IDS mailing list archives

RE: RE: IDS vs. IPS deployment feedback


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 28 Mar 2006 08:46:46 -0800

 
> I for one worry more about downtime than getting hacked.
> If I am well organised, patched and secured in depth,
> the possibility for getting hacked is very low. A 'leet
> hacker would probably operate under an IPS/IDS
> detection range anyway.

Hacking is only one aspect. IPS does a lot more than stop hackers. It
also stops internal people from doing things they shouldn't. It also can
spot poorly coded applications, misconfigurations, abuse, theft,
information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
many other things. A well tuned IPS controls more than just exploits. It
can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
before you say, "well, a firewall can do that": no, it can't. If you run
IRC on port 80 it can slice through most firewalls on the market.

I have a diagram I use in a presentation on the Myths of IPS. You can
see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
It's the Risk Reduction Bang for the Buck chart. It compares IPS to
other common security/network technologies such as AV, content
filtering, firewalls and packet shapers. A well tuned, well managed IPS
can provide more services and capabilities in one unit than all those
other technologies combined. As I tell people - firewalls and AV are
important and should never be overlooked. But once those protections are
in place, IPS offers the most bang for the buck in security
technologies.

Also - you cannot patch your way to security. Patching merely plugs the
holes you know about. There are, at any given time, hundreds if not
thousands of holes you don't know about. Good IPS manufacturers are
deploying protections before exploits hit the public. 


> BEFORE you add a rule to your IPS/IDS you patch for
> the vulnerability it detects and/or make sure it
> doesn't pass your firewall. Then you don't need any
> IPS to block it.

How do you know your firewall is blocking it? How do you know your
servers aren't already infected? Are you willing to allow a system to
get infected, detect that infection hours if not weeks later when you
analyze the firewall logs (assuming you do that) and then fix it?
After-the-fact detections allow for infections and problems to happen
and get corrected later. Basically, that's like saying "I don't care if
the criminals steal my money, I can detect them stealing it and then go
back a month later and stop them from doing it again."

Without proactive defenses and detection, you could have serious flaws
in your firewall rules or server configurations for months and never
even know about it. As I like to say, a good IPS can be a checkpoint on
your CheckPoint. 

>> Also, I think the DOS angle is WAY overhyped. It's frankly a weak
>> excuse.

> By adding IPS, you open up for DoS attacks that
> were not there before. Why increase risk when you
> really do not have to? Imho it is IPS that is
> WAY overhyped :)

This is like saying, "by buying a car, you open yourself up to an auto
accident." Well, sure. There is risk in everything. It's absurd to think
that just because something has risk, it's useless.

Sure, there is a DOS possibility. But, you have that possibility with
ANY network equipment you install. A new server, router, switch or
anything has the possibility to open you up to a DOS attack. 

Frankly, it's a bigger risk to have a network that isn't being monitored
and protected. The "possibility" for a DoS attack is minor if you
consider the benefits. Moreover, good IPSs actually PREVENT DoS attacks.


Anybody who runs a decent sized network (at least 10 or more servers)
should have some type of active, dynamic protection. The benefits of a
well managed and tuned IPS far outweigh the potential problems. 

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 
_________________________________________________
NOTICE:
This email may contain confidential information, 
and is for the sole use of the intended recipient.  
If you are not the intended recipient, please reply 
to the message and inform the sender of the error 
and delete the email and any attachments from 
your computer. 
_________________________________________________
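Added example (mine, not code from the thread or from Anitian): the "IRC on port 80" point above, in code. A port-only rule, as a plain packet filter applies it, decides on the destination port alone; payload inspection looks at the first bytes of the flow. The blocked-port list and the protocol signatures are assumptions, deliberately minimal compared with a real IPS protocol decoder; the sample flows are constructed.

```python
import re

# Assumed port-based policy for "unwanted protocols": IRC and NNTP ports.
BLOCKED_PORTS = {6667, 6697, 119}

# Minimal, illustrative protocol signatures matched at line starts of the
# payload. Order matters: HTTP is checked first so an HTTP "POST" line is
# not mistaken for an NNTP command. A real IPS decoder is far more thorough.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r?\n", re.M)),
    ("irc", re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|NOTICE|PASS) ", re.M)),
    ("nntp", re.compile(rb"^(GROUP|ARTICLE|XOVER|NEWNEWS) ", re.M)),
]
CONTROLLED = {"irc", "nntp"}  # protocols the policy wants kept off the network


def port_rule(dst_port: int) -> str:
    """Port-only decision, the way a plain packet filter makes it."""
    return "block" if dst_port in BLOCKED_PORTS else "allow"


def protocol_from_payload(payload: bytes) -> str:
    """Identify the application protocol from its first bytes, ignoring the port."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"


def missed_by_port_filter(flows):
    """Flows the port rule allows although the payload is a controlled protocol."""
    missed = []
    for dst_port, payload in flows:
        proto = protocol_from_payload(payload)
        if port_rule(dst_port) == "allow" and proto in CONTROLLED:
            missed.append((dst_port, proto))
    return missed


# Constructed sample flows (dst_port, first payload bytes); not real captures.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"NICK bot1234\r\nUSER bot1234 0 * :bot\r\nJOIN #control\r\n"),  # IRC on 80
    (6667, b"PRIVMSG #chat :hello\r\n"),                                  # IRC on 6667
    (8080, b"GROUP comp.security.misc\r\nXOVER 1-20\r\n"),                # NNTP on 8080
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),               # TLS, unknown here
]

if __name__ == "__main__":
    for dst_port, payload in SAMPLE_FLOWS:
        print(dst_port, port_rule(dst_port), protocol_from_payload(payload))
    print("missed by port filter:", missed_by_port_filter(SAMPLE_FLOWS))
```

The port rule blocks only the IRC session on 6667; the IRC session on 80 and the NNTP session on 8080 pass it and are caught only by looking at the payload.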



