Re: ROI on IDS/IPS products

[Joel Jaeggli <joelja () bogus com>]

Ravi Chunduru wrote:
> Nice post.
>
> How does one find out misconfgured Firewalls and NAT boxes using IPS?

Any box that has an unobstructed view of the contents of a network
segment or segements is potentially a great audit tool. Used properly,
the sniffers perspective can tell you a hell of a lot about how you or
your users have have misconfiguration their devices, are not applying
policy internally where they should be, are leaking routes into your igp
for supposedly airwalled  or natted networks, etc. Of course it requires
some treasure hunting in your logs, and there are people who will sell
you still more appliances (nac boxes for example) that can tease out the
same information.

> Ravi
>
> On Thu, Mar 5, 2009 at 9:01 AM, Joel M Snyder <Joel.Snyder () opus1 com> wrote:
> > > Speaking to the roi, someone already observed that in at least one
> > > environment it was concluded that patch management was addressing an
> > > overlapping set of low hanging fruit and that therefore the ips was no
> > > longer earning it's keep.
> > As an interesting coincidence, I advised a client on that last night: they
> > were being told that their managed firewall on a 20 person branch office was
> > being jacked up from $100/month to $400/month because of the IPS, and I told
> > them that if they put that money into better patch discipline, that it would
> > be better spent.
> >
> > HOWEVER, I like to say in my lectures on IPS that focusing on the IPS as a
> > way of preventing intrusion attacks tends to discount the huge value of the
> > IPS. Personally, I have to agree with naysayers: sticking an IPS out near
> > the firewall on a well managed network isn't going to catch much coming in.
> >  But there are LOTS of other wonderful things that the IPS will help tell
> > you about, including:
> >        - internally infected systems
> >        - misconfigured applications
> >        - misconfigured firewalls
> >        - misconfigured routing
> >        - misconfigured NAT boxes (I see this A LOT)
> >        - network usage
> >        - data leaks
> >        - inappropriate applications or unknown applications
> >
> > And I see those as valuable and part of the IPS "earning its keep."  The
> > notion that a properly managed IDS at TJX would have saved them the
> > embarrassment of their data breach is a fiction promoted only by people who
> > don't understand what IPS/IDS does but do want to sell you something.
> >
> > I have some graphs which, in words, essentially say this:
> >
> > - chances someone will break into your network: about 1%
> > - chances that an IPS would have caught it: about 20%
> > (in other words: with a firewall and good patch discipline, it probably
> > won't happen to you, and if it does, the IPS probably won't catch it)
> > AND
> > - chances you have a security problem on your network: 100%
> > - chances an IPS will help you discover and fix these: 100%
> >
> > When I tell clients they need/want/should have an IPS, it's not because of
> > some motivated external attacker this will help, but it's because they need
> > better security visibility in their network and they don't have it.
> >
> > I have a long-standing bet which I have never lost that says if we put an
> > IDS on your network, I can guarantee that it will tell you something about
> > your security that you didn't know, but should.
> >
> > jms
> > --
> > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > Senior Partner, Opus One       Phone: +1 520 324 0494
> > jms () Opus1 COM                http://www.opus1.com/jms