IDS mailing list archives

RE: IPS, alternative solutions


From: "Stuart Staniford" <stuart () nevisnetworks com>
Date: Wed, 29 Sep 2004 15:42:33 -0700


Jason wrote:

It is unfortunate that none of the potential advancements you are referring
to are commercially viable today. Should one go looking at the inline
technology available which implements some form of non-signature-based
detection, they would find a product set that barely achieves accurate
rate-based detection and is still only relative to a single sensing point.

I don't believe this.  For a company that has a current product specifically
focused on worm containment that seems to understand the issues reasonably
well, look at ForeScout

http://www.forescout.com

However, I believe it's quite possible to use broader-featured IPSs in a
similar mode, if not with quite the same slickness and sensitivity.
Anything that can identify and block a portscan can be used to contain
scanning worms.  An IPS that cannot block a portscan after the first 10-20
scans is not worth the name, but I'm sure most of the major commercial
players can do that.  After that, containing current generation zero-day
worms means understanding that the network must be broken up into zones
separated by IPSs, that it works outbound not inbound (i.e. you have to
contain the worm to the zone where it got started, not try to prevent it
getting into some zone, which is much harder), and that your ultimate
protection is limited by the sensitivity of the IPS (how many scans it lets
by before it blocks) and the vulnerability density on the network.  If 50%
of the addresses in your class B have the same codebase on the same service
turned on, and they are all mutually visible, no IPS can save you from a
zero-day scanning worm.  But there's no reason your internal firewalls have
to be *that* loose.

Not to say this is the end of the story -- the worms will evolve sneakier
spread strategies -- but it's perfectly possible to contain current worm
spread algorithms with currently available technology, even if the
underlying vulnerability is completely unknown at the time of worm release.

Stuart.
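The containment argument above (zones separated by an IPS, sensitivity measured in scans let through, outcome governed by vulnerability density) as a toy simulation. This is an added example, not code from the post or from any product it mentions; the host count, zone count, scan budget and densities are constructed parameters chosen only to illustrate the argument.

```python
"""Toy model of zone-based worm containment (constructed example).

A random-scanning worm runs in a flat address space split into zones.  The
IPS between zones lets each host send `scan_budget` cross-zone scans and then
blocks that host's cross-zone traffic.  Hosts inside a zone are mutually
visible, so the IPS cannot see or stop intra-zone scanning.
"""
import random


def simulate(n_hosts, n_zones, vuln_density, scan_budget, steps=2000, seed=1):
    """Return (infected, vulnerable, zones_reached) after `steps` rounds.

    Each infected host scans one uniformly random address per round.
    vuln_density is the post's "vulnerability density", scan_budget the IPS
    "sensitivity"; n_zones=1 means there is no IPS in any path.
    """
    rng = random.Random(seed)            # fixed seed: reproducible runs
    zone_size = n_hosts // n_zones

    def zone(host):
        return host // zone_size

    vulnerable = {h for h in range(n_hosts) if rng.random() < vuln_density}
    if not vulnerable:
        return 0, 0, 0
    patient_zero = rng.choice(sorted(vulnerable))
    infected = {patient_zero}
    # cross-zone scans a host may still send before its zone IPS blocks it
    budget = {patient_zero: scan_budget}
    for _ in range(steps):
        for src in list(infected):
            dst = rng.randrange(n_hosts)
            if zone(dst) != zone(src):
                if budget[src] <= 0:
                    continue             # outbound already blocked at the IPS
                budget[src] -= 1
            if dst in vulnerable and dst not in infected:
                infected.add(dst)
                budget[dst] = scan_budget
    return len(infected), len(vulnerable), len({zone(h) for h in infected})


if __name__ == "__main__":
    # 1024 hosts in 8 zones; the IPS lets 10 cross-zone scans through per host
    for label, density, budget in (("dense, blocking", 0.5, 10),
                                   ("sparse, blocking", 0.01, 10),
                                   ("sparse, no blocking", 0.01, 10**9)):
        inf, vul, zones = simulate(1024, 8, density, budget)
        print(f"{label:20s} infected {inf}/{vul}, zones reached {zones}/8")
```

With 50% density every zone is seeded long before any host exhausts its budget, matching the class B remark above; at 1% density the same IPS sensitivity keeps the worm to a handful of zones while the unblocked run eventually reaches every vulnerable host.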

