IDS mailing list archives

Re: Can Of Worms - Attack Mitigation Systems vs. Network IPS


From: Joel Snyder <Joel.Snyder () Opus1 COM>
Date: Thu, 29 Jan 2004 20:13:49 -0700

Hmmm. Well, I just handed in a huge story to Network World, comparing 11 of these products, and I also divided them into "rate based" IPS (i.e., things which tend to not look at content very much) and "content based" IPS.

The problem with those characterizations is that there are products which do a little of both. For example, Top Layer is an outstanding rate-based IPS, but it also does content-based IPS. Tipping Point is an outstanding content-based IPS, but it also does rate-based IPS. (These are not the only examples, just two which come to mind easily.) And BOTH types of IPS do the same protocol anomaly stuff---it is easy to detect malformed TCP packets and LAND attacks, no matter what your area of specialty. So both content-based and rate-based are also anomaly-detecting. (This is why calling content-based IPS "signature-based" IPS is very incorrect.)

I believe that, over time, the good IPS products will tend to include both technologies as they understand them better.

It is also, I believe, a severe mis-characterization to call every content-based IPS an "IDS with the IPS bit set." For example, Check Point's InterSpect IPS (a very content-oriented IPS) would never do as an IDS; it's just not in its heritage. The reason that this statement is made is that IDS companies are ideally suited to do content-based IPS, ergo there are many IPS which *are* IDS with IPS functionality added. ISS is the most obvious example which comes to mind.

What will happen in the long run is IPS technology will be incorporated into all sorts of products. I realize that there's a lot of incentive to try and pigeonhole products (Gartner specializes in that sort of destructive characterization), but it seems better to consider products against a 2-space or 3-space of features and functions and place them there: firewall-ish, or content-based IPS-ish, or rate-based IPS-ish, for example. This way we avoid putting products where they don't belong or unfairly comparing products which aren't really designed with the same goals in mind.

jms


Andy Cuff wrote:

Hi Folks,
Please pardon the above pun but this is another of those IDS terminology
issues that I'd like to thrash out to understand what the members of this
list think.

Intrusion Prevention Systems are certainly the current flavor of the month,
Gartner's death of IDS has added to the marketing fervor for vendors to have
an IPS in their stable of products.  But what products fit into the
category?  There seems to be an ever increasing number of DOS/Attack
Mitigation Systems that are labelling themselves as IPS, therefore after
some offlist consultation I'd like to see what list members feel about this
statement that was passed to me by a kind-hearted individual last week

The main definition between NIPS and Mitigators would be Mitigators are
designed to do one specific job - detect and mitigate against DOS/DDOS
attacks and bilateral effects of worm activity. NIPS are designed to detect
malicious traffic and drop the packet/stream. NIPS are not always
necessarily good at mitigating DOS/DDOS attacks. Mitigators generally do not
have the signature coverage to provide good NIPS functionality. NIPS are
like IDS but in-line. Mitigators are like firewalls but designed to detect
and prevent DOS attacks rather than enforce policy.

I have moved many of the attack mitigators from my list of IPS at
http://www.securitywizardry.com/inline.htm to a new Attack Mitigation System
page at http://www.securitywizardry.com/idsdosmit.htm, on which I currently
have 12 products listed.

Thanks for any time you can devote to this cause.

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com




--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms () Opus1 COM    http://www.opus1.com/jms    Opus One
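The distinction drawn in the thread (protocol-anomaly checks that any IPS can do, versus rate-based and content-based decisions) is easier to see in code than in category labels. The following is an added example, not code from either poster or from any of the products named above: a toy inline inspector that parses constructed IPv4/TCP packets and applies the three kinds of check in turn. The LAND condition (source address and port equal to destination address and port), the SYN+FIN and short-data-offset checks, the SYN-per-second threshold and the payload signature are all illustrative assumptions chosen for the demo, not vendor logic.

```python
"""
Added example (not from the original thread): a toy inline inspector showing
  - protocol-anomaly checks: LAND, SYN+FIN, TCP data offset shorter than 20 bytes
  - a rate-based check: more than N SYNs per second toward one destination
  - a content-based check: a byte pattern in the TCP payload
Packets, thresholds and the signature are constructed for illustration.
"""
import struct
from collections import defaultdict

SYN, FIN, PSH_ACK = 0x02, 0x01, 0x18


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b"", data_offset=5):
    """Build a minimal IPv4+TCP packet (checksums left zero; enough for parsing).
    data_offset is in 32-bit words; values below 5 yield a malformed header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_offset * 4 + len(payload),
                         0, 0, 64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                          flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return header fields of an IPv4/TCP packet, or None if not TCP/IPv4.
    Raises ValueError when the packet is too short to hold both headers."""
    if len(raw) < 40:
        raise ValueError("truncated")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp = raw[(ver_ihl & 0x0F) * 4:]
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (off_res >> 4) * 4  # bytes; valid headers have >= 20
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "data_offset": data_offset, "payload": tcp[data_offset:]}


class Inspector:
    def __init__(self, syn_per_sec=3, signature=b"/cgi-bin/"):
        self.syn_per_sec = syn_per_sec          # assumed rate threshold
        self.signature = signature              # assumed content signature
        self.syn_counts = defaultdict(int)      # (dst, whole second) -> SYN count

    def inspect(self, raw, now):
        """Return ("pass", None) or ("drop", reason) for one packet at time `now`."""
        try:
            pkt = parse_packet(raw)
        except ValueError:
            return ("drop", "anomaly:truncated")
        if pkt is None:
            return ("pass", None)
        # 1. protocol anomalies: cheap header sanity checks any IPS can make
        if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
            return ("drop", "anomaly:land")
        if pkt["data_offset"] < 20:
            return ("drop", "anomaly:tcp-data-offset")
        if pkt["flags"] & SYN and pkt["flags"] & FIN:
            return ("drop", "anomaly:syn-fin")
        # 2. rate-based: count SYNs per destination per second, ignore content
        if pkt["flags"] & SYN:
            key = (pkt["dst"], int(now))
            self.syn_counts[key] += 1
            if self.syn_counts[key] > self.syn_per_sec:
                return ("drop", "rate:syn-flood")
        # 3. content-based: look inside the payload
        if self.signature in pkt["payload"]:
            return ("drop", "content:signature")
        return ("pass", None)


def run_demo():
    """Feed constructed packets through the inspector and return the verdicts."""
    insp = Inspector()
    verdicts = [
        insp.inspect(build_packet("10.0.0.5", "10.0.0.5", 80, 80, SYN), 0.0),
        insp.inspect(build_packet("10.0.0.9", "10.0.0.5", 4444, 80, SYN | FIN), 0.1),
        insp.inspect(build_packet("10.0.0.9", "10.0.0.5", 4444, 80, SYN, data_offset=4), 0.2),
    ]
    # five SYNs to one host within the same second: threshold is 3, so 4th and 5th drop
    for i in range(5):
        pkt = build_packet("10.0.0.%d" % (20 + i), "10.0.0.5", 40000 + i, 80, SYN)
        verdicts.append(insp.inspect(pkt, 1.0 + i * 0.01))
    verdicts.append(insp.inspect(build_packet("10.0.0.9", "10.0.0.5", 4444, 80, PSH_ACK,
                                              b"GET /cgi-bin/phf HTTP/1.0\r\n"), 2.0))
    verdicts.append(insp.inspect(build_packet("10.0.0.9", "10.0.0.5", 4444, 80, PSH_ACK,
                                              b"GET /index.html HTTP/1.0\r\n"), 2.1))
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The ordering matters: header sanity checks run first because they need no state and no payload, which is why a purely rate-based box and a purely content-based box can both make them; the SYN counter never looks at bytes past the header, and the signature check never looks at timing, which is the real difference between the two product families the thread is sorting.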



