IDS mailing list archives

RE: Wishlist for IPS Products


From: "Paine, Steve" <Steve.Paine () ish com>
Date: Mon, 13 Sep 2004 09:59:46 +0200

Having been through the IPS purchasing cycle, I can input my thoughts.
(personal of course)

I think the next big step in IPS will be packet correction/content
correction.
Currently most IPS's are packet-based filters passing or dropping packets
only.

So my wish for next-gen IPS is:
We need to be able to cover content checking for non-time-critical flows:
email, HTTP.
This will allow checking of:
- cross-site scripting issues.
- gzip-encoded content checking for HTML, MIME etc. (requires full-stream
buffering!)
- email virus/spam signature checks

For the future:

In effect, the ultimate consumer product would be a combination of all
in-line device activities into one unit. However, I can't see these market
segments converging very quickly as there are too many people making too much
money out of dedicated devices.

My ideal in-line policer would have:
Basic port-based stateful firewall
Intrusion prevention by signature
Intrusion prevention by anomaly (using historical traffic profiling)
Anti-virus capabilities (offload to external content scanner?)
DoS prevention and DoS traceback assistance.
Traffic policing/shaping on protocol deep-inspection basis (not just
policing TCP port numbers - this is a requirement for the ever-moving P2P
policing challenge)
billing/statistics output (for usage based services)
Web-site blocking
Traffic analysis, growth, projections, analysis - per protocol.
Lawful interception interfaces for ISPs.
Asymmetric traffic capability.

Plus all the normal requirements for an in-line device:
Gbps throughput. 
Gigabit ports. (optical)
Minimal latency (<2ms)
Drop-in architecture (bridge mode)
High availability mode (active-standby)
Load-sharing mode (active-active)
240v or 48v operation with dual PSU.
Management lan interface (10/100)
Graphical user interface
Syslog output.
SNMP trap output.
SNMP management capability.
NTP time syncing.
19" rack mountable
Live update of ruleset and signatures. (no downtime)
Minimal downtime for OS upgrades.

Hope this helps the manufacturers. It probably helps those looking for a
device too!!

Steve.

-----Original Message-----
From: PS R [mailto:secureyourself () gmail com]
Sent: Friday, September 10, 2004 4:18 PM
To: focus-ids () securityfocus com
Subject: Wishlist for IPS Products


I have seen a lot of discussion about the differences between IDS,
IPS, and firewalls and the potential for convergence, but I do not
recall a discussion on the primary features that an IPS should have
out of the box.

I am thinking of:
- Flow Control - limitations on flooding, unused connections, etc...
- Robust, ACCURATE signature base
- Packet capture - no debate on how much before, as that has been covered
- Pre-deployment network analysis tools to accelerate deployment
- Anomaly detection
- Alert export compatibility with 3rd party event management solutions

It seems like discussions of this type can only serve to improve the
products on the market (or coming to the market), since we know at
least some of the vendors are monitoring this list.

Jack
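Steve's point that gzip-encoded content checking "requires full-stream buffering" is easy to see in code. The following is an added example, not part of either post and not any vendor's product code: it builds a constructed HTTP response whose HTML body contains an inline script, compresses it the way a web server would, cuts it into TCP-sized segments, and runs the same content signature two ways. The packet-based filter (one segment at a time, no decoding) never sees the string; the stream-based check reassembles the flow, waits until Content-Length bytes have arrived, decodes Content-Encoding, and only then inspects. It goes slightly beyond the gzip case to show that even an uncompressed match can straddle a segment boundary, and that a truncated flow yields no verdict rather than a false "clean". The sample body, signature and segment size are all assumptions made for the demonstration.

```python
import gzip
import re

# Constructed sample data (not from the original post): an HTML page that carries
# an inline script, which stands in for the "content" a policy wants to inspect.
HTML_BODY = (b"<html><body>" + b"<p>status: ok</p>" * 20
             + b"<script>alert(1)</script></body></html>")
SIGNATURE = re.compile(rb"<script>")  # deliberately simple content signature


def build_response(body, compress):
    """Build an HTTP/1.1 response; optionally gzip the body as a server would."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def segment(stream, size):
    """Cut a byte stream into fixed-size TCP segments (a stand-in for the MSS)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def per_packet_check(segments):
    """Packet filter: each segment inspected alone, no reassembly, no decoding."""
    return any(SIGNATURE.search(seg) is not None for seg in segments)


def parse_response(stream):
    """Return (headers, body) once the whole message is buffered, else None."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not even complete yet
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    length = int(headers.get(b"content-length", b"0"))
    if len(body) < length:
        return None  # still buffering: a verdict now would be premature
    return headers, body[:length]


def full_stream_check(segments):
    """Reassemble the flow, undo Content-Encoding, then apply the signature."""
    parsed = parse_response(b"".join(segments))
    if parsed is None:
        return False
    headers, body = parsed
    if headers.get(b"content-encoding") == b"gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return False  # corrupt or truncated gzip: nothing inspectable
    return SIGNATURE.search(body) is not None


def demo():
    """Compare the two inspection models on a gzip response and a plain one."""
    gz = segment(build_response(HTML_BODY, compress=True), 64)
    plain = build_response(HTML_BODY, compress=False)
    cut = plain.find(b"<script>") + 4  # split so the match straddles segments
    plain_segs = [plain[:cut], plain[cut:]]
    return {
        "gzip_per_packet": per_packet_check(gz),
        "gzip_full_stream": full_stream_check(gz),
        "plain_per_packet": per_packet_check(plain_segs),
        "plain_full_stream": full_stream_check(plain_segs),
        "truncated_full_stream": full_stream_check(gz[:-1]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:>22}: {'match' if hit else 'no match'}")
```

The design choice worth noting is that `parse_response` refuses to answer until the body is complete: an in-line device that decodes gzip must hold the whole object, which is exactly why this is only practical for the non-time-critical flows (email, HTTP) Steve names and why it costs memory and latency that a per-packet filter does not.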

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
