IDS mailing list archives

Re: NIPS Vendors explicit answer


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 26 Apr 2004 19:04:14 -0500

On Mon, 2004-04-26 at 18:53, Vikram Phatak wrote:
> There are many reasons for not immediately remediating a vulnerability
> by patching a system - (1) not enough time, (2) it may break an
> application you rely on, (3) not allowed to touch the system until the
> maintenance window, and so on.  As far as focusing on the
> vulnerabilities...  Focusing on the vulnerabilities enables us to
> protect systems until they are patched.  Preventing vulnerabilities
> from being exploited is how we keep worms and other attacks from
> successfully compromising systems.  If there were no vulnerabilities,
> there would be little need for Intrusion Prevention.

True. It seems I was focusing on the detection part, not the prevention
part. A product that shields existing vulnerabilities from a network
does have merit.

I think I just question why we need the product. It appears that it
would allow us to be more complacent with our networks. Why patch the
system when the IPS shields it? There seem to be two sides to the
IPS-shielding-the-network approach. I can see where it is useful
(especially when running Microsoft products, the latest SSL issue being
the perfect example). But at the same time it is only a band-aid until
the hosts are patched. Shouldn't we focus our preventative efforts on
the hosts?

(not dispelling IPS, but we should use it as a substitute for securing
systems).

> As far as looking the wrong way....  I would argue that some IPS
> vendors that have not reviewed the mission of IPS versus the mission
> of IDS are looking the wrong way :-)

Is that why Gartner got confused?  ;)

> Why not just disallow outgoing traffic from the web server in your
> firewall?  Besides which by the time you detect this behavior the
> system is already compromised.  How does this approach prevent
> anything from being compromised?

Oh sure, the firewall will hopefully prevent the outbound connection
from the web server. But that is traffic that can (and should) be
detected. The example (as most of my line of thought) was focused on
detection.

To restate my sentiments:
In my opinion, VA related info should be of no concern for an IDS.
However, VA info should be of importance for an IPS.

Network behavior should be of importance to an IDS, as well as a
flow-based IPS. But aren't flow-based IPS's the same as firewalls?

Cheers,
Frank


PS: Moderator. I hereby request the creation of a SecurityFocus-Intrusion
Prevention mailing list... to keep the two beasts apart :)
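The exchange above contrasts two handlings of a web server that starts talking outward: the firewall drops it (Vikram's point) and the IDS or flow-based IPS reports it (Frank's point). The script below is an added illustration, not code from the thread or from any vendor product. It assumes a hypothetical web server at 10.0.0.5, a small constructed egress allow-list, and a constructed flow-record format where the flag "S" marks the record whose source initiated the connection.

```python
"""Egress control for a web server: the firewall decision and the flow-based detection side by side.
Added example; all addresses, ports and log lines are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SERVER = ip_address("10.0.0.5")   # hypothetical web server address
# Destinations the server may *initiate* connections to (hypothetical): a DNS resolver and a patch mirror.
EGRESS_ALLOW = [
    (ip_network("10.0.0.53/32"), 53),
    (ip_network("10.0.1.0/24"), 80),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    initiated_by_src: bool   # True when this record is the connection-opening packet from src


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format: ts src:sport dst:dport proto flags."""
    ts, src, dst, proto, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, s_ip, int(s_port), d_ip, int(d_port), proto, flags == "S")


def egress_decision(flow: Flow) -> str:
    """Firewall view: ALLOW or DROP a connection that the web server itself opens.
    Anything else (inbound sessions, reply packets) is left to the stateful rules."""
    if ip_address(flow.src) != WEB_SERVER or not flow.initiated_by_src:
        return "ALLOW"
    for net, port in EGRESS_ALLOW:
        if ip_address(flow.dst) in net and flow.dport == port:
            return "ALLOW"
    return "DROP"


def detect_server_initiated(lines):
    """IDS view: report every connection the web server opens outside its egress allow-list.
    The firewall may already have dropped it; the point here is visibility, since a server
    that suddenly initiates outbound connections is the behaviour worth investigating."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if ip_address(f.src) == WEB_SERVER and f.initiated_by_src and egress_decision(f) == "DROP":
            alerts.append(f"{f.ts} web server initiated {f.proto}/{f.dport} to {f.dst}")
    return alerts


# Constructed sample flow records.
SAMPLE_FLOWS = [
    "10:00:01 198.51.100.7:51234 10.0.0.5:80 tcp S",   # client opens a session to the web server: normal
    "10:00:02 10.0.0.5:80 198.51.100.7:51234 tcp SA",  # server reply inside that session: normal
    "10:00:05 10.0.0.5:41000 10.0.0.53:53 udp S",      # server asks its resolver: on the allow-list
    "10:00:09 10.0.0.5:41001 203.0.113.9:443 tcp S",   # server opens a connection to an outside host: flagged
    "10:00:10 10.0.0.5:41002 10.0.1.20:80 tcp S",      # server fetches from the patch mirror: on the allow-list
]

if __name__ == "__main__":
    for flow_line in SAMPLE_FLOWS:
        print(egress_decision(parse_flow(flow_line)), flow_line)
    for alert in detect_server_initiated(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

Note that the flagged record uses destination port 443: an allow-list keyed on destination and port, rather than on "well-known" ports alone, is what lets both the firewall and the detector distinguish a patch download from a server calling out to an arbitrary host.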
