IDS mailing list archives
RE: RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 28 Mar 2006 08:46:46 -0800
> I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility of getting hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
Hacking is only one aspect. IPS does a lot more than stop hackers. It also stops internal people from doing things they shouldn't. It also can spot poorly coded applications, misconfigurations, abuse, theft, information leakage, viruses, worms, spyware, P2P, chat, rootkits...and many other things. A well tuned IPS controls more than just exploits. It can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And before you say "well, a firewall can do that": no, it can't. If you run IRC on port 80 it can slice through most firewalls on the market.

I have a diagram I use in a presentation on the Myths of IPS. You can see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf It's the Risk Reduction Bang for the Buck chart. It compares IPS to other common security/network technologies such as AV, content filtering, firewalls and packet shapers. A well tuned, well managed IPS can provide more services and capabilities in one unit than all those other technologies combined.

As I tell people - firewalls and AV are important and should never be overlooked. But once those protections are in place, IPS offers the most bang for the buck in security technologies.

Also - you cannot patch your way to security. Patching merely plugs the holes you know about. There are, at any given time, hundreds if not thousands of holes you don't know about. Good IPS manufacturers are deploying protections before exploits hit the public.
> BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it detects and/or make sure it doesn't pass your firewall. Then you don't need any IPS to block it.
How do you know your firewall is blocking it? How do you know your servers aren't already infected? Are you willing to allow a system to get infected, detect that infection hours if not weeks later when you analyze the firewall logs (assuming you do that) and then fix it? After-the-fact detections allow infections and problems to happen and get corrected later. Basically, that's like saying "I don't care if the criminals steal my money, I can detect them stealing it and then go back a month later and stop them from doing it again." Without proactive defenses and detection, you could have serious flaws in your firewall rules or server configurations for months and never even know about it. As I like to say, a good IPS can be a checkpoint on your CheckPoint.
> > Also, I think the DOS angle is WAY overhyped. It's frankly a weak
> > excuse.
>
> By adding IPS, you open up for DoS attacks that were not there before. Why increase risk when you really do not have to? Imho it is IPS that is WAY overhyped :)
This is like saying, "by buying a car, you open yourself up to an auto accident." Well, sure. There is risk in everything. It's absurd to think that just because something has risk, it's useless. Sure, there is a DOS possibility. But you have that possibility with ANY network equipment you install. A new server, router, switch or anything has the possibility to open you up to a DOS attack. Frankly, it's a bigger risk to have a network that isn't being monitored and protected. The "possibility" of a DoS attack is minor if you consider the benefits. Moreover, good IPSs actually PREVENT DoS attacks.

Anybody who runs a decent sized network (at least 10 or more servers) should have some type of active, dynamic protection. The benefits of a well managed and tuned IPS far outweigh the potential problems.

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
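An added illustration of the "IRC on port 80" point made in this message (not code from the thread or from any vendor product): a port-only filter and a content-based classifier are run over a few constructed flows, so the same traffic gets a firewall verdict and an IPS verdict side by side. Flow names, ports, policies and signatures are all assumptions made for the example.

```python
import re
# Constructed sample flows (not from the original thread): name -> (dst port, first client bytes)
SAMPLE_FLOWS = {
    "web-on-80": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "irc-on-6667": (6667, b"NICK alice\r\nUSER alice 0 * :alice\r\nJOIN #ops\r\n"),
    "irc-on-80": (80, b"NICK bob\r\nUSER bob 0 * :bob\r\nPRIVMSG #ops :hi\r\n"),
    "ssh-on-443": (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
}
ALLOWED_PORTS = {80, 443}                    # what a port-based firewall permits
EXPECTED_ON_PORT = {80: "http", 443: "tls"}  # what the IPS expects on each port
BANNED_PROTOCOLS = {"irc"}                   # kept off the network on any port

# Content signatures: IRC is line-oriented with uppercase verbs, HTTP opens
# with a request line, SSH with its version banner (TLS is left as "unknown").
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PING|PONG) ", re.M)
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-2\.0-")

def port_filter(dst_port):
    """Stateless port-based decision: all a plain packet filter can see."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"

def identify_protocol(payload):
    """Classify a flow by its first bytes, ignoring the port entirely."""
    if HTTP_REQ.match(payload):
        return "http"
    if SSH_BANNER.match(payload):
        return "ssh"
    if len(IRC_CMD.findall(payload)) >= 2:  # require two verbs to limit false hits
        return "irc"
    return "unknown"

def ips_decision(dst_port, payload):
    """Content-aware decision: block banned protocols and port/protocol mismatches."""
    proto = identify_protocol(payload)
    if proto in BANNED_PROTOCOLS:
        return "block", proto
    expected = EXPECTED_ON_PORT.get(dst_port)
    if expected is not None and proto not in (expected, "unknown"):
        return "block", proto               # something else tunnelled over an open port
    return "allow", proto

def compare(flows=SAMPLE_FLOWS):
    """Return name -> (firewall verdict, IPS verdict, identified protocol)."""
    out = {}
    for name, (port, payload) in flows.items():
        verdict, proto = ips_decision(port, payload)
        out[name] = (port_filter(port), verdict, proto)
    return out
```

Running `compare()` shows the firewall allowing "irc-on-80" while the content check blocks it; a real IPS uses far richer signatures and stream reassembly, but the port-versus-content distinction is the same.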
Current thread:
- IDS vs. IPS deployment feedback watsont (Mar 20)
- Re: IDS vs. IPS deployment feedback Jean-Philippe Luiggi (Mar 23)
- <Possible follow-ups>
- RE: IDS vs. IPS deployment feedback Carey, Steve T GARRISON (Mar 21)
- Re: IDS vs. IPS deployment feedback nightelfhunter (Mar 21)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 23)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Mar 27)
- RE: IDS vs. IPS deployment feedback Cojocea, Mike (IST) (Mar 27)
- Re: RE: IDS vs. IPS deployment feedback xris375 (Mar 27)
- RE: RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 28)
- Re: RE: IDS vs. IPS deployment feedback Devdas Bhagat (Mar 29)
- Re: RE: IDS vs. IPS deployment feedback Jean-Philippe Luiggi (Mar 31)
- Re: RE: IDS vs. IPS deployment feedback Devdas Bhagat (Mar 29)
- Re: RE: RE: IDS vs. IPS deployment feedback xris375 (Mar 30)
- Re: RE: RE: IDS vs. IPS deployment feedback Sanjay Rawat (Mar 31)
- Re: Re: RE: RE: IDS vs. IPS deployment feedback trashcanmn (Mar 31)
- RE: RE: IDS vs. IPS deployment feedback Andrew Plato (Mar 31)