IDS mailing list archives

RE: IDS vs. IPS deployment feedback


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 21 Mar 2006 20:40:19 -0800

 
Much of the rhetoric and push for deploying IPS devices that 
are available seems to come from Marketing and Sales people, 
not Security professionals. Which is why I am reaching out to 
you, your experiences and your thoughts surrounding this issue.

Well, I am a security professional, and I am very much sold on IPS. I
can answer some of your issues:

1. Immature Technology

IPS is far from immature. The first in-line IPS was BlackICE Guard. I
installed one of the first in late 1999. And all of the decent IPSs on
the market have roots in IDS, which is many years older. IPS is at least
7 years old and at best 10 or more. In technology terms, that's mature. 

Consider anti-spam technologies. They basically did not exist in 1999.
Now, everybody has some kind of spam control. Is anti-spam a mature
technology?  

2. False Positives

This is ultimately an issue of tuning. If you think you're going to drop
an IPS inline, slap some rules on it, and never touch it again - you
shouldn't be getting an IPS. A well tuned IPS can be pretty lean on
false positives. And frankly, what is worse - a few POSSIBLE disruptions
due to false positives, or getting hacked and 0wn3d and losing your
business?

Moreover, IPS can dramatically reduce the number of events that require
incident response. With an IPS, when you see a really nasty alert, you
can take note and move along, because you know the IPS blocked it. This
allows you the freedom to analyze more subtle attacks or problems. 

Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
If you consider that almost every switch and router on the market has
plenty of DOS weaknesses, then an IPS really isn't much different. The
DOS fears also stem from the idea that somebody could feed your IPS
internal addresses and hence block normal traffic. Even with the most
rudimentary router ACLs you can ensure this never happens. 

3. Firewalls

Firewalls are not IPSs. All the firewall vendors, especially the big
ones, are clamoring all over themselves to repaint themselves as
"security appliances." Even application firewalls, of which there are
few, rarely are good at true IPS functions. 

The fact is, firewalls are good at one thing - access control. Detailed
protocol analysis and filtering is not what most firewalls were built to
do. And any firewall that has added this feature, has done so merely to
be competitive in the market. I cannot think of any firewalls that were
built from the ground up to be both a good firewall and a good IPS. 

Firewalls should be left to do what firewalls do best - access control.
Leave the packet inspection to a dedicated system. 

IDS Dead?

IDS may not be dead, but its value is diminishing. While there is a
place for IDS in some environments, I fail to see why anybody would get
a passive defense when active defenses can be deployed to function in a
passive manner. An active system that is deployed passively at least
gives you the option to switch to active mode later.

Moreover, the value of an IDS diminishes even more if you lack in-house
analytical capabilities. The unexamined IDS is not worth having, to
paraphrase good old Socrates.  


These are, of course, my opinions. And naturally, I have a vested
interest in people buying more IPSs - because I sell them. 

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 




-----Original Message-----
From: watsont [mailto:thomas.watson.b () bayer com] 
Sent: Thursday, March 16, 2006 11:56 AM
To: focus-ids () securityfocus com
Subject: IDS vs. IPS deployment feedback
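The self-DoS scenario raised in the reply above (an attacker spoofs internal source addresses so that an auto-blocking IPS ends up blocking legitimate internal hosts, and an ingress anti-spoof ACL at the edge prevents it) as a small simulation. This is an added example, not code from the list author; the address range, interface names, packet format and "signature" are all constructed.

```python
"""Constructed model of the self-DoS scenario: an IPS that auto-blocks
offending source addresses is fed spoofed packets claiming an internal
source. An ingress anti-spoof filter (the 'rudimentary router ACL') on the
outside interface drops those packets before the IPS ever sees them.
Added example, not the list author's code; all addresses are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the site's own address space
ATTACK_SIGNATURE = "EXPLOIT"         # constructed: marker the toy IPS "detects"


def anti_spoof_filter(pkt):
    """Edge ACL: drop anything arriving from outside that claims an internal source."""
    if pkt["iface"] == "outside" and ip_address(pkt["src"]) in INTERNAL:
        return False
    return True


class AutoBlockIPS:
    """Toy inline IPS: drops matching packets and blocklists their source."""
    def __init__(self):
        self.blocked = set()

    def process(self, pkt):
        """Return 'drop' or 'pass'; adds the source to the blocklist on a match."""
        src = pkt["src"]
        if src in self.blocked:
            return "drop"
        if ATTACK_SIGNATURE in pkt["payload"]:
            self.blocked.add(src)
            return "drop"
        return "pass"


def run(packets, use_acl):
    """Feed packets through the optional ACL, then the IPS. Returns (verdicts, blocked)."""
    ips = AutoBlockIPS()
    verdicts = []
    for pkt in packets:
        if use_acl and not anti_spoof_filter(pkt):
            verdicts.append("acl-drop")
            continue
        verdicts.append(ips.process(pkt))
    return verdicts, ips.blocked


# Constructed traffic: an outsider spoofs internal host 10.0.0.5 with an attack
# payload, then the real 10.0.0.5 sends legitimate traffic from the inside,
# then a genuine external attacker sends the same payload.
PACKETS = [
    {"iface": "outside", "src": "10.0.0.5", "payload": "EXPLOIT attempt"},
    {"iface": "inside", "src": "10.0.0.5", "payload": "GET /index.html"},
    {"iface": "outside", "src": "198.51.100.7", "payload": "EXPLOIT attempt"},
]
```

Without the ACL the legitimate internal request is dropped because the spoofed packet got 10.0.0.5 blocklisted; with the ACL only the real external source ends up blocked.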




