IDS mailing list archives

Re: IDS evaluations procedures


From: Justin.Ross () signalsolutionsinc com
Date: Fri, 15 Jul 2005 14:33:53 -0700

I too question the "...real-world protection against zero-day 
threats" comment. I have seen very few 0-day threats that were stopped by 
an IPS when the attack was not a variant strain of a previous attack/virii 
(i.e. a brand new/original exploit). IPSs are also subject to false 
positives, and signature updates (outdated signatures, 
signature/engine/detection improvement, new exploit response updates) just 
like an IDS, are they not?

and...

"(an IPS) also saves you having to buy lots of IDS sensors"
For full coverage would one not have to place an IPS in front of each 
segment? If I have multiple entry points into my network, would I not need 
to place an IPS on each link (just like an IDS)? 

The IPS device itself has no relevance to how many would be necessary; the 
network topology does. Or are you publicly stating that if I buy an IPS 
(like Top Layer) and place it on the edge of my network, it will 
replace all my internal sensors and those internal hosts will be protected 
from all attacks? If so, send me a guarantee in writing that one IPS can 
replace all IDS on all my segments and I'm sure my client will happily buy 
one.

Tim, it would be helpful if you just prefaced your replies with "Warning: 
I work for an IPS vendor; as such my response might be a 100% pure BS 
marketing statement" :)

Not a personal attack, and I hate to make it seem like I dissect every word 
of your replies; it just seems like sometimes your marketing replies have 
a way of ignoring the "real-world", as you put it.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

From: Adam Powers <apowers () lancope com>
Date: 07/13/2005 11:00 AM
To: <THolman () toplayer com>, <David.Sames () sparta com>, <focus-ids () securityfocus com>
Subject: Re: IDS evaluations procedures

Tim, I hate to stir up this whole can of worms (pun alert), and yes, I know
this is off topic, but can you please qualify this seemingly non sequitur
statement?

"All IDS devices are subject to large numbers of false positives, which is
why if you're making a new investment you should consider IPS technology, as
this gives you a far lower TCO and real-world protection against zero-day
threats."

How so?

I really struggle with this whole "because it's inline it must be more
accurate" thing. Sure, if I turn off a bunch of sigs on the IPS that are
less reliable, accuracy will increase. But why not do the same thing on the
non-inline IDS?

Is there something magical about being inline that makes the system less
prone to false positives? If so, what?

----------

David, addressing your original question... (which, incidentally, was about
INTERNAL attack traffic, not Internet Storm Center quality stuff that's
randomly hitting the outside of your firewall), we'll need a few extra data
points.

1. What are you testing for? Traffic-based anomalies? Application level RFC
violations and anomalies? Relational-modeling anomalies?
Behavioral anomalies?

2. What collection mechanism is employed? NetFlow? sFlow? Ethernet Frames?
Other?

3. Are you only interested in classic "attacks" (fire up Nessus, see what
happens), or other anomalies such as malfunctioning applications,
policy-driven anomalies, etc.?

On 7/13/05 3:33 AM, "THolman () toplayer com" <THolman () toplayer com> wrote:

Hi Dave,

Take a peek at the Internet Storm Centre @ SANS -

http://isc.sans.org/

It gives you a good idea about what's going on.
Which IDS devices are you looking at?  All IDS devices are subject to large
numbers of false positives, which is why if you're making a new investment
you should consider IPS technology, as this gives you a far lower TCO and
real-world protection against zero-day threats.  It also saves you having to
buy lots of IDS sensors, seeing as a large proportion of the load will be
absorbed and taken care of by the IPS.
Just my 2 cents.. ;)

Cheers,

Tim

-----Original Message-----
From: Sames, David [mailto:David.Sames () sparta com]
Sent: 13 July 2005 04:54
To: THolman () toplayer com
Subject: RE: IDS evaluations procedures

Thanks for the info - those are exactly the kinds of characteristics I
need to consider. At this point, I'm not evaluating a product per se;
I'm evaluating some claims by some of our researchers :-) FPs are what
I'm most concerned about. I'll check things out to see if I can get more
stats, and also attempt to produce some data sets that may look like
"anomalies" but are really traffic spikes and shouldn't be flagged.



To specifically answer your question, look at current attack weather reports
- you'll see approximately 15-20% of perimeter traffic is in fact worms
trying to propagate.  Any evaluation should be designed with this in mind.
..but more importantly, make sure you're evaluating something that will do
the job in hand and doesn't lead you up the garden path with inaccurate
marketing collateral!  :)
<<<

That's exactly what I was looking for!

Regards,

Dave


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------