Snort mailing list archives

Re: New Trend: Intrusion Prevention


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 13 Dec 2002 17:21:25 -0500

Hi Paul,

I went into this on the Focus-IDS mailing list a month or so ago. Basically, I believe IPS to be more of a threat to (or the future of) firewalls. Network intrusion prevention devices sit in-line and provide permit/deny access control for packet streams based on whether or not they're attacks. Presumably it would be relatively easy as a subset of functionality to add stateful packet filtering that's just as good or better than any existing firewalling mechanisms. Netscreen and Checkpoint have figured this out, which is why you see them making aggressive moves in the IPS space. Intrusion detection devices have a VERY different role in the network security hierarchy; they provide *awareness* of what's happening on your network, verification of policy compliance and detection of potential threats and anomalies.

Let me lay out two scenarios that illustrate why intrusion prevention != intrusion detection and why it's unlikely that IPS will ever replace IDS (and how everyone who's trying to tell you it will is trying to sell you something):

1) IPS devices only guard the peering points (at best) of the network. In the case of an attack between hosts on the same broadcast network (inside the peering point) you have absolutely no coverage from the IPS. In that case you'll need to have an IDS to tell you what's going on. For example, someone in engineering decides to give himself a raise by hacking into the accounting department and making it so; your IPS has no visibility into this traffic so it's quite worthless. Your IDS can see this traffic, however, and collect the relevant information for detection/enforcement of policy and evidence for law enforcement.

2) No IPS is going to be perfect, so attacks are going to slip through them. It can be attacks that they don't know about (new buffer overflows, etc.) or even traffic that's legitimate but hostile in your environment, like non-anonymous logins to your anonymous FTP server. If an attack gets by an IDS, how will you know? You better have a pretty good IDS to tell you, that's how.

There are several other things I could highlight, but I think this illustrates the point pretty well and it's Friday and late and I feel like going home. :)

     -Marty


On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW) wrote:


I attended Infosecurity 2002 yesterday and there was much talk about
intrusion detection going away, and intrusion prevention replacing it. Does
anyone know if there are any plans to include intrusion prevention
functionality into Snort in the future?

Thanks,

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com




-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




