IDS mailing list archives

Re: Wishlist for IPS Products


From: "Srinivasa Rao Addepalli" <srao () intoto com>
Date: Sun, 12 Sep 2004 12:14:41 -0700

Most of the features are common across IDS, Inline-IDS and Inline-IPS.
For example, signatures have to be robust and accurate in all three cases.
But one should be very careful in blocking the traffic. Unless it is known
that a signature does not have any false positives, it is not good to block the
traffic based on pattern detection. IPS products provide for blocking on a
per-signature-rule basis, but that needs to be set carefully. IPS
does not mean that it implicitly blocks the traffic upon detection.
What one should look for is application decoding capability, to reduce
false positives. This will give confidence to block the traffic based on patterns.

I feel that Inline (IDS or IPS) products give quite a bit of advantage in
rate-limiting the traffic. Upon a traffic anomaly, Inline products have better
control on successfully reducing the traffic, and due to that genuine traffic
can be passed even where there is a flood of sessions/traffic.
For example, IPS products can classify the traffic into different protocols/
applications (such as P2P Kazaa, eDonkey, BitTorrent, AOL IM, MSN IM,
YAHOO IM and all other standard protocols) based on ports and/or signatures,
and one can limit the traffic or sessions for given applications. One might
say it is a firewall feature, but again IPS products can also do this, due to their
inline capability. In future, I see both of these technologies merging anyway...

Inline products, in my view, should also work transparently. They should not appear
as a router in the network; rather they should appear as a bridge/switch in
the network. Network administrators should not have to change their IP addressing range.
It should be plug and play. One should look for this capability in Inline IPS products.
Of course, there can be some deployments where appearing as a router is needed.
One should look for IPS products which have both capabilities.

Session data logging (as discussed in the mailing list) is also quite important for analysis.
One technique which we follow is to remove any logged data (at the end of the session) if there is no
exploit found during the data transfer. Even this can generate a significant amount of
data, and we provide different controls on the amount of data it can log per session and
the type of sessions for which data is to be logged (on a 5-tuple basis), etc.

I also feel that one should look for flexibility in the Management/Administration of IPS products.
Some of these features are actually common whether it is IDS or IPS.
- Does it give flexibility to create your own rules/signatures? In a good number of cases, the general
  signatures provided may not be good enough for the deployment environment. Sometimes
  the administrator might like to change the signature rule itself. One should look for this
  kind of capability.
- Does it give a complete view of the traffic flowing through the IPS? If the IPS is placed at the edge
  of a network, the administrator should be able to look at the traffic patterns.
- In an IPS, inbound and outbound traffic characteristics can be different, so look for an IPS which
  provides different signature rule bases for inbound and outbound. If the IPS is used in a many-networks
  scenario (virtualization), then ensure that the IPS provides virtualization.
- Look for an IDS/IPS which can detect (or provide configuration for) standard applications running on
  non-standard ports and then apply application-specific signatures to traffic on those non-standard ports.


Srini
Intoto Inc.
www.intoto.com
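The session-logging approach described above (buffer per session, discard at session end if no exploit was seen, with a per-session byte cap and 5-tuple selection), as an added illustration that is not code from the posting or from Intoto; the class names, the policy callable and the sample traffic are all constructed here for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Session key: the 5-tuple the posting uses to select which sessions get logged.
FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")

@dataclass
class Session:
    key: FiveTuple
    data: bytearray = field(default_factory=bytearray)
    truncated: bool = False   # hit the per-session byte cap
    alerted: bool = False     # a signature fired on this session

class SessionLogger:
    """Buffers payload per session; keeps the buffer only if an alert fired (hypothetical class)."""
    def __init__(self, per_session_cap, log_policy):
        self.cap = per_session_cap      # max bytes buffered per session
        self.policy = log_policy        # callable(FiveTuple) -> bool: which sessions to log
        self.active, self.retained = {}, {}

    def on_packet(self, key, payload):
        if not self.policy(key):
            return                      # session type not selected for logging
        s = self.active.setdefault(key, Session(key))
        room = max(self.cap - len(s.data), 0)
        if len(payload) > room:
            s.truncated = True          # record that the cap cut this session short
        s.data += payload[:room]

    def on_alert(self, key):
        if key in self.active:
            self.active[key].alerted = True

    def on_session_end(self, key):
        """Return True if the buffer was retained, False if discarded (clean session)."""
        s = self.active.pop(key, None)
        if s is not None and s.alerted:
            self.retained[key] = s
            return True
        return False                    # no exploit seen: drop the buffered data

def demo():
    """Constructed sample traffic (not real captures) exercising the three cases."""
    log = SessionLogger(per_session_cap=16,
                        log_policy=lambda k: k.proto == "tcp" and k.dst_port == 80)
    web = FiveTuple("10.0.0.5", 40001, "192.0.2.10", 80, "tcp")    # alert fires
    dns = FiveTuple("10.0.0.5", 53001, "192.0.2.53", 53, "udp")    # excluded by policy
    clean = FiveTuple("10.0.0.6", 40002, "192.0.2.10", 80, "tcp")  # logged, no alert
    log.on_packet(web, b"GET /index.html HTTP/1.0\r\n")  # 26 bytes, capped to 16
    log.on_alert(web)
    log.on_packet(dns, b"\x12\x34" * 4)
    log.on_packet(clean, b"GET / HTTP/1.0")
    return {"web_kept": log.on_session_end(web), "dns_kept": log.on_session_end(dns),
            "clean_kept": log.on_session_end(clean), "web_bytes": len(log.retained[web].data),
            "web_truncated": log.retained[web].truncated, "active_left": len(log.active)}
```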
----- Original Message -----
From: "PS R" <secureyourself () gmail com>
To: <focus-ids () securityfocus com>
Sent: Friday, September 10, 2004 7:18 AM
Subject: Wishlist for IPS Products


I have seen a lot of discussion about the differences between IDS,
IPS, and firewalls and the potential for convergence, but I do not
recall a discussion on the primary features that an IPS should have
out of the box.

I am thinking of:
- Flow Control - limitations on flooding, unused connections, etc...
- Robust, ACCURATE signature base
- Packet capture - no debate on how much before, as that has been covered
- Pre-deployment network analysis tools to accelerate deployment
- Anomaly detection
- Alert export compatibility with 3rd party event management solutions

It seems like discussions of this type can only serve to improve the
products on the market (or coming to the market), since we know at
least some of the vendors are monitoring this list.

Jack

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------