Re: IDS\IPS that can handle one Gig

[Devdas Bhagat <devdas () dvb homelinux org>]

On 01/06/05 09:11 -0700, Andrew Plato wrote:
>  
> > Another option, and one that many organizations are beginning to
> favor, 
> > is to forget the current, "fashionable" notions of IPS and return 
> > to basics -- to focus more closely on vunerability and information 
> > management.  I believe that if you have a comprehensive, continuous 
> > and meaningful flow of information about the environment and an 
> > effective vulnerability remediation program, the need for IPS 
> > appliances and agents (band-aids) can be reduced dramatically.  
>
> I hear this every now and then from security people, and I think this is
> an attitude borne out of lack of experience with IPS. 
Or maybe it just happens to be the right attitude?

> I have yet to see an environment (and I am a consultant so I see
> hundreds per year) where there is an effective patch and vulnerability
> management that can keep pace with the exploits in the wild. Quite

You need to worry about exploits in the wild where you allow weak
security and lots of connectivity.

> simply, it is impossible to think you can keep a large enterprise
> continuously patched and therefore resistant to the latest
> vulnerabilities. 

It isn't hard. If you use proxies, and limit what traffic is allowed
through the proxy, then you can often stop the exploit du jour by simply
not having a proxy for it, or controlling content at the proxy. Not using 
IE/Outlook/Outlook Express also reduces the vulnerability surface by a 
very large extent.

> On average, it can take 20 to 30 days for an organization to roll out a
> single Microsoft Windows patch. That includes testing, troubleshooting,
> and deployment. In 30 days, your environment could be crawling with all
> sorts of filth thanks to unpatched machines.
How many of those sytems need exposure to the Internet? How many of them
_need_ to run Windows? 

IPSes are attempts to make proxies which reject only bad traffic. this
is contrary to the standard security posture that only known good
traffic should be allowed to pass. Makes life a lot easier if you can
simply block ActiveX at the edge. That still leaves Javascript holes,
but even those can be controlled with a suitable proxy.
Repeat for other protocols.

> Furthermore, if you look at the timeline of when an vulnerability is
> "discovered", then when an exploit hits the streets - that time can be
> days, even hours. In that case, its still weeks before MS or anybody
> releases a patch, and then even more time before you could patch all
> your machines. In this case, even under reasonable, well controlled
> situation most organizations are three to six weeks out from patching
> systems when an exploit is released. That is a ridiculously long period
> of time. A period where that environment could become infested. 

A system which is not connected to the network cannot be exploited from
the network.
 
> Furthermore, a "comprehensive, continuous and meaningful flow of
> information about the environment" means eyeballs. Somebody needs to be
> watching that meaningful flow of information. And while highly trained
> security engineers are an important part of a security team - they won't
> work 24 hours day. People are the most important part of information
> security, but technology works longer hours. 
That is what network monitoring/management systems are for (including
IDS).

> People also make mistakes and miss things. Its insane to think a
> security admin or a network admin has the time or concentration to sift
> through mountains of data everyday. Nobody will do that job for long -
> or do it well.  
>
> Now, with a good IPS deployment, I can load up a signature update
> (hopefully released BEFORE the exploit hit the streets), and now my
> entire network is secure from the new exploit. I go home and rest easy.

Until someone comes up with a variant of that exploit. Or the IPS gets
swamped and fails open. Or the exploit hits over an encrypted tunnel.
Or you get hit by a zero day. You are blocking known bad traffic, not
allowing known good traffic.

Devdas Bhagat

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------