nanog mailing list archives
Re: recommendations regarding IPS
From: Valdis.Kletnieks () vt edu
Date: Fri, 31 Mar 2006 21:11:25 -0500
On Fri, 31 Mar 2006 16:16:29 +0200, "Hegger, Stefan" said:
> We have a 2 Gbps connection with about 200kpps in- and outgoing traffic, and I don't want to pipe the traffic through software; FPGAs are ok. Our problems are DDoS and we want to have stateful packet inspection.
What actual *problem* are you trying to solve by installing an IPS? Note that simple traffic graphs are usually enough to spot a DDoS - and if the attacker is clever enough, the packets will *look* sane enough to pass the IPS's muster and not be flagged.

Remember that in most cases, a packet flagged by an IPS falls into one of several categories:

1) False positive. You just nuked a legitimate connection. Whoops.

2) A packet that wouldn't have done anything anyhow because you've already patched the vulnerability. Who cares?

3) The very rare packet that exploits a vulnerability you haven't been able to harden the target against yet. At this point, the IPS is being used as a crutch to cover up the fact you haven't hardened the target box (and yes, I'm fully aware of "but it's running MobyFooBar that isn't certified on any release of the OS later than 1997" issues... doesn't change the fact that you haven't hardened the box, does it? ;)

4) A very important class of packets that the IPS does *NOT* alert on is the one it doesn't match to a vulnerability template, either because it's a 0-day you don't have a template for, or because the source of the packet is inside your border (got any wireless? Anyplace a user connects a laptop? Any machines that might have gotten whacked with spyware or other malware, opening up an *outbound* connection that your IPS will likely pass as OK?)

And don't forget that the IPS is Yet Another Log To Read. Unless you're also hiring more manpower to feed the beast and clean up after it, it's worse than useless, as it's taking away from all the OTHER things you're already doing.

And of course, getting one to do anything reasonable about "malicious traffic FOO carried over SSL/443" is a major technical challenge - which is why you're likely to see malicious traffic buried under the SSL.. ;)
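The point above that "simple traffic graphs are usually enough to spot a DDoS" can be turned into a small automated check. The following is an added example, not code from the thread or from any NANOG participant: it takes per-interval packets-per-second readings of the kind an SNMP poller or NetFlow exporter would produce for the 2 Gbps / ~200 kpps link described in the question, builds a robust baseline from the most recent *unflagged* samples (median plus median absolute deviation, so the attack samples do not pull the baseline up once the flood starts), and flags intervals that exceed it. The sample readings, the window size and the multipliers are constructed assumptions chosen for illustration.

```python
"""Added example (not part of the NANOG thread): flag DDoS-scale spikes
in per-interval pps readings the way someone eyeballing a traffic graph
would, using a robust baseline so the attack does not mask itself.
All numbers below are constructed for illustration."""

from statistics import median


def mad(values):
    """Median absolute deviation: a spread estimate that a few huge
    outliers cannot inflate, unlike the standard deviation."""
    m = median(values)
    return median(abs(v - m) for v in values)


def find_spikes(samples, window=12, k=6.0, min_ratio=3.0):
    """Return the indices of samples that stand out from the baseline.

    samples:   list of pps readings taken at fixed intervals (assumed 1 min).
    window:    number of preceding *unflagged* samples forming the baseline.
    k:         MAD multiplier; 1.4826*MAD approximates one standard deviation
               for well-behaved data, so k=6 is a very conservative bar.
    min_ratio: a sample must also be at least min_ratio times the baseline
               median, so a perfectly flat baseline (MAD == 0) cannot turn
               a trivial bump into an alert.
    """
    flagged = []
    clean = []  # samples accepted as normal; attack samples are kept out
    for i, value in enumerate(samples):
        if len(clean) < window:
            clean.append(value)  # not enough history yet: learn, do not judge
            continue
        base = clean[-window:]
        m = median(base)
        spread = 1.4826 * mad(base)
        threshold = max(m + k * spread, min_ratio * m)
        if value > threshold:
            flagged.append(i)
        else:
            clean.append(value)
    return flagged


def describe(samples, flagged):
    """Human-readable summary of the flagged intervals (for the operator)."""
    if not flagged:
        return "no anomalous intervals"
    peak = max(samples[i] for i in flagged)
    return "anomalous intervals %s, peak %d pps" % (flagged, peak)


# Constructed readings: ~200 kpps of normal jitter, then a three-interval
# flood at roughly six times the baseline, then a return to normal.
SAMPLES = [
    198_000, 203_000, 195_000, 210_000, 201_000, 199_000,
    204_000, 197_000, 202_000, 206_000, 200_000, 196_000,
    203_000,
    1_150_000, 1_300_000, 1_240_000,
    205_000, 199_000,
]

if __name__ == "__main__":
    hits = find_spikes(SAMPLES)
    print(describe(SAMPLES, hits))
```

On the constructed data only the three flood intervals are reported; the normal jitter before and after never comes near the threshold, and because flagged samples are excluded from the baseline the third flood interval is still judged against the pre-attack 200 kpps rather than against the flood itself. Note the caveat in the reply above still applies: this sees volume, not intent, and a low-rate attack that stays within the jitter band will not show up on any graph.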