HIPS are usually software that can react to funny behavior and defend the system (usually using some kind of firewall or TCP kill.)

I see NIPS products like Guard as "special-use" systems designed to offer a "special" layer of protection to critical systems or systems that are prohibitively difficult to individually secure. The examples I like to point out are:

1. Critical mainframes: These systems are often the lifeblood of financial organizations yet lack a lot of security mechanisms as they are complex and use arcane software. An IPS in front of one of these systems can help defend it from random attacks or even snooping employees.

2. Critical segments: I have one client that has a big bank of Linux clustered machines. These are highly complex systems that have a very specific purpose. Due to the complexity of these systems, it is prohibitively difficult to secure each machine individually. Therefore, a Guard unit can be slapped in front of the entire segment and help defend the entire cluster.

3. Temporary defense: Another usage of IPS is in a temporary defense situation. For example, one customer has a DMZ where they are deploying web applications. They need to test and evaluate the use of these applications across the Internet but fear hacks while those systems are in testing. An IPS can offer a temporary defense layer that can analyze what is coming in and help harden those applications from attack.

What these products are NOT is a replacement for a firewall or IDS. They are just another option admins can use to help make a network more resistant and resilient to intrusion.

HIPS is a whole different story. In some respects, HIPS is a bit easier to handle and has had more success. Entercept, for example, has done quite well with their behavior-based IPS solutions. ISS of course has RealSecure Server Sensor and Desktop Protector, which are essentially IPS products.

Where HIPS goes astray is when people mix up HIPS with the "personal firewall" market. A HIPS product like Entercept is NOT a personal firewall like ZoneAlarm or Tiny. Zone is a big, dumb lock for home users to feel cozy that their DSL isn't being hacked by script kiddies. It is not an IPS.

Now I'm not suggesting that it's worthless or -harmful- to deploy an IPS in such a situation---just that there isn't much to justify the pain and expense of such a deployment. If this is -not- the case, then I'd submit that you've probably made a nonzero number of GCEs in the implementation of your network.

There is pain with an IPS installation. But there is pain ANYTIME you change the dynamics of a network. This is why IPS has to be considered and implemented carefully. But you could say that about any new or emerging technology. Early adopters are going to feel more pain, but they will also be ahead of the curve.

The expense can be justified if you consider that it delivers a level of peace of mind. Although there are always ways to thwart these technologies, they do offer an increased degree of security than if they weren't there at all. That translates into some peace of mind, which...however intangible or questionable...has value.

__________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
_______________________________
--
Roy Lo
Freelance Consultant
E-mail - roylo () sr2c com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
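The false-positive arithmetic in the post above, carried a step further as an added example (not part of the original message): it turns the post's admittedly made-up numbers into the mean time between IPS misfires on legitimate traffic, the probability of at least one misfire in a given window, and the per-request false-positive rate a signature would have to beat to stay within a daily budget. The per-request probability, the two traffic rates and the Poisson model are assumptions of this example, not figures from the thread.

```python
import math

# Constructed scenarios, using the numbers the post itself calls made up:
# per-request false-positive probability 1e-7, an office doing 1 million
# requests per day, and a large portal doing 10 million requests per second.
SECONDS_PER_DAY = 86400.0


def expected_fp_per_second(fp_prob, requests_per_second):
    """Expected IPS false positives per second, treating each request as an
    independent trial with probability fp_prob of tripping a signature."""
    return fp_prob * requests_per_second


def mean_seconds_between_fp(fp_prob, requests_per_second):
    """Mean interval between false positives; infinite if the rate is zero."""
    lam = expected_fp_per_second(fp_prob, requests_per_second)
    return math.inf if lam == 0 else 1.0 / lam


def prob_at_least_one_fp(fp_prob, requests_per_second, window_seconds):
    """Poisson approximation: P(at least one false positive in the window).
    This is the chance the IPS 'auto-protects' against a legitimate client
    at least once during that window."""
    lam = expected_fp_per_second(fp_prob, requests_per_second)
    return 1.0 - math.exp(-lam * window_seconds)


def max_fp_prob_for_budget(requests_per_second, max_fp_per_day):
    """Invert the model: the per-request false-positive probability a signature
    must stay under so the IPS misfires at most max_fp_per_day times a day."""
    requests_per_day = requests_per_second * SECONDS_PER_DAY
    return max_fp_per_day / requests_per_day


if __name__ == "__main__":
    fp = 1e-7
    office = 1e6 / SECONDS_PER_DAY  # 1 million requests per day
    portal = 1e7                    # 10 million requests per second
    for name, rps in (("office", office), ("portal", portal)):
        print(name, "mean seconds between FPs:",
              mean_seconds_between_fp(fp, rps))
        print(name, "P(>=1 FP in one day):",
              prob_at_least_one_fp(fp, rps, SECONDS_PER_DAY))
    # What a portal signature would need to achieve to misfire at most daily
    print("portal, 1 FP/day budget -> per-request FP prob <=",
          max_fp_prob_for_budget(portal, 1.0))
```

The office case comes out at one misfire every ten days and the portal at one per second, as the post says; the inverted budget shows why a per-request rate that is harmless on a small network is unacceptable at portal scale.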