IDS mailing list archives
RE: IPS, alternative solutions
From: "Stuart Staniford" <stuart () nevisnetworks com>
Date: Wed, 29 Sep 2004 15:42:33 -0700
Jason wrote:
It is unfortunate that none of the potential advancements you are referring to are commercially viable today. Should one go looking at the inline technology available which implements some form of non signature based detection they would find a product set that barely achieves accurate rate based detection and is still only relative to a single sensing point.
I don't believe this. For a company that has a current product specifically focused on worm containment that seems to understand the issues reasonably well, look at ForeScout, http://www.forescout.com. However, I believe it's quite possible to use broader-featured IPSs in a similar mode, if not with quite the same slickness and sensitivity. Anything that can identify and block a portscan can be used to contain scanning worms. An IPS that cannot block a portscan after the first 10-20 scans is not worth the name, but I'm sure most of the major commercial players can do that.

After that, containing current generation zero-day worms means understanding that the network must be broken up into zones separated by IPSs, that it works outbound not inbound (i.e. you have to contain the worm to the zone where it got started, not try to prevent it getting into some zone, which is much harder), and that your ultimate protection is limited by the sensitivity of the IPS (how many scans it lets by before it blocks) and the vulnerability density on the network. If 50% of the addresses in your class B have the same codebase on the same service turned on, and they are all mutually visible, no IPS can save you from a zero-day scanning worm. But there's no reason your internal firewalls have to be *that* loose.

Not to say this is the end of the story -- the worms will evolve sneakier spread strategies -- but it's perfectly possible to contain current worm spread algorithms with currently available technology, even if the underlying vulnerability is completely unknown at the time of worm release.

Stuart.
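The containment argument in the post above (an IPS on every zone boundary that lets a source get a handful of scans through before blocking it, with the outcome set by the IPS's sensitivity and the network's vulnerability density), as an added toy simulation. This is illustrative code written for this archive page, not Stuart's code and not ForeScout's or any other vendor's logic. Everything in it is an assumption chosen to make the argument concrete: a flat space of 2048 addresses carved into sixteen zones of 128, an IPS that permits each source `threshold` outbound scans and then drops the rest, no filtering at all inside a zone, a worm that picks targets uniformly at random, 40 scans per host per round, a seeded synthetic population in which each address is vulnerable with probability `density`, and a back-of-the-envelope `zone_reproduction_estimate` that is this model's own figure, not a published formula.

```python
"""Zone-based containment of a random-scanning worm: a toy simulation.

Added illustration, not code from the original post.  The network model,
the IPS model and every parameter value are assumptions: a flat address
space split into equal zones, an IPS on each zone boundary that lets a
source make `threshold` outbound scans and then blocks it, unrestricted
traffic inside a zone, and a worm that scans uniformly at random.
"""
import random
from collections import defaultdict


class OutboundScanBlocker:
    """Per-source scan counter standing in for a zone-boundary IPS.

    Counts connection attempts that leave the source's zone and blocks the
    source once it has been allowed `threshold` of them (the next attempt
    is dropped and trips the block).  threshold=None models having no IPS
    at all: everything is permitted.
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = defaultdict(int)
        self.blocked = set()

    def permit(self, src):
        if self.threshold is None:
            return True
        if src in self.blocked:
            return False
        self.seen[src] += 1
        if self.seen[src] > self.threshold:
            self.blocked.add(src)
            return False
        return True


def zone_reproduction_estimate(threshold, density, zone_size):
    """First-order estimate of how many other zones one seeded zone seeds.

    This is the model's own back-of-the-envelope figure, not a published
    formula.  A seeded zone holds about density*zone_size vulnerable hosts;
    each gets `threshold` outbound scans through before the IPS blocks it,
    and each such scan lands on a vulnerable host with probability about
    `density`.  Below 1.0 the outbreak dies out at zone scale; far above
    1.0 no sensitivity setting of the IPS will save the network.
    """
    return threshold * density * density * zone_size


def simulate(n_addrs=2048, zone_size=128, density=0.01, threshold=10,
             scans_per_round=40, rounds=40, seed=7):
    """Run the worm and return (infected, vulnerable, blocked_sources).

    Constructed synthetic population: every address is independently
    vulnerable with probability `density`; the worm starts on the lowest
    vulnerable address.  Scans aimed outside the source's zone go through
    the blocker; scans inside the zone are never filtered.
    """
    rng = random.Random(seed)
    vulnerable = {a for a in range(n_addrs) if rng.random() < density}
    infected = {min(vulnerable)}
    ips = OutboundScanBlocker(threshold)

    for _ in range(rounds):
        newly_infected = set()
        for src in infected:
            src_zone = src // zone_size
            for _ in range(scans_per_round):
                dst = rng.randrange(n_addrs)
                if dst // zone_size != src_zone and not ips.permit(src):
                    continue  # outbound scan dropped by the zone IPS
                if dst in vulnerable and dst not in infected:
                    newly_infected.add(dst)
        infected |= newly_infected
    return len(infected), len(vulnerable), len(ips.blocked)


if __name__ == "__main__":
    runs = (
        ("dense network, IPS blocks after 10 scans", 0.5, 10, 20),
        ("sparse network, no IPS", 0.01, None, 40),
        ("sparse network, IPS blocks after 10 scans", 0.01, 10, 40),
    )
    for label, density, threshold, rounds in runs:
        hit, vuln, blocked = simulate(density=density, threshold=threshold,
                                      rounds=rounds)
        est = ("n/a" if threshold is None else
               f"{zone_reproduction_estimate(threshold, density, 128):.2f}")
        print(f"{label}: {hit}/{vuln} vulnerable hosts infected, "
              f"{blocked} sources blocked, zone-level R estimate {est}")
```

Run as a script, the three runs reproduce the post's three points: at 50% density every zone is seeded within a couple of rounds even though every infected host is blocked after ten outbound scans (the zone-level estimate is in the hundreds); at 1% density with no boundary IPS the worm still reaches most of the vulnerable hosts given enough rounds; and at 1% density with the same ten-scan IPS the outbreak stays stuck in a handful of hosts near where it started. The only knobs are `threshold` (the IPS sensitivity) and `density`, which is the point of the argument.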
Current thread:
- RE: IPS, alternative solutions Stuart Staniford (Sep 30)
- <Possible follow-ups>
- Re: IPS, alternative solutions Justin . Ross (Sep 30)