Re: Intrusion Prevention Systems

[roy lo <roylo () sr2c com>]

I think there is a very important point is missing here, which is the 
amount of traffic.
Chances are Yahoo -US along has more hits to it, than let's say maybe 
all of citi-group worldwide.
And when you have "critical service" + "high traffic" + "24/7 service" 
that is a complete different story,
then what are you talking about here.

The biggest problem with IPS is that it is lacking the "AI" (or logic) 
to determine false positives. Which is not a big problem in a office env.
Or even a low-middle traffic site.
But when you are handle-ing tens of millions concurrent access/traffic, 
then it is a complete different story.
(try to imagine that IPS "auto-protect" your site every mins or so)

Here, let me give a better example, just per say if the chance of having 
false positive is 1 out of 10 million (this is just some random number)
which in a office env. let's say the average access rate for day is a 
million, which means it will happen once every ten days.
But in a large web portal site (like yahoo, google, etc..) they might 
have 10 million concurrent per second; which means it will happen every 
second.

The numbers might not be correct (since I made those up), but I think 
you can see the point I'm trying to make.

Like I have been saying for awhile, current IPS is really lacking the AI 
(to learn from patterns and so on)


Andrew Plato wrote:

> > From: Stephen P. Berry [mailto:spb () meshuggeneh net] 
> >    
>
>  
>
> > The way I see it (and by `see' here I mean `grossly simplify 
> > for the sake of the argument'), there are two main flavours 
> > of machine you might want to protect with one of these gimcracks:
> >
> >         -Critical services.  I.e., a company's online store or something
> >          like that.  If this thing goes down, some marketing droid
> >          immediately appears in your office/cube, and starts reciting
> > 	 figures about how the company starts losing nineteen 
> > megadoubloons
> >          a fortnight during outages.  So this is the stuff you're really
> >          worried about.
> >        -Random desktops.  I.e., everything else.  The mean 
> > time between
> >          outages depends on when the lusers last took their medication,
> >          and someone else fields the calls for this stuff.
> >    
>
> I would agree with your assessment Stephen. However, I think we need to
> differentiate Network-based IPS (NIPS) from Host-based IPS (HIPS). 
>
> I don't think we'll be seeing those acronyms on any marketing brochures
> anytime soon. :-) 
>
> NIPS are usually in-line firewall/IDS hybrids that can defend systems
> en-masse. HIPS are usually software that can react to funny behavior and
> defend the system (usually using some kind of firewall or TCP kill.)  
>
> I see NIPS products like Guard as "special-use" systems designed to
> offer a "special" layer of protection to critical systems or systems
> that are prohibitively difficult to individually secure. 
>
> The examples I like to point out are:
>
> 1. Critical mainframes: These systems are often the lifeblood of
> financial organizations yet lack a lot of security mechanisms as they
> are complex and use arcane software. An IPS in front of one of these
> systems can help defend it from random attacks or even snooping
> employees. 
>
> 2. Critical segments: I have one client that has a big bank of Linux
> clustered machines. These are highly complex system that has a very
> specific purpose. Due to the complexity of these systems, it is
> prohibitively difficult to secure each machine individually. Therefore,
> a Guard unit can be slapped in front of the entire segment and help
> defend the entire cluster. 
>
> 3. Temporary defense: Another usage of IPS is in a temporary defense
> situation. For example, one customer has a DMZ where they are deploying
> web applications. They need to test and evaluate the use of these
> applications across the Internet but fear hacks while those systems are
> in testing. An IPS can offer a temporary defense layer that can analyze
> what is coming in and help harden those applications from attack. 
>
> What these products are NOT is a replacement for a firewall or IDS. They
> are just another option admins can use to help make a network a more
> resistant and resilient to intrusion.
>
> HIPS is a whole different story. In some respects, HIPS is a bit easier
> to handle and has had more success. Entercept, for example has done
> quite well with their behavior-based IPS solutions. ISS of course has
> RealSecure Server Sensor and Desktop Protector which are essentially IPS
> products. 
>
> Where HIPS goes astray is when people mix up HIPS with the "personal
> firewall" market. A HIPS product like Entercept is NOT a personal
> firewall like ZoneAlarm or Tiny. Zone is a big, dumb lock for home users
> to feel cozy that their DSL isn't being hacked by script kiddies. It is
> not an IPS. 
>
>  
>
> > Now I'm not suggesting that it's worthless or -harmful- to 
> > deploy an IPS in such a situation---just that there isn't 
> > much to justify the pain and expense of such a deployment.  
> > If this is -not- the case, then I'd submit that you've 
> > probably made a nonzero number of GCEs in the implementation 
> > of your network.
> >    
>
> There is pain with an IPS installation. But, there is pain ANYTIME you
> change the dynamics of a network. This is why IPS has to be considered
> and implemented carefully. But you could say that about any new or
> emerging technology. Early adopters are going to feel more pain, but
> they will also be ahead of the curve.  
>
> The expense can be justified if you consider that it delivers a level of
> peace of mind. Although there are always ways to thwart these
> technologies, they do offer an increased degree of security than if they
> weren't there at all. That translates into some peace of mind,
> which...however intangible or questionable...has value. 
>
> __________________________________
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
>
> 503-644-5656 Office
> 503-644-8574 Fax
> 503-201-0821 Mobile
> www.anitian.com 
> _______________________________
>
>
>  


--
Roy Lo  
Freelance Consultant 
E-mail -  roylo () sr2c com


Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)