Re: Re: [Snort-devel] IDS vs IPS

["Stevo" <checkpoint () ozbergs com>]

AU$0.02  = ~US$0.01 so you're going to have to throw in at least 3 or 4
Aussie cents if you wanna be heard mate!!  :)

----- Original Message -----
From: "Jason" <security () brvenik com>
To: <bwalder () spamcop net>
Cc: "'Mark Teicher'" <mht3 () earthlink net>; "'Jeff Nathan'" <jeff () snort org>;
<Vkmobile () aol com>; <snort-devel () lists sourceforge net>;
<snort-users () lists sourceforge net>
Sent: Wednesday, August 27, 2003 4:36 PM
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS


> my $.02 AU
>
> Bob Walder wrote:
>
> > > > I would someone on this list to actually define Intrusion
> > > > Prevention System (IPS).
> >
> >
> > OK.....
> >
> > My 0.02 worth is that a Network IPS (NIPS) is a device with two
> > interfaces that operates in-line to detect suspicious traffic and
> > INSTANTLY discard the offending packet and the rest of the suspicious
> > flow.
>
> What we have here is a definition of an IPS that matches pretty closely
> what firewalls have been able to do for some time.
>
> There are packet _inspecting_ firewalls and proxy based firewalls, both
> of these can drop or block the offending traffic. An IPS as defined
> above can even be certain types of routers. These are completely
> different than the "Monitoring" devices designed to observe, they are
> "Control" devices designed to enforce.
>
> I think that lumping in these "new" products with the "Intrusion"
> category is an injustice to the many capable firewalls and routing
> products that have been available for so many years and already
> performing this function.
>
> > IDS, NIDS and HIDS are well-enough defined already, and NO passive IDS
> > device could possibly be described as IPS - even with so-called "active
> > response mechanisms" (i.e. sending TCP resets or ICMP unreachable
> > packets, or reconfiguring a firewall). Given a fast enough connection,
> > by the time the so-called "active response" has been triggered, the
> > payload has been delivered - it is too late!
>
> This here be religion if you ask me. The mere presence of an IDS without
> any active element can be classified as an IPS. Now before we go jumping
> around and hootin and hollerin consider this.
>
> You have a flexible IDS that you can create your own signatures for. The
> signatures you create are designed to verify the firewall policies that
> are supposed to be in place. Any deviation from this policy is unknown
> to the environment and should be mitigated or made known.
>
> Now one might say that the IPS is designed for this, you would be
> correct. The firewall in place is designed for this and the people
> problem most likely caused there to be an unknown threat allowing the
> bypass of the firewall. This same problem still exists for the new breed
> of firewall. You ask how the IDS has performed an IPS role? It has done
> this by alerting your security staff to a situation that needs attention
> before that situation can ever be used to launch an attack. Key to this
> is the use of the "S" or system. Maybe the branding should be IPD for
> Intrusion Prevention Device. Since this device is supposed to prevent
> can you sue if it fails to prevent an intrusion?
>
> > By operating in-line, an effective IPS device can drop the offending
> > packet immediately BEFORE it gets chance to wreak its havoc, and once
> > the flow has been marked as suspicious, the rest of that flow can be
> > handled with very little additional overhead.
> >
> > Of course, in-line devices bring with them their own problems -
> > increased latency, the possibility of false positives wreaking their own
> > special kind of Denial of Service attack, and so on - and that is why
> > they are best thought of as complimentary technologies, at least for
> > now.
>
> Does anyone know how the dropped packet(s) that are part of an
> established session get handled on the server side of the connection?
> This could be my ignorance of how the latest inline devices work, I've
> not had a chance to play with them myself. Some of the questions that I
> have are.
>
> What if the dropped packet thwarts the attack but leaves the session
> open? Will the end server be subjected to a DoS by filling state tables?
>
> What about the mass DoS of services because the IP device sends a reset
> to mitigate this state problem?
>
> What data corruption can the connection being aborted cause? What if the
> suspect packet was in the middle of a database transaction?
>
> What if the sanitized packet ( another way to mitigate the state
> problems ) causes the server to respond with different data? Does this
> create liability issues for the business? What if that data is customer
> data? What if it is your bank account balance being reported as 0?
>
> What if it is used to drop a connection for a protocol designed to re
> establish?
>
> Imagine