IDS mailing list archives

RE: Hi, I want to study IPS


From: Omar Herrera <oherrera () prodigy net mx>
Date: Sat, 15 May 2004 01:43:53 -0600



 >IDS and IPS are using the same tools and same abilities. They are
 >actually the same. IPS came out as a "catch phrase" as a "different"
 >solution than IDS. Please refer to the recent posting from "Frank
 >Knobbe" and "Jason" as a reference. Don't get fooled in terminology
 >and remember there is no "one" solution. Many of us use 4 or 5 types
 >of systems to pull everything together into an IDS solution. Best of
 >luck with your task. HAGO.
 >
 Wil, you are right that some IPS products use similar techniques as
 IDS (inline packet filtering with patterns) but not all of them use that
 technique. Some vendors use a baseline of the network and take action if
 the baseline changes drastically. Some use a 'negative space' technique
 which allows only valid traffic and considers all other traffic as a DoS
 and drops it completely.

I think that Wil's point was that there are no new/different
technologies in attack detection (I completely agree with this point).
The same detection technologies used by IDS can be used by an IPS and
vice versa (you can also use baselines and so on with IDS). Due to the
fact that each one can use the same detection technologies available to
the other, their detection capabilities remain the same.

The problem since the infamous Gartner Report is that marketing people
of several companies stated that IPS have "better detection"
capabilities, and so have fewer false positives, which is not true. The
difference (in essence) is just whether to let it block automatically or
not.

It would be much easier if we distinguished the essential functional
parts of security controls and described each product as a combination of
such parts:
* This box detects attacks at application level, has filtering
capabilities and an inline architecture.
* This software uses positive logic to detect unwanted communications
and malware at application level, but does not filter; it is passive in
nature.
* This other software detects attacks at the network level, works in tap
mode but is able to tear apart connections identified as attacks in a
reactive fashion.
...

Unfortunately, it is easier to call these things by a name, and so anyone
could say that this is a new product with new, never-seen-before
technology. So we will end up with antivirus with anti-spam capabilities
called something like "malware prevention systems". Someone else would add
virus detection to anti-spam software, call it an "unsolicited data
prevention system", and both guys will affirm that each product is
something new that will work better than its ancestors.

Security controls consist of the same modules:
a) some kind of "sensors" to get data from the environment
b) a "rule base" that tells the control how to treat data acquired by the
sensors (what gets accepted or rejected)
c) "action" modules capable of (you guessed, what else...) taking
actions based on the rules (how to accept/reject)

If you tear apart any passive IDS and any IPS, taking into account the
above model, you will see that a) and b) are essentially interchangeable
between them, but c) is not.

In the end it is a terminology problem.

Cheers,

Omar.
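The sensor / rule base / action decomposition argued for above, as an added illustration that is not part of the original thread: one shared rule base (a signature check and a per-source baseline, both detection techniques named in the thread) feeds three different action modules, so the verdicts are identical and only the response differs. The traffic records and the baseline threshold are constructed for the example.

```python
"""Toy model of a security control split into sensor data, rule base and action module.
Added example, not code from the mailing list; all inputs below are constructed."""
from collections import Counter

# Constructed sensor output (part a): records standing in for packets seen on the wire.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "port": 80, "payload": "GET /index.html"},
    {"src": "10.0.0.5", "port": 80, "payload": "GET /../../etc/passwd"},  # signature hit
    *[{"src": "10.0.0.9", "port": 22, "payload": ""} for _ in range(30)],  # volume anomaly
]

# Hypothetical learned baseline: more events than this from one source is a deviation.
BASELINE_MAX_PER_SRC = 20


def rule_base(events):
    """Shared detection logic (part b): returns (event, reason) with reason None if clean."""
    counts = Counter(e["src"] for e in events)
    verdicts = []
    for e in events:
        if "../" in e["payload"]:
            verdicts.append((e, "signature:path-traversal"))
        elif counts[e["src"]] > BASELINE_MAX_PER_SRC:
            verdicts.append((e, "baseline:volume"))
        else:
            verdicts.append((e, None))
    return verdicts


# Action modules (part c): same rule base, different responses.
def passive_ids(events):
    """Tap mode: every packet reaches its destination; detections only raise alerts."""
    alerts = [reason for _, reason in rule_base(events) if reason]
    return {"forwarded": len(events), "alerts": alerts}


def inline_ips(events):
    """Inline mode: flagged packets are dropped before they are forwarded."""
    verdicts = rule_base(events)
    forwarded = [e for e, reason in verdicts if reason is None]
    return {"forwarded": len(forwarded), "dropped": len(events) - len(forwarded)}


def reactive_ids(events):
    """Tap mode with reactive tear-down: packets already passed; offending sources get reset."""
    verdicts = rule_base(events)
    reset_sources = sorted({e["src"] for e, reason in verdicts if reason})
    return {"forwarded": len(events), "resets": reset_sources}
```

Swapping the rule base (say, a "negative space" allow-list instead of signatures and baselines) changes what all three modules flag in exactly the same way, which is the interchangeability of a) and b) the post describes.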


