Firewalls (was Re: IDS evaluations procedures)

[Devdas Bhagat <devdas () dvb homelinux org>]

On 16/07/05 07:29 -0400, Nathan Davidson wrote:
> Hi Adam,
>
>  
>
> I am sure Tim can answer this one very well, but over the last 12 months
> I have spent a lot of time working with IPS in an IDS orientated company.
> So I thought I share my experiences. 
>
>  
>
> When we deploy an in-line IPS solution we define a number of parameters
> in the policy that should be present in ALL valid requests (White-listing).
> I use this to filter out all traffic that I know must be malicious. From

Isn't _all_ traffic supposed to be malicious unless proven safe? 

> my experience this is up to 95% of worm/scan traffic. We then apply IDS
> style signatures based on known attack vectors (Black-listing) but only
> on the remaining 5% of traffic. Thus we should have up to 95% less false
> positives (and generally we do). Additional benefits can be gained by 
> dropping all subsequent packets from an abusing source IP address. 
>
>  
>
> An example would be to use an IPS to force all HTTP requests to have the
> host header www.xyz.com (your sites URL) this will stop a significant
> proportion of HTTP noise before signature matching.

Ugh! xyz.com is a legitimate domain. Please use example.com when giving
examples (or example.net or example.org).

>  
>
> Conversely with IDS you just don???t have the ability to white list
> traffic in this way, I guess you could RST any request that didn???t
> match the URL but I think fragmented buffer overflows and the like
> could sneak through - so it???s risky.

An IDS is not an attack prevention mechanism. An IDS is a tool to detect
when your active attack detection mechanisms have been bypassed. An IDS is
passive. It tells you what it can see, but it is not supposed to do
anything to that traffic. Active elements are called firewalls, and
firewalls include both packet filters and proxies.

>  
>
> As you alluded to, the IPS signatures tend to be less aggressive than
> those on the IDS which I think reflects the much higher penalty of
> false positives on an in-line blocking device. For this reason I do
> still deploy NIDS/HIDS on the inside to collect forensic data, with
> the added benefit of having a second manufacturers signatures.
>
>  
>
>  
>
> Internet 
>
>      I
>
>    IPS
>
>      I
>
> Firewall
>
>      I
>
>      I 
>
> Switch=== NIDS
>
>      I
>
>      I
>
> HIDS
>
> Server
>
>  

Internet ===> Packet filter ===> proxy ===> Switch ===> Hardened server
                |                 |             |               |
                |                 |             NIDS    Log analyser
                |                 |             |               |
                |-----------------|-------------|--------- Reporting
                                                                tool

Slightly better architecture.

Devdas Bhagat

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------