IDS mailing list archives

Re: amount of alarms generated by IDS

From: Jason <security () brvenik com>
Date: Wed, 12 May 2004 09:44:02 -0400

Thank you for the examples Dennis, I am still not convinced that an IPSprovided value otherwise not available. My comments are inline.


Dennis Cox wrote:

Jason,
I had to take you up on your offer. Here's a recent example we heardback from a customer.
A large cable company that provides Broadband Internet access usessoftware to monitor and provide troubleshooting support forsubscribers. When their DNS server changed the software caused aterrible traffic problem with a large number of DNS requests. Using ourIPS they were able to do two things: One Traffic Thresholds gave themthe ability to detect and act on by blocking or rate shaping(administrators choice) the abnormal traffic. The threshold detected alarge amount of DNS traffic of a certain type and limited DNS trafficof this type to a preset amount (10 percent of total bandwidth - it waseating up over 70 percent). They were able to write a filter for thistraffic and install it in the IPS' to remove the traffic in the end. Agood example of zero day protection.

This is also a great example of how a good firewall / proxy solutionwould have been appropriate had it been deployed properly, using a goodfirewall the DNS traffic would have been rate limited already by policy.The firewall/proxy also would have normalized this DNS traffic or deniedit based on spec, it could have also acted as a DNS cache serverreducing total load on the actual DNS server and balancing itappropriately. I fail to see how an attack was blocked and how the IPSprovided value over existing firewall technology.

Another example of how an IPS can protect you is by bad networkequipment. A Sun Server had a bad ethernet cable that was creatingmalformed packets that would knock out the ********** firewall. Itbasically created an ISIC attack in it's own way. An IPS was installedand the firewall was fine. The customer however noted that he was stilldropping lots of traffic. Sure enough the IPS was dropped the invalidethernet frames and notifying them. He investigated - replaced theethernet cable and problem solved.


I am shocked ;-) Was the firewall and host OS fully patched?

This happens all of the time. A good firewall properly configured wouldhave survived an ISIC test [1] ( that is what it was initially designedfor IIRC ) and not had a failure requiring the IPS. In addition, a goodnetwork management infrastructure would have alerted the administratorto a high number of errors on the switch and router interfaces providinga much faster time to resolution. I still do not see how the IPS addedvalue over a good firewall / proxy deployment and solid patch management.

So in both these cases an IPS was able to detect "wacky" networkconditions and protect the network (or help diagnose - depends on yourpoint of view). Your statement regarding patching is true - it's areally good idea. However, what do you do when a patch comes out andyou need to install it on 30,000 machines before the attack comes out(sometimes the next day)? Or if your a University - how do you patchmachines that aren't yours?

Unfortunately the inline device can only help at the border and a goodfirewall will already do that, name a single worm of late that wouldhave made it past a properly deployed and configured firewall / proxycombination that could not have been mitigated trivially at the samepoint in the network. I still maintain my statement from the last mail.

"short of nuisance control and containment of segmented networks it haslittle value over the same resources applied to reducing overall risk.Every place you would deploy an IPS is a perfect place for a goodfirewall. $ for $ yen for yen proactive security and patch managementwill get much more bang for the buck."

This topic historically goes on and on without end, I would like to stayon topic and in the context of the stated value of IPS and that isblocking attacks. Anything else simply validates that an IPS is nothingmore than a firewall with different messaging as is the case with thisexample.

To that end I am still looking for examples of any case where an inlineIPS blocked an attack that would not have been blocked or mitigatedotherwise by a good firewall solution and patching or mitigating a knownvulnerability.



[1] - http://www.packetfactory.net/Projects/ISIC/


---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

RE: amount of alarms generated by IDS, (continued)
- - RE: amount of alarms generated by IDS Shawn (May 06)
    - RE: amount of alarms generated by IDS Ravishankar Ithal (May 07)
- RE: amount of alarms generated by IDS Harper, Patrick (May 06)
- Re: amount of alarms generated by IDS Bhargav Bhikkaji (May 10)
  - Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
    - RE: amount of alarms generated by IDS Rob Shein (May 11)
    - RE: amount of alarms generated by IDS Ravishankar Ithal (May 12)
    - RE: amount of alarms generated by IDS Rob Shein (May 11)
    - Re: amount of alarms generated by IDS Jason (May 11)
    - Re: amount of alarms generated by IDS Dennis Cox (May 11)
    - Re: amount of alarms generated by IDS Jason (May 13)
    - RE: amount of alarms generated by IDS Frank Knobbe (May 11)
    - Hi, I want to study IPS cto (May 11)
    - RE: Hi, I want to study IPS Shawn (May 13)
  - Re: amount of alarms generated by IDS Andy Cuff (May 11)
- RE: amount of alarms generated by IDS Runion Mark A FGA DOIM WEBMASTER(ctr) (May 11)
- RE: amount of alarms generated by IDS Wozny, Scott (US - New York) (May 13)
  - Re: amount of alarms generated by IDS nick black (May 14)
    - Re: amount of alarms generated by IDS Stefano Zanero (May 22)
    - Re: amount of alarms generated by IDS nick black (May 25)