IDS mailing list archives
RE: NIPS Vendors explicit answer
From: "Brian Smith" <bsmith () tippingpoint com>
Date: Sat, 1 May 2004 20:36:48 -0500
Disclaimer first: I work for a vendor (TippingPoint). That being said, I've spent the last couple of years developing testing methodologies for IPSs, so I have at least some strong opinions :-). You should look at the NSS test results: http://www.nss.co.uk/acatalog/Intrusion_Prevention_Systems__IPS_.html To date, this is the only comprehensive independent IPS test that's been done that I'm aware of. The report's $75 to buy and a bargain at that. The purchased report includes the test results, which you'll want. You probably won't be able to fully replicate the NSS test suite (it took a year to develop and two weeks per vendor to run), but a couple of things to check when evaluating these products, especially those that didn't go through NSS (Radware is the only one on your short list). 1) Make sure the product continues to block attacks when simple, off-the-shelf evasion techniques are employed. Some easy to try tools that the hackers all use are fragroute and whisker http://monkey.org/~dugsong/fragroute/ http://www.wiretrip.net/rfp/ The techniques these tools employ are documented at http://www.insecure.org/stf/secnet_ids/secnet_ids.html http://www.wiretrip.net/rfp/txt/whiskerids.html 2) Test the IPS like you would any other network element (switch, router, etc). Measure latency and throughput with different packet sizes and different protocol mixes. It's generally a good idea to test the extremes (all 64 byte packets, all UDP traffic, all ICMP traffic, fragmented traffic, out-of-order TCP traffic, etc) to see how the IPS fairs. Not that you're likely too see all 64 byte packets or all fragmented traffic in a real network, but it'll give you an idea the performance limits of each IPS. 3) Also make sure that the performance is acceptable by testing the device inline in *your* network. Try some simple performance tests (copying files, compiling, ping to measure latency, etc) with and without the IPS to see its effect on performance. If the IPS slows your network to a crawl, that's usually a non-starter. 4) Ask the vendor to explain how their process for releasing updates to the product to protect against new attacks, and how many of their filters protect against recent attacks. As a rule, blocking attacks from 5 years ago isn't as important as blocking attacks from the last couple of months, since you've probably already patched the systems against the older attacks. Detecting old attacks is more of an IDS function that an IPS function. 5) Think about how the product would work in your environment in a worm storm, or other worst-case scenarios. If the management network is virtually down, can you still configure the box to block the attack that's bringing it down? How does HA for the device work? Does it fail open, closed, or is it configurable? Hope this helps! Brian -----Original Message----- From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net] Sent: Wednesday, April 28, 2004 10:00 AM To: Rob Shein; Frank Knobbe; Vikram Phatak Cc: focus-ids () securityfocus com Subject: RE: NIPS Vendors explicit answer Importance: High Hello Everyone, I am responsible for testing and offering an IPS solution for big networks with high rated throughputs for my company(an ISP) and our customers. As i read these mails flowing around,i said "yes this is the right place to share my opinions". I would rather ask a question outside the theory about IDS-IPS comparision.Right now i am more interested in product comparision becaues of my urgent duty I had the chance to test Radware Defense Pro only as ab inline - IPS product. It seems to be very fast responsive and successfull blocker against DDOS attacks,Synfloods and typical worms and detecting Protocol Anomalies. The other vendors waiting for my tests:) are Netscreen IDP,RealSecure ISS Proventia G200 and Network Associates NAI Intruvert 2600 series. Does any of you know about these products,especially in a competitive way between them? I would appreciate your answers Regards Melih Kirkgöz Network Security Services Koç.net Haberlesme Teknolojileri ve Iletisim Hizmetleri Camlica Is Merkezi B3 Blok Uskudar 81190 Istanbul -TURKEY email: melihk () koc net URL :http://www.koc.net -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: Tuesday, April 27, 2004 6:39 PM To: 'Frank Knobbe'; 'Vikram Phatak' Cc: focus-ids () securityfocus com Subject: RE: NIPS Vendors explicit answer I can answer this fairly easily. Bruce Schneier, among other people, has been pointing out that the real measure of security is how gracefully it fails. In many large environments (like where I am right now) there can be confusion as to who is responsible for which system; the system in question may go unpatched as a result. When there's an IPS on top of everything, it makes a big difference, because now you have another layer of defense to protect it. At some point, someone is bound to notice that the system isn't patched, but at least it won't be because of some 1337 d00d tearing it up. For a public-facing service this is an entire second layer of protection, where before there was only one. I'd also think that any environment that could tackle the implementation of an IPS correctly would already have patching fairly well in hand. And I doubt they'd stop patching at that point, anyways. Oh, and I second the request for an IPS list. Good idea, Frank!
