Re: RE: IDS vs. IPS deployment feedback

[Devdas Bhagat <devdas () dvb homelinux org>]

On 28/03/06 08:46 -0800, Andrew Plato wrote:
>  
> > I for one worry more about downtime than getting hacked.
> > If I am are well organised, patched and secured in depth,
> > the possibility for getting hacked is very low. A 'leet 
> > hacker would probably operate under a IPS/IDS 
> > detectonrange anyway.
>
> Hacking is only one aspect. IPS does a lot more that stop hackers. It
> also stops internal people from doing things they shouldn't. It also can
> spot poorly coded applications, misconfigurations, abuse, theft,
> information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
> many other things. A well tuned IPS controls more than just exploits. It
> can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
> before you say "well a firewall can do that." No it can't. If you run
> IRC on port 80 it can slice through most firewalls on the market.  
If by firewall, you mean packet filter, then you are correct.
If by firewall, you mean a proxy which validates protocols and is in
default deny mode, then you are just wrong.

If I don't have a proxy for it, I don't let the traffic through works
just fine.

An IPS looks at stuff on the wire, decides what is bad, and blocks it.
A real firewall looks at stuff on the wire, decides what is good, and
allows it. A real firewall hooks into everything (servers, network
equipment, desktops...).

> I have a diagram I use in a presentation on the Myths of IPS. You can
> see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
> It's the Risk Reduction Bang for the Buck chart. It compares IPS to
> other common security/network technologies such as AV, content
> filtering, firewalls and packet shapers. A well tuned, well managed IPS
> can provide more services and capabilities in one unit than all those
> other technologies combined. As I tell people - firewalls and AV are
> important and should never be overlooked. But once those protections are
> in place, IPS offers the most bang for the buck in security
> technologies.

Once you have a firewall in place, you need a system which analyses logs
and traffic which gets through your firewall.

> Also - you cannot patch your way to security. Patching merely plugs the
> holes you know about. There are, at any given time, hundreds if not
> thousands of holes you don't know about. Good IPS manufacturers are
> deploying protections before exploits hit the public. 
Which is why you need to run secure code in the first place. Bandaids
are not a panacea to vulnerable code.

Really, it would help to compare IPSes with proxies instead of known
broken systems.

Devdas Bhagat

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------