RE: need your help about IPS and IDS,thanks

["Eric McCarty" <eric () piteduncan com>]

I don't think there could be a better breakdown between the two
technologies. Great work Chris, the papers on your website were
definitely informative and worth reading for anyone looking for more
information than what was already discussed.



Eric 

-----Original Message-----
From: Chris Petersen [mailto:chris.petersen () security-conscious com] 
Sent: Thursday, November 18, 2004 8:38 AM
To: 'Lily'; Eric McCarty
Cc: focus-ids () securityfocus com
Subject: RE: need your help about IPS and IDS,thanks

Lily, I think of IPS as IDS with the ability to take action.  Both IPS
and IDS have techniques for detecting malicious activity and most
commercial products use a combination:

Network I(P/D)S
- Packet signature analysis
- Protocol analysis
- Session analysis

Host I(P/D)S
- System call analysis
- Binary behavior analysis (e.g., is IIS.exe accessing an unauthorized
file/directory)
- Automated Log analysis
- File integrity monitoring

Regardless of whether the product is an IPS or IDS, it is going to
detect malicious activity via one or more of the aformentioned
techniques.  The difference with IPS is that once malicious activity is
detected, the IPS has the ability to take action where this action might
be:

Network IPS
- Terminate IP connection (if sitting in-line)
- Send TCP Reset (if killing TCP session and not sitting in-line)
- Send ICMP unreachable (if killing UDP session and not sitting
in-line)(if my memory serves)

Host IPS
- Block system call
- Block access
- Terminate Process

What one has to weigh are the pro's/con's of each.  As Eric mentioned in
his post, if you kill a session, you can't continue to collect data on
that session, however, the session is killed so if it was actually an
attack you are probably better off.  In talking to users of IPS, they
typically use the product as an IDS first (just detect stuff) and then
begin to turn on IPS actions as they determine the reliability of its
detection capabilities.  

Personally, I see value in both.  Use an IPS to prevent what can
reliably be prevented, use an IDS (or the IPS in IDS-only mode) to
detect the more difficult to prevent attacks and collect additional
forensic data.  Now what you with all that data is another question (and
why I built LogRhythm ;-).

There are a couple of papers I wrote that might be of help, one is an
intro to IDS and the detection techniques referred to above, the other
is a brief statement on IPS.  You can find them on the literature page
at www.logrhythm.com.

Cheers and good luck,

Chris Petersen
CTO, Security Conscious, Inc.

-----Original Message-----
From: Lily [mailto:xiaoche111 () hotmail com]
Sent: Wednesday, November 17, 2004 2:39 AM
To: Eric McCarty
Cc: focus-ids () securityfocus com
Subject: Re: need your help about IPS and IDS,thanks


Thanks for your reply.But I still some question about it:
1.I see 'HIPS creates a baseline of normal activity' and 'NIPS to
perform pattern-matching between what is known as an attack and the
traffic that is traversing the network' in the Web of Vigilar. If the
meaning of these two sentences is HIPS can only build the normal model
to detect while NIPS can use the pattern matching as the IDS? 2. If the
'IPS just knows its an attack which needs to be
blocked/dropped/reset',what's the meaning of log the traffic?I think the
logs is no meaning because of the integrity.These type logs can not
distinguish any known attack. 
3.I am puzzling what technology is used of IDS by IPS?
----- Original Message ----- 
From: "Eric McCarty" <eric () piteduncan com>
To: "Lily" <xiaoche111 () hotmail com>; <focus-ids () securityfocus com>
Sent: Wednesday, November 17, 2004 1:00 AM
Subject: RE: need your help about IPS and IDS,thanks


Responses Inline :

1.IPS must build normal model while IDS can use the abnormal
model(misuse detection)?If it is what's the difference between the IDS's
anomaly detection and IPS?

IDS can watch the whole session and figure out whats just happened. IPS
must know long before the session is finished in order to Prevent
anything from happening. 

4.Why someone said IPS can not log the trace of the attacks while IDS
can do?I think IPS can do it easily.Maybe because IPS is in-line and log
the trace needing many time?

The IPS would see the same packets any IDS would, the difference is that
once the IPS figured out the traffic is malicious it takes action. Thus
the IPS log would be up to the point of action being taken, so an IDS
may see the entire flow of traffic and more acurately match the traffic
to a signature of a known attack while the IPS just knows its an attack
which needs to be blocked/dropped/rset. 

So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank
you in advance.

I had this great apricot beer the other day, I highly recommend it. 



Lily

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------