IDS mailing list archives
RE: Hi, I want to study IPS
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 15 May 2004 01:43:53 -0600
> IDS and IPS are using the same tools and same abilities. They are
> actually the same. IPS came out as a "catch phrase" as a "different"
> solution than IDS. Please refer to the recent posting from "Frank
> Knobbe" and "Jason" as a reference. Don't get fooled in terminology
> and remember there is no "one" solution. Many of us use 4 or 5 types
> of systems to pull everything together into an IDS solution. Best of
> luck with your task. HAGO.
>
> Wil, you are right that some IPS products use similar techniques as IDS
> (inline packet filtering with patterns) but not all of them use that
> technique. Some vendors use a baseline of the network and take action if
> the baseline changes drastically. Some use a 'negative space' technique
> which allows only valid traffic and considers all other traffic as a DoS
> and drops it completely.
I think that Wil's point was that there are no new/different technologies in attack detection (I completely agree with this point). The same detection technologies used by IDS can be used by an IPS and vice versa (you can also use baselines and so on with IDS). Due to the fact that each one can use the same detection technologies available to the other, their detection capabilities remain the same.

The problem since the infamous Gartner Report is that marketing people of several companies stated that IPS have "better detection" capabilities, and so have less false positives, which is not true. The difference (in essence) is just whether to let it block automatically or not.

It would be much easier if we distinguished the essential functional parts of security controls and described each product as a combination of such parts:

* This box detects attacks at application level, has filtering capabilities and an inline architecture.
* This software uses positive logic to detect unwanted communications and malware at application level, but does not filter; it is passive in nature.
* This other software detects attacks at the network level, works in tap mode but it is able to tear apart connections identified as attacks in a reactive fashion.
* ...

Unfortunately, it is easier to call these things by a name and so anyone could say that this is a new product with new, never seen before, technology. So we will end with Antivirus with anti-spam capabilities called something like malware prevention systems. Someone else would add virus detection to antispam software, call it unsolicited data prevention systems and both guys will affirm that each product is something new that will work better than their ancestors.

Security controls consist of the same modules:

a) some kind of "sensors" to get data from the environment
b) a "rule base" that tells the control how to treat data acquired by sensors (what gets accepted or rejected)
c) an "action" module capable of (you guessed, what else...) taking actions based on the rules (how to accept/reject)

If you tear apart any passive IDS and any IPS, taking into account the above model, you will see that a) and b) are essentially interchangeable between them, but c) is not. In the end it is a terminology problem.

Cheers,

Omar.
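The sensor / rule base / action decomposition above can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from Omar Herrera, or from any IDS/IPS product, and every name in it (`Packet`, `Rule`, `Sensor`, `Engine`, the rule names and the sample traffic) is constructed for the illustration. It runs one rule base, including a signature rule and a positive-logic ("only allowed ports") rule, over the same constructed packets twice: once with a passive, alert-only action module and once with an inline, dropping one. The detection events come out identical; only the forwarding decision differs, which is the point that a) and b) are interchangeable while c) is not.

```python
"""Toy model of a security control split into sensor (a), rule base (b) and
action module (c).  Added example; all names and sample traffic are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed, simplified packet record used as sensor input."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """One entry of the rule base: a name and a predicate over a packet."""
    name: str
    matches: Callable[[Packet], bool]


# (b) Rule base.  Shared verbatim by both deployments below.  It mixes a
# classic pattern signature with a positive-logic rule that flags anything
# outside an allow-list, showing both styles live in the same module.
ALLOWED_PORTS = {80, 443}
RULE_BASE: List[Rule] = [
    Rule("http-path-traversal-pattern", lambda p: p.dport == 80 and b"../" in p.payload),
    Rule("telnet-not-expected", lambda p: p.dport == 23),
    Rule("port-outside-allowlist", lambda p: p.dport not in ALLOWED_PORTS),
]


class Sensor:
    """(a) Data acquisition.  Here it simply replays a constructed packet list;
    a real sensor would read from a tap, span port or inline interface."""

    def __init__(self, packets: Iterable[Packet]) -> None:
        self._packets = list(packets)

    def read(self) -> Iterable[Packet]:
        yield from self._packets


# (c) Action modules.  Each returns "pass" or "drop" for a packet that hit rules.
def passive_action(pkt: Packet, hits: List[str]) -> str:
    """Alert-only behaviour: record the event, never interfere with traffic."""
    return "pass"


def inline_action(pkt: Packet, hits: List[str]) -> str:
    """Blocking behaviour: a matching packet is not forwarded."""
    return "drop"


class Engine:
    """Glues (a), (b) and (c) together; the detection loop is identical
    regardless of which action module is plugged in."""

    def __init__(self, sensor: Sensor, rules: List[Rule],
                 action: Callable[[Packet, List[str]], str]) -> None:
        self.sensor, self.rules, self.action = sensor, rules, action

    def run(self) -> Tuple[List[Tuple[Packet, List[str]]], List[Packet]]:
        events: List[Tuple[Packet, List[str]]] = []   # what was detected
        forwarded: List[Packet] = []                  # what reached the destination
        for pkt in self.sensor.read():
            hits = [r.name for r in self.rules if r.matches(pkt)]
            verdict = self.action(pkt, hits) if hits else "pass"
            if hits:
                events.append((pkt, hits))
            if verdict == "pass":
                forwarded.append(pkt)
        return events, forwarded


# Constructed sample traffic: two benign packets, two that should match rules.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.6", "10.0.0.80", 80, b"GET /../../secret HTTP/1.0\r\n"),
    Packet("10.0.0.7", "10.0.0.80", 23, b"\xff\xfb\x01"),
    Packet("10.0.0.8", "10.0.0.80", 443, b"\x16\x03\x01"),
]


def compare_deployments(packets: List[Packet]) -> dict:
    """Run the same sensor data and rule base through both action modules and
    report what each detected and how much traffic each let through."""
    ids_events, ids_fwd = Engine(Sensor(packets), RULE_BASE, passive_action).run()
    ips_events, ips_fwd = Engine(Sensor(packets), RULE_BASE, inline_action).run()
    return {
        "ids_alerts": [hits for _, hits in ids_events],
        "ips_alerts": [hits for _, hits in ips_events],
        "ids_forwarded": len(ids_fwd),
        "ips_forwarded": len(ips_fwd),
    }


if __name__ == "__main__":
    result = compare_deployments(SAMPLE_TRAFFIC)
    print("detections identical:", result["ids_alerts"] == result["ips_alerts"])
    print("forwarded by passive deployment:", result["ids_forwarded"])
    print("forwarded by inline deployment: ", result["ips_forwarded"])
```

Swapping `passive_action` for `inline_action` changes nothing about what is detected (or about false positives, since those are produced by (b)); it only changes whether a false positive costs you an alert to triage or a dropped legitimate connection, which is the real operational trade-off behind the IDS/IPS naming debate.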
Current thread:
- FW: Hi, I want to study IPS Tarek Amr Abdullah (May 12)
- <Possible follow-ups>
- RE: Hi, I want to study IPS Arun Vishwanathan (May 12)
- RE: Hi, I want to study IPS Arun Vishwanathan (May 12)
- RE: Hi, I want to study IPS Josh Mills (May 12)
- RE: Hi, I want to study IPS (infor) urko zurutuza (May 13)
- RE: Hi, I want to study IPS Velasquez Venegas Jaime Omar (May 13)
- Re: Hi, I want to study IPS Greg Martin (May 14)
- RE: Hi, I want to study IPS Omar Herrera (May 16)
- Re: Hi, I want to study IPS Raistlin (May 22)
- Re: Hi, I want to study IPS Greg Martin (May 25)
- Re: Hi, I want to study IPS Stefano Zanero (May 25)
- RE: Hi, I want to study IPS Ingevaldson, Dan (ISS Atlanta) (May 14)
- RE: Hi, I want to study IPS Runion Mark A FGA DOIM WEBMASTER(ctr) (May 25)
- Re: Hi, I want to study IPS Ali Rajput (May 26)
- Testing IDS/IPS Signatures Securecatalyst (May 28)
- Re: Testing IDS/IPS Signatures Andrea Barisani (May 28)
- Re: Testing IDS/IPS Signatures Ron Gula (May 28)
- Re: Testing IDS/IPS Signatures ravivsn (May 31)
- Re: Hi, I want to study IPS Ali Rajput (May 26)