-----Original Message----- From: Frank Knobbe [mailto:frank () knobbe us] Sent: Monday, April 26, 2004 8:04 PM To: Vikram Phatak Cc: focus-ids () securityfocus com Subject: Re: NIPS Vendors explicit answer
<snip>
True. It seems I was focusing on the detection part, not the prevention part. A product that shields existing vulnerabilities from a network does have merit. I think I just question why we need the product. It appears that it would allows us to be more complacent with our networks. Why patch the system when the IPS shields it? There seem to be two sides to the IPS-shielding-the-network approach. I can see where it is useful (especially when running Microsoft products, the latest SSL issue being the perfect example). But at the same time it is only a band-aid until the hosts are patched. Shouldn't we focus our preventative efforts on the hosts? (not dispelling IPS, but we should use it as a substitute for securing systems).
<snip snip> --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- -----Original Message----- From: Melih Kirkgöz (Koç.net) [mailto:melihk () koc net] Sent: Wednesday, April 28, 2004 10:00 AM To: Rob Shein; Frank Knobbe; Vikram Phatak Cc: focus-ids () securityfocus com Subject: RE: NIPS Vendors explicit answer Importance: High Hello Everyone, I am responsible for testing and offering an IPS solution for big networks with high rated throughputs for my company(an ISP) and our customers. As i read these mails flowing around,i said "yes this is the right place to share my opinions". I would rather ask a question outside the theory about IDS-IPS comparision.Right now i am more interested in product comparision becaues of my urgent duty I had the chance to test Radware Defense Pro only as ab inline - IPS product. It seems to be very fast responsive and successfull blocker against DDOS attacks,Synfloods and typical worms and detecting Protocol Anomalies. The other vendors waiting for my tests:) are Netscreen IDP,RealSecure ISS Proventia G200 and Network Associates NAI Intruvert 2600 series. Does any of you know about these products,especially in a competitive way between them? I would appreciate your answers Regards Melih Kirkgöz Network Security Services Koç.net Haberlesme Teknolojileri ve Iletisim Hizmetleri Camlica Is Merkezi B3 Blok Uskudar 81190 Istanbul -TURKEY email: melihk () koc net URL :http://www.koc.net -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: Tuesday, April 27, 2004 6:39 PM To: 'Frank Knobbe'; 'Vikram Phatak' Cc: focus-ids () securityfocus com Subject: RE: NIPS Vendors explicit answer I can answer this fairly easily. Bruce Schneier, among other people, has been pointing out that the real measure of security is how gracefully it fails. In many large environments (like where I am right now) there can be confusion as to who is responsible for which system; the system in question may go unpatched as a result. When there's an IPS on top of everything, it makes a big difference, because now you have another layer of defense to protect it. At some point, someone is bound to notice that the system isn't patched, but at least it won't be because of some 1337 d00d tearing it up. For a public-facing service this is an entire second layer of protection, where before there was only one. I'd also think that any environment that could tackle the implementation of an IPS correctly would already have patching fairly well in hand. And I doubt they'd stop patching at that point, anyways. Oh, and I second the request for an IPS list. Good idea, Frank!
-----Original Message----- From: Frank Knobbe [mailto:frank () knobbe us] Sent: Monday, April 26, 2004 8:04 PM To: Vikram Phatak Cc: focus-ids () securityfocus com Subject: Re: NIPS Vendors explicit answer
<snip>
True. It seems I was focusing on the detection part, not the prevention part. A product that shields existing vulnerabilities from a network does have merit. I think I just question why we need the product. It appears that it would allows us to be more complacent with our networks. Why patch the system when the IPS shields it? There seem to be two sides to the IPS-shielding-the-network approach. I can see where it is useful (especially when running Microsoft products, the latest SSL issue being the perfect example). But at the same time it is only a band-aid until the hosts are patched. Shouldn't we focus our preventative efforts on the hosts? (not dispelling IPS, but we should use it as a substitute for securing systems).
<snip snip> --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- RE: NIPS Vendors explicit answer Jason Haar (May 01)
- RE: NIPS Vendors explicit answer Frank Knobbe (May 02)
- <Possible follow-ups>
- RE: NIPS Vendors explicit answer Brian Smith (May 01)
- RE: NIPS Vendors explicit answer Bob Walder (May 02)