IDS mailing list archives
RE: IDS alerts / second - Correlation - Virtualization
From: "Nathan Davidson" <ndavidso () globix com>
Date: Tue, 26 Jul 2005 05:12:47 -0400
David Swift said: "By nature, any IPS has to do IDS first. You have to detect before you can block. Therefore the number of IDS events will dramatically exceed the number of IPS events. IPS will always be a subset of IDS." David, I am sorry to be terse with you, but I have never heard such a non-cohesive argument. If you take a proper IPS, and by that I don't mean an IDS that has been re-jigged into an IPS for marketure purposes; it should perform SYN-cookies or SYN-proxying, followed by Layer 2 checks, followed by a firewall policy, followed by rate limiting and Layer 4 checks before it bothers to do anything at Layer 7. As we all know Layer 7 is computationally expensive so a well designed IPS will always reduce the amount of traffic at Layer 2-4 prior to applying IDS signatures. "Also, please note than many vendors (iPolicy included), are using correlation tools to tune the system to the deployed network. ... Then the data is fed back into the IPS engine and Firewall to intelligently turn on signatures to block events that the protected network is vulnerable to, firewall unwanted ports, and ideally to turn off alerting for events the protected network is not vulnerable to." This is IMHO very risky, you are presuming that your scanner has picked up all the apps/vulnerabilities that exist in your network and knows their relationship to any assigned policy items. Why not just block all access known to be malicious or pointless? That would be an in-line blocking IPS (or if you like, a firewall that has such features). -----Original Message----- From: Frank Knobbe [mailto:frank () knobbe us] Sent: Friday, July 22, 2005 4:39 PM To: Nathan Davidson Cc: focus-ids () securityfocus com Subject: RE: IDS evaluations procedures On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
To make things easier to compare let us say that the IPS and IDS have the SAME signatures/policy and they both identify all of the malicious traffic: The IPS will create 10 alerts/sec The IDS will create 100 alerts/sec
Uhm... then the IDS is not configured properly. IPSes seem to filter proactively, that means based on assumptions. It assumes that your server is vulnerable against xyz and blocks it. But the server doesn't have to be vulnerable. You can deploy an IDS as an ADS, that is, Attack Detection System. As such it would alert on every xyz packet that look suspicious and which the IDS thinks may cause harm to your server. But you can also deploy an IDS as an ...well... Intrusion Detection System. Configured like that, it doesn't make assumptions and doesn't care if it sees xyz hitting the server. It cares what the server responds with to xyz. If it detects an abnormal response, or outright hostile traffic (i.e. signature of a botnet c&c channel join), then it issues an alert, and only then. Given that, the math is as follows: ADS: 100 alerts /sec IPS: 10 alerts /sec IDS: 1 alert /incident I think the IDS has a much higher security ROI (oops, I said the evil word) than an IPS. The IPS is a broad-sword. The IDS, properly deploy and managed, is a sensitive detector, not a noisy alarm bell. It doesn't alert on every thrust of a sword, it only alerts when you bleed. Regards, Frank PS: I sometimes wonder if the I-have-more-alerts-than-you-stick-waving in the IDS market contributed to the misuse of IDS systems.... ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IDS alerts / second - Correlation - Virtualization Swift, David (Jul 25)
- RE: IDS alerts / second - Correlation - Virtualization Frank Knobbe (Jul 25)
- Re: IDS alerts / second - Correlation - Virtualization william taft (Jul 26)
- Re: IDS alerts / second - Correlation - Virtualization Ron Gula (Jul 27)
- Re: IDS alerts / second - Correlation - Virtualization william taft (Jul 26)
- <Possible follow-ups>
- RE: IDS alerts / second - Correlation - Virtualization Palmer, Paul (ISSAtlanta) (Jul 26)
- RE: IDS alerts / second - Correlation - Virtualization Nathan Davidson (Jul 26)
- RE: IDS alerts / second - Correlation - Virtualization Swift, David (Jul 27)
- Re: IDS alerts / second - Correlation - Virtualization william taft (Jul 29)
- Message not available
- RE: IDS alerts / second - Correlation - Virtualization Sanjay Rawat (Jul 29)
- RE: IDS alerts / second - Correlation - Virtualization Frank Knobbe (Jul 25)
- RE: IDS alerts / second - Correlation - Virtualization Biswas, Proneet (Jul 27)