Snort mailing list archives

RE: New Trend: Intrusion Prevention

From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 14 Dec 2002 10:41:06 +0200

All,

We cannot dismiss the importance of both IDS and IPS to the security
arena. 

Unlike Marty I do not believe that IPS is a real threat to the
traditional Firewall market and for the big players. If one is familiar
with the recent add-ons and special features Checkpoint firewall NG has
and the ability to control desktop machines through the usage of central
policy and to control authority he can clearly see the difference. Not
that the big firewall players are not seeking other markets...

IPS is good to be installed on servers you wish to lay another layer of
security by controlling the system calls and/or controlling the specific
protocols allowed to that server and their respective known (and
sometimes unknown) attacks. You are able to defend you servers against
different threats. In my opinion it is a good concept, and one that is
very helpful. Sure, fine tuning might be a pain, but there are products
with generic defenses for some attacks that you simply do not need to
worry about those any more (take for example Entercept
www.entercept.com). 

Both technologies should be placed in a network and they do not replace
each other. They both present a very important aspect of security for an
organization.

An IPS has a limited view on the Host it serves and like a host IDS it
lacks the global view. The issue of log/alert correlation is another
buzz word which is constantly getting into the security product market
(for example network forensics).

If you do not have correlation between the information gathered by your
IPS systems or by your IDS systems than you will never understand what
stroke you or what is *really* going on. 

This is just my opinion,

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin
Roesch
Sent: Saturday, December 14, 2002 12:21 AM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] New Trend: Intrusion Prevention

Hi Paul,

I went into this on the Focus-IDS mailing list a month or so ago.  
Basically, I believe IPS to be more of a threat to (or the future of) 
firewalls.  Network intrusion prevention devices sit in-line and 
provide permit/deny access control for packet streams based on whether 
or not they're attacks.  Presumably it would be relatively easy as a 
subset of functionality to add stateful packet filtering that's just as 
good or better than any existing firewalling mechanisms.  Netscreen and 
Checkpoint have figured this out which is why you see them making 
aggressive moves in the IPS space.  Intrusion detection devices have a 
VERY different role in the network security hierarchy, they provide 
*awareness* of what's happening on your network, verification of policy 
compliance and detection of potential threats and anomalies.

Let me lay out two scenarios that illustrate why intrusion prevention 
!= intrusion detection and why it's unlikely that IPS will ever replace 
IDS (and how everyone who's trying to tell you it will is trying to 
sell you something):

1) IPS devices only guard the peering points (at best) of the network.  
In the case of an attack between hosts on the same broadcast network 
(inside the peering point) you have absolutely no coverage from the 
IPS.  In that case you'll need to have an IDS to tell you what's going 
on.  For example, someone in engineering decides to give him self a 
raise by hacking into the accounting department and making it so, your 
IPS has no visibility into this traffic so it's quite worthless.  Your 
IDS can see this traffic, however, and collect the relevant information 
for detection/enforcement of policy and evidence for law enforcement.

2) No IPS is going to be perfect, so attacks are going to slip through 
them.  It can be attacks that they don't know about (new buffer 
overflows, etc) or even traffic that's legitimate but hostile in your 
environment, like non-anonymous logins to your anonymous FTP server.  
If an attack gets by an IDS, how will you know?  You better have a 
pretty good IDS to tell you, that's how.

There are several other things I could highlight, but I think this 
illustrates the point pretty well and it's Friday and late and I feel 
like going home. :)

      -Marty


On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW) 
wrote:


I attended Infosecurity 2002 yesterday and there was much talk about
intrusion detection going away, and intrusion prevention replacing it.

Does
anyone know if there are any plans to include intrusion prevention
functionality into Snort in the future?

Thanks,

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com




-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility 
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility 
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

New Trend: Intrusion Prevention Sheahan, Paul (PCLN-NW) (Dec 13)
- Re: New Trend: Intrusion Prevention Alberto Gonzalez (Dec 13)
- Re: New Trend: Intrusion Prevention Martin Roesch (Dec 13)
  - RE: New Trend: Intrusion Prevention Ofir Arkin (Dec 14)
    - Re: New Trend: Intrusion Prevention Kevin Black (Dec 15)
    - Re: New Trend: Intrusion Prevention Frank Knobbe (Dec 15)
    - Re: New Trend: Intrusion Prevention Kevin Black (Dec 15)
    - Re: New Trend: Intrusion Prevention Frank Knobbe (Dec 15)
- <Possible follow-ups>
- RE: New Trend: Intrusion Prevention Steve Halligan (Dec 13)
  - RE: New Trend: Intrusion Prevention Nathan Whitehouse (Dec 13)
- RE: New Trend: Intrusion Prevention Ibarra, Michael (Dec 13)
  - RE: New Trend: Intrusion Prevention twig les (Dec 13)
    - Re: New Trend: Intrusion Prevention Erick Mechler (Dec 13)
- RE: New Trend: Intrusion Prevention SecurityAdmin (Dec 13)

(Thread continues...)