IDS mailing list archives

RE: amount of alarms generated by IDS


From: "Wozny, Scott (US - New York)" <swozny () deloitte com>
Date: Thu, 13 May 2004 17:47:38 -0400

My 2 cents is that "IPS" is an interim product set we won't be seeing in
a couple of years.  Inline IDS exists, it's just what you call your IPS
when you don't configure it to drop anything and just log events.  :)
While the anomaly component of IDS is interesting, I don't know any
network managers that would be willing to start dropping packets just
because the pattern of their traffic is different today compared to what
it was yesterday.  So some of the IPS signatures are no losers as long
as they're dropping TCP packets that can't have their SIP spoofed.  So
what, exactly, does all this buy the enterprise that a true Layer-7
firewall can't provide?  I can't think of anything off the top of my
head.  It didn't happen before because non-ASIC based hardware could
just barely keep up with L2-4 filtering while maintaining state
awareness.  The silicon is getting better and faster and able to look
deeper into the packet so that time will come soon.  The question is
will the IPS vendors usurp the firewall vendors or will the firewall
vendors start building the right boxes and drive the IPS vendors out of
business.  I'm not a betting man.

IDS will eventually return to being an advanced logging and correlation
tool.  Successful security systems don't work unless they have both
detective and preventative measures.  Those detective measures work best
when they're not part of the data path (i.e. IDS logs (when tuned) are
more effective for enhancing security than firewall logs on a device
that's in the data path as there's a risk for corruption in an active
participant (yes, you can work to minimize that risk, but you get my
point)).  Now the form we see IDS in will likely change (i.e. not
standalone boxes, but, perhaps, integrated into the port level of the
network or an independent security level in the OS kernel or something)
but Intrusion Detection Systems in the purest sense of the term will
always need to exist.  However, there's no getting around the fact that
if you don't tune them to your environment you're going to start
ignoring them in about 2 days.

My 2 cents,

Scott A. Wozny

-----Original Message-----
From: Jason [mailto:security () brvenik com] 
Sent: Wednesday, May 12, 2004 9:44 AM
To: Dennis Cox
Cc: Ravishankar Ithal; Rob Shein; Bhargav Bhikkaji;
focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS


Thank you for the examples Dennis, I am still not convinced that an IPS 
provided value otherwise not available. My comments are inline.

Dennis Cox wrote:
Jason,

I had to take you up on your offer. Here's a recent example we heard
back from a customer.

A large cable company that provides Broadband Internet access uses
software to monitor and provide troubleshooting support for
subscribers. When their DNS server changed the software caused a
terrible traffic problem with a large number of DNS requests. Using our
IPS they were able to do two things: One, Traffic Thresholds gave them
the ability to detect and act on by blocking or rate shaping
(administrator's choice) the abnormal traffic. The threshold detected a
large amount of DNS traffic of a certain type and limited DNS traffic
of this type to a preset amount (10 percent of total bandwidth - it was
eating up over 70 percent). They were able to write a filter for this
traffic and install it in the IPS' to remove the traffic in the end. A
good example of zero day protection.

This is also a great example of how a good firewall / proxy solution
would have been appropriate had it been deployed properly; using a good
firewall, the DNS traffic would have been rate limited already by policy.
The firewall/proxy also would have normalized this DNS traffic or denied
it based on spec, it could have also acted as a DNS cache server
reducing total load on the actual DNS server and balancing it
appropriately. I fail to see how an attack was blocked and how the IPS
provided value over existing firewall technology.


Another example of how an IPS can protect you is by bad network
equipment. A Sun Server had a bad ethernet cable that was creating
malformed packets that would knock out the ********** firewall. It
basically created an ISIC attack in its own way. An IPS was installed
and the firewall was fine. The customer however noted that he was still
dropping lots of traffic. Sure enough the IPS was dropping the invalid
ethernet frames and notifying them. He investigated - replaced the
ethernet cable and problem solved.

I am shocked ;-) Was the firewall and host OS fully patched?

This happens all of the time. A good firewall properly configured would
have survived an ISIC test [1] ( that is what it was initially designed
for IIRC ) and not had a failure requiring the IPS. In addition, a good
network management infrastructure would have alerted the administrator
to a high number of errors on the switch and router interfaces providing
a much faster time to resolution. I still do not see how the IPS added
value over a good firewall / proxy deployment and solid patch
management.


So in both these cases an IPS was able to detect "wacky" network
conditions and protect the network (or help diagnose - depends on your
point of view). Your statement regarding patching is true - it's a
really good idea. However, what do you do when a patch comes out and
you need to install it on 30,000 machines before the attack comes out
(sometimes the next day)? Or if you're a University - how do you patch
machines that aren't yours?

Unfortunately the inline device can only help at the border and a good 
firewall will already do that, name a single worm of late that would 
have made it past a properly deployed and configured firewall / proxy 
combination that could not have been mitigated trivially at the same 
point in the network. I still maintain my statement from the last mail.

"short of nuisance control and containment of segmented networks it has 
little value over the same resources applied to reducing overall risk. 
Every place you would deploy an IPS is a perfect place for a good 
firewall. $ for $ yen for yen proactive security and patch management 
will get much more bang for the buck."

This topic historically goes on and on without end, I would like to stay
on topic and in the context of the stated value of IPS and that is
blocking attacks. Anything else simply validates that an IPS is nothing
more than a firewall with different messaging as is the case with this
example.

To that end I am still looking for examples of any case where an inline
IPS blocked an attack that would not have been blocked or mitigated
otherwise by a good firewall solution and patching or mitigating a known
vulnerability.


[1] - http://www.packetfactory.net/Projects/ISIC/
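The traffic-threshold mechanism Dennis describes (detect a class of DNS traffic that exceeds its bandwidth share, then rate-shape it down to a preset 10 percent), together with the detect-only versus in-path distinction Scott draws, as an added Python example that is not code from either poster or from any IPS vendor. The sample traffic, the class names, the sliding window and the hysteresis rule are assumptions constructed for the demonstration; it also counts alerts per threshold crossing rather than per packet, which is the tuning point the thread's subject line is about.

```python
from collections import deque
WATCHED = "dns_a"  # stands in for the "DNS traffic of a certain type" in the anecdote
# Constructed sample (not a real capture): (time_ms, traffic_class, size_bytes);
# one second of web traffic, then one second in which a DNS burst competes with it.
SAMPLE = sorted([(100 * i, "http", 1500) for i in range(10)]
                + [(1000 + 10 * i, WATCHED, 100) for i in range(100)]
                + [(1000 + 100 * i, "http", 1500) for i in range(10)])

class TrafficThreshold:
    """Sliding-window bandwidth-share threshold (hypothetical logic, not a vendor's):
    alert on the offered share of WATCHED traffic, shape its forwarded share."""
    def __init__(self, window_ms, max_pct):
        self.window_ms, self.max_pct, self.over = window_ms, max_pct, False
        self.events = deque()  # (time_ms, cls, size, forwarded)
        self.alerts = []       # one entry per threshold crossing, not per packet

    def _bytes(self, forwarded_only):
        total = watched = 0
        for _, cls, size, fwd in self.events:
            if fwd or not forwarded_only:
                total += size
                watched += size if cls == WATCHED else 0
        return total, watched

    def handle(self, t, cls, size):
        """Process one packet; return True if forwarded, False if shaped away."""
        while self.events and t - self.events[0][0] > self.window_ms:
            self.events.popleft()
        forwarded = True
        if cls == WATCHED:  # forward only while the class stays within its budget
            ftot, fwatch = self._bytes(forwarded_only=True)
            forwarded = 100 * (fwatch + size) <= self.max_pct * (ftot + size)
        self.events.append((t, cls, size, forwarded))
        # Detect on offered (pre-drop) bytes; hysteresis avoids re-alerting every packet.
        otot, owatch = self._bytes(forwarded_only=False)
        pct = 100 * owatch / otot
        if not self.over and pct > self.max_pct:
            self.over = True
            self.alerts.append((t, round(pct, 1)))
        elif self.over and pct < self.max_pct / 2:
            self.over = False
        return forwarded

def run(sample=SAMPLE, window_ms=2000, max_pct=10):
    th, fwd, drop = TrafficThreshold(window_ms, max_pct), 0, 0
    for t, cls, size in sample:
        ok = th.handle(t, cls, size)
        if cls == WATCHED:
            fwd, drop = fwd + ok, drop + (not ok)
    return fwd, drop, th.alerts  # (forwarded, dropped, alerts) for WATCHED packets
```

On the constructed burst the shaper forwards 33 of 100 watched packets, holding the forwarded share just under 10 percent, while the detector raises a single alert at the first crossing instead of one per packet.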

