IDS mailing list archives
RE: amount of alarms generated by IDS
From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Thu, 13 May 2004 17:47:38 -0400
My 2 cents is that "IPS" is an interim product set we won't be seeing in a couple of years. Inline IDS exists, it's just what you call your IPS when you don't configure it to drop anything and just log events. :)

While the anomaly component of IDS is an interesting one, I don't know any network managers that would be willing to start dropping packets just because the pattern of their traffic is different today compared to what it was yesterday. So some of the IPS signatures are no losers as long as they're dropping TCP packets that can't have their SIP spoofed. So what, exactly, does all this buy the enterprise that a true Layer-7 firewall can't provide? I can't think of anything off the top of my head. It didn't happen before because non-ASIC based hardware could just barely keep up with L2-4 filtering while maintaining state awareness. The silicon is getting better and faster and able to look deeper into the packet, so that time will come soon. The question is, will the IPS vendors usurp the firewall vendors, or will the firewall vendors start building the right boxes and drive the IPS vendors out of business? I'm not a betting man.

IDS will eventually return to being an advanced logging and correlation tool. Successful security systems don't work unless they have both detective and preventative measures. Those detective measures work best when they're not part of the data path (i.e. IDS logs (when tuned) are more effective for enhancing security than firewall logs on a device that's in the data path, as there's a risk of corruption in an active participant (yes, you can work to minimize that risk, but you get my point)). Now the form we see IDS in will likely change (i.e. not standalone boxes, but, perhaps, integrated into the port level of the network or an independent security level in the OS kernel or something), but Intrusion Detection Systems in the purest sense of the term will always need to exist.
However, there's no getting around the fact that if you don't tune them to your environment you're going to start ignoring them in about 2 days.

My 2 cents,

Scott A. Wozny

-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: Wednesday, May 12, 2004 9:44 AM
To: Dennis Cox
Cc: Ravishankar Ithal; Rob Shein; Bhargav Bhikkaji; focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS

Thank you for the examples Dennis, I am still not convinced that an IPS provided value otherwise not available. My comments are inline.

Dennis Cox wrote:
> Jason, I had to take you up on your offer. Here's a recent example we heard back from a customer.
>
> A large cable company that provides Broadband Internet access uses software to monitor and provide troubleshooting support for subscribers. When their DNS server changed, the software caused a terrible traffic problem with a large number of DNS requests. Using our IPS they were able to do two things. One, Traffic Thresholds gave them the ability to detect and act on (by blocking or rate shaping, the administrator's choice) the abnormal traffic. The threshold detected a large amount of DNS traffic of a certain type and limited DNS traffic of this type to a preset amount (10 percent of total bandwidth; it was eating up over 70 percent). Two, they were able to write a filter for this traffic and install it in the IPSs to remove the traffic in the end. A good example of zero day protection.
This is also a great example of how a good firewall / proxy solution would have been appropriate had it been deployed properly. Using a good firewall, the DNS traffic would have been rate limited already by policy. The firewall/proxy also would have normalized this DNS traffic or denied it based on spec; it could also have acted as a DNS cache server, reducing total load on the actual DNS server and balancing it appropriately. I fail to see how an attack was blocked and how the IPS provided value over existing firewall technology.
> Another example of how an IPS can protect you is from bad network equipment. A Sun Server had a bad ethernet cable that was creating malformed packets that would knock out the ********** firewall. It basically created an ISIC attack in its own way. An IPS was installed and the firewall was fine. The customer however noted that he was still dropping lots of traffic. Sure enough, the IPS was dropping the invalid ethernet frames and notifying them. He investigated, replaced the ethernet cable, and problem solved.
I am shocked ;-) Were the firewall and host OS fully patched? This happens all of the time. A good firewall properly configured would have survived an ISIC test [1] (that is what it was initially designed for, IIRC) and not had a failure requiring the IPS. In addition, a good network management infrastructure would have alerted the administrator to a high number of errors on the switch and router interfaces, providing a much faster time to resolution. I still do not see how the IPS added value over a good firewall / proxy deployment and solid patch management.
> So in both these cases an IPS was able to detect "wacky" network conditions and protect the network (or help diagnose, depending on your point of view). Your statement regarding patching is true; it's a really good idea. However, what do you do when a patch comes out and you need to install it on 30,000 machines before the attack comes out (sometimes the next day)? Or if you're a University, how do you patch machines that aren't yours?
Unfortunately the inline device can only help at the border, and a good firewall will already do that. Name a single worm of late that would have made it past a properly deployed and configured firewall / proxy combination that could not have been mitigated trivially at the same point in the network.

I still maintain my statement from the last mail: "short of nuisance control and containment of segmented networks it has little value over the same resources applied to reducing overall risk. Every place you would deploy an IPS is a perfect place for a good firewall. $ for $, yen for yen, proactive security and patch management will get much more bang for the buck."

This topic historically goes on and on without end. I would like to stay on topic and in the context of the stated value of IPS, and that is blocking attacks. Anything else simply validates that an IPS is nothing more than a firewall with different messaging, as is the case with this example. To that end I am still looking for examples of any case where an inline IPS blocked an attack that would not have been blocked or mitigated otherwise by a good firewall solution and patching or mitigating a known vulnerability.

[1] - http://www.packetfactory.net/Projects/ISIC/
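The mechanism behind Dennis's first example (measure what share of the link each DNS query type is consuming, flag the type that exceeds a preset fraction, then shape it down to that fraction) and the rate limiting Jason says a firewall policy would already apply are the same two pieces of logic, whichever box runs them. The following is an added example written for this archive page; it is not code from either poster or from any vendor's product. It assumes a flow-record format (millisecond timestamp, protocol, destination port, DNS query type, byte count), a 1 second measurement window, a link capacity of 1,000,000 bytes/s, classification of DNS by query type, and a one-second burst allowance for the shaper; the sample traffic is constructed to reproduce the "over 70 percent" situation from the post.

```python
"""Traffic-threshold detection and token-bucket rate shaping.

Added example for this list-archive page, not code from the posters or
any IPS/firewall vendor.  Record format, window size, link capacity,
per-query-type classification and the sample numbers are assumptions.
"""
from collections import defaultdict

WINDOW_MS = 1000               # assumed measurement window
LINK_BYTES_PER_S = 1_000_000   # assumed link capacity
CAP_FRACTION = 0.10            # the "10 percent of total bandwidth" figure


def classify(rec):
    """Map a flow record to a traffic class; DNS is split by query type (assumption)."""
    if rec["proto"] == "udp" and rec["dport"] == 53:
        return "dns:" + rec.get("qtype", "?")
    return "other"


def share_by_class(records, window_start_ms, window_ms=WINDOW_MS):
    """Fraction of all bytes seen in the window that each traffic class carried."""
    totals = defaultdict(int)
    for rec in records:
        if window_start_ms <= rec["t_ms"] < window_start_ms + window_ms:
            totals[classify(rec)] += rec["bytes"]
    grand = sum(totals.values())
    return {cls: n / grand for cls, n in totals.items()} if grand else {}


def over_threshold(shares, cap=CAP_FRACTION, monitored_prefix="dns:"):
    """Monitored classes (here: DNS query types) whose share exceeds the cap."""
    return sorted(cls for cls, s in shares.items()
                  if cls.startswith(monitored_prefix) and s > cap)


class TokenBucket:
    """Integer token bucket: `rate` bytes per ms are added, up to `burst` bytes."""

    def __init__(self, rate_bytes_per_ms, burst_bytes):
        self.rate, self.burst = rate_bytes_per_ms, burst_bytes
        self.tokens, self.last_ms = burst_bytes, None

    def allow(self, size, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.burst, self.tokens + self.rate * (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def shape(records, flagged, cap=CAP_FRACTION, link_bps=LINK_BYTES_PER_S):
    """Shape each flagged class to cap*link; return per-class passed/dropped byte counts."""
    rate_ms = int(link_bps * cap) // 1000              # 100 bytes/ms for the assumed link
    buckets = {cls: TokenBucket(rate_ms, rate_ms * 1000) for cls in flagged}  # 1 s burst
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for rec in sorted(records, key=lambda r: r["t_ms"]):
        cls = classify(rec)
        bucket = buckets.get(cls)
        if bucket is None or bucket.allow(rec["bytes"], rec["t_ms"]):
            stats[cls]["passed"] += rec["bytes"]       # unflagged classes are untouched
        else:
            stats[cls]["dropped"] += rec["bytes"]
    return dict(stats)


def sample_records():
    """Constructed sample: one second of traffic with a runaway stream of PTR queries."""
    recs = []
    for i in range(29):    # background web traffic, 290,000 bytes
        recs.append({"t_ms": i * 34, "proto": "tcp", "dport": 80, "bytes": 10_000})
    for i in range(100):   # normal A lookups, 10,000 bytes
        recs.append({"t_ms": i * 10, "proto": "udp", "dport": 53, "qtype": "A", "bytes": 100})
    for i in range(500):   # runaway PTR queries from the monitoring software, 700,000 bytes
        recs.append({"t_ms": i * 2, "proto": "udp", "dport": 53, "qtype": "PTR", "bytes": 1_400})
    return recs


def run_example():
    """Detect the offending query type in the window, then shape it; return both results."""
    recs = sample_records()
    shares = share_by_class(recs, 0)
    flagged = over_threshold(shares)
    return shares, flagged, shape(recs, flagged)


if __name__ == "__main__":
    shares, flagged, stats = run_example()
    for cls, s in sorted(shares.items()):
        print(f"{cls:8s} {s:6.1%}")
    print("over threshold:", flagged)
    print("after shaping:", stats)
```

On the constructed sample the PTR queries take 70% of the window and are the only class flagged; the bucket lets roughly 200,000 bytes of them through in the second (its one-second burst plus one second of refill) and drops the rest, which is the "limited to a preset amount" behaviour from the post. Whether that shaper runs in an IPS or in a firewall policy is exactly the point Jason is making.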