IDS mailing list archives
Firewalls (was Re: IDS evaluations procedures)
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 17 Jul 2005 23:30:39 +0530
On 16/07/05 07:29 -0400, Nathan Davidson wrote:
> Hi Adam, I am sure Tim can answer this one very well, but over the last 12 months I have spent a lot of time working with IPS in an IDS orientated company. So I thought I'd share my experiences. When we deploy an in-line IPS solution we define a number of parameters in the policy that should be present in ALL valid requests (White-listing). I use this to filter out all traffic that I know must be malicious. From
Isn't _all_ traffic supposed to be malicious unless proven safe?
> my experience this is up to 95% of worm/scan traffic. We then apply IDS style signatures based on known attack vectors (Black-listing) but only on the remaining 5% of traffic. Thus we should have up to 95% fewer false positives (and generally we do). Additional benefits can be gained by dropping all subsequent packets from an abusing source IP address. An example would be to use an IPS to force all HTTP requests to have the host header www.xyz.com (your site's URL); this will stop a significant proportion of HTTP noise before signature matching.
Ugh! xyz.com is a legitimate domain. Please use example.com when giving examples (or example.net or example.org).
> Conversely with IDS you just don't have the ability to white list traffic in this way, I guess you could RST any request that didn't match the URL but I think fragmented buffer overflows and the like could sneak through - so it's risky.
An IDS is not an attack prevention mechanism. An IDS is a tool to detect when your active attack detection mechanisms have been bypassed. An IDS is passive. It tells you what it can see, but it is not supposed to do anything to that traffic. Active elements are called firewalls, and firewalls include both packet filters and proxies.
> As you alluded to, the IPS signatures tend to be less aggressive than those on the IDS which I think reflects the much higher penalty of false positives on an in-line blocking device. For this reason I do still deploy NIDS/HIDS on the inside to collect forensic data, with the added benefit of having a second manufacturer's signatures.
>
>   Internet
>      I
>     IPS
>      I
>   Firewall
>      I
>      I
>   Switch=== NIDS
>      I
>      I        HIDS
>   Server
Internet ===> Packet filter ===> proxy ===> Switch ===> Hardened server
                   |               |           |              |
                   |               |           |              |
                 NIDS         Log analyser     |              |
                   |               |           |              |
                   |---------------|-----------|--------------
                                 Reporting tool

Slightly better architecture.

Devdas Bhagat
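The two-stage policy Nathan describes (white-list on a mandatory Host header first, black-list signatures only on what survives, then drop every later packet from a source that trips a signature) as an added example, not code from either poster or from any IPS product. It uses example.com as the protected site, as Devdas asks; the signatures and the sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
# Assumption (not from the thread): the protected site answers to these names.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Constructed, illustrative black-list signatures, not a vendor rule set.
SIGNATURES = {"dir-traversal": re.compile(r"\.\./"),
              "worm-probe": re.compile(r"/default\.ida", re.I)}

def parse_request(raw: str):
    """Return (host, path) from a minimal HTTP/1.x request; host is '' if absent."""
    lines = raw.split("\r\n")
    _, path, _ = lines[0].split(" ", 2)
    host = ""
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port suffix
    return host, path

@dataclass
class StagedIPS:
    allowed_hosts: set
    signatures: dict
    blocked_sources: set = field(default_factory=set)  # abusers dropped outright

    def inspect(self, src: str, raw: str) -> str:
        """Verdict for one request: 'allow' or the stage that dropped it."""
        if src in self.blocked_sources:
            return "drop:blocked-source"
        host, path = parse_request(raw)
        if host not in self.allowed_hosts:             # stage 1: white-list
            return "drop:host-whitelist"
        for name, pattern in self.signatures.items():  # stage 2: black-list
            if pattern.search(path):
                self.blocked_sources.add(src)           # block all later packets
                return f"drop:signature:{name}"
        return "allow"

def run_policy(traffic):
    """Apply the staged policy to (src, request) pairs in order."""
    ips = StagedIPS(ALLOWED_HOSTS, SIGNATURES)
    return [ips.inspect(src, req) for src, req in traffic]
# Constructed sample traffic: scan noise, a real user, an abuser, an old HTTP/1.0 client.
SAMPLE = [
    ("198.51.100.7", "GET /default.ida?XXXX HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", "GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    ("192.0.2.44", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.45", "GET /docs/../../config.txt HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"),
    ("192.0.2.45", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.46", "GET /index.html HTTP/1.0\r\n\r\n"),
]
```

Note that the worm probe in the first request never reaches the signature stage, which is the noise reduction Nathan claims, but the last request (a legitimate HTTP/1.0 client that sends no Host header) is dropped by the same rule: that is the in-line false-positive cost the thread is weighing.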