Fwd: Re: Wishlist for IPS Products

["Craig M. Taylor" <ctaylor10 () yahoo com>]

Off the top of my head; please add your entries to the Top10 list below...

Top 10 IPS WishList:
====================
10) 100% filtering of known nuisance attacks (Nimda, Code Red, SQL Slammer) which
clutter my various firewall and application logs.
9)  Centralized and Simple management of multiple IPS devices each with different
configurations.
8)  Automated daily pull of signature updates (like my anti-virus product)
7)  Integration with Firewalls (Checkpoint) - why do I need another latency inducing
box in my environment?
6)  Optional anomally detection (if I want it and can trust it).  I cannot tolerate
false negatives.
5)  Simplified yet extensive reporting and trending analysis in various output
formats, CSV, HTML, XML, Crystal Reports.
4)  The ability to integrate with central correlation database products such as
eSecurity's eSentinel product (and others).
3)  Clarity on Zero-day protection vs. marketing HYPE - what forms of attack would
be caught in what configurations.
2)  Lower cost of ownership - set and forget vs. 7x24x365 monitoring by human beings
will change the price/performance equation enormously (if I didn't have to pay
> $2000/mth for monitoring each IDS - I could easily justify spending $10k on a
device that worked but didn't require 24x7x365 monitoring, care, and feeding.  See
#8 above on automatic signature updates.
1)  Longer development cycles with more robust product.  My IDS vendor upgrades
major release versions yearly - which forces major labor crunches constantly going
from v3 to 3.1, 3.2, 4.0, 4.1  - slow the cycle down, lower my TCO, and increase my
ROI.

my 2 cents...

Craig

--- PS R <secureyourself () gmail com> wrote:

> Date: Thu, 23 Sep 2004 10:36:27 -0400
> From: PS R <secureyourself () gmail com>
> To: focus-ids () securityfocus com
> Subject: Re: Wishlist for IPS Products
>
> We have gotten off topic, but to complete the thought:
> Is it fair to assume by your last comments about working for ISS and
> panning Tipping Point that ISS' Proventia appliance would detect the
> scenario you outlined below?  If so, is it blocked out of the box? 
> Can someone on the list test this with a Proventia box?
>
> Back on topic (and soapbox)
> Is there nothing else that the IPS/IDS user community wants from
> future IPS appliances?  I see this as an opportunity to really outline
> the roadmap that vendors should be taking.  It is the lack of good
> input on forums like this that results in developers who aren't
> security savvy creating products that aren't what the public wants.
>
> Jack
>
>
> On Tue, 21 Sep 2004 15:31:52 -0400, David Maynor <dmaynor () gmail com> wrote:
> > I work for ISS btw.
> >
> >
> >
> >
> > On Mon, 20 Sep 2004 18:49:25 -0400, David Maynor <dmaynor () gmail com> wrote:
> > > No guess. It's a simple recipe. Take one Tipping Point box, one
> > > machine that is vulnerable to MS03-026, and a bit on coding knowledge
> > > of rpc. I chose 03-026 because due to Blaster it should at be the one
> > > exploit it could block. You then manually generate the bind request
> > > carefully making sure the RPC frag size is so small that the target
> > > guid is in two different packets. Something funny happens. You would
> > > get system access and the Tipping Point box does nothing. Nada. Zip.
> > > Zilch. While you are issuing commands like 'net user /add hacker' the
> > > Tipping Point box stays silent. I scratched my head over this till I
> > > realized that it happens because TippingPoint doesn't do protocol
> > > parsing, it's the only explanation. Hardly the behavior for an award
> > > winning IPS that writes its sigs for the vulnrebility and not the
> > > exploit….supposedly.
> > >
> > >
> > >
> > >
> > > On Thu, 16 Sep 2004 23:30:30 -0400, Tony Carter <tcarter () entrusion com> wrote:
> > > > David,
> > > > Can you back your claim that IPS can easily be evaded by fragging
> > > > packets? Have you actually tested this or is it your guess?
> > > >
> > > > -Tony
> > > >
> > > >
> > > >
> > > >
> > > > On Sep 12, 2004, at 12:29 AM, David Maynor wrote:
> > > >
> > > > > Yeah....I am gonna go ahead and disagree with you on some of these.
> > > > >
> > > > > > I have seen a lot of discussion about the differences between IDS,
> > > > > > IPS, and firewalls and the potential for convergence, but I do not
> > > > > > recall a discussion on the primary features that an IPS should have
> > > > > > out of the box.
> > > > > >
> > > > > > I am thinking of:
> > > > > > - Flow Control - limitations on flooding, unused connections, etc...
> > > > >
> > > > > Most of this should be handled by the signature base.
> > > > >
> > > > > > - Robust, ACURATE signature base
> > > > >
> > > > > Only way to do this and not create tons of false postives is true
> > > > > protocol parsing. This knocks out most IPS vendors like Tipping Point.
> > > > >
> > > > > > - Packet capture - no debate on how much before, as that has been
> > > > > > covered
> > > > > > - Pre-deployment network analysis tools to accelerate deployment
> > > > > > - Anomaly detection
> > > > >
> > > > > Why? I have yet to see a system that is more than a parlor trick.
> > > > > Anomaly based system are even easier to evade than sig based systems
> > > > > that don't do protocol parsing.
> > > > >
> > > > > What I would add is better tools for testing. Almost nobody grabs a
> > > > > copy of Canvas from Immunity or Impact from Core and actually checks
> > > > > what attacks are caught. Further more an even fewer number use modded
> > > > > copies of public exploits to see if the claims made by vendors are
> > > > > actually true. How many vendor's IPS implementation would actual catch
> > > > > a MS03-026 exploit if you frag at the RPC layer at a size like 8
> > > > > bytes?
> > > > >
> > > > > -----------------------------------------------------------------------
> > > > > ---
> > > > > Test Your IDS
> > > > >
> > > > > Is your IDS deployed correctly?
> > > > > Find out quickly and easily by testing it with real-world attacks from
> > > > > CORE IMPACT.
> > > > > Go to
> > > > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
> > > > > learn more.
> > > > > -----------------------------------------------------------------------
> > > > > ---
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn
> more.
> --------------------------------------------------------------------------


=====
Craig Taylor  -- Infosec, CISSP
*********************************************************
** "Problems can not be fixed with the same level of   **
** awareness that created them." - Albert Einstein -   **
*********************************************************

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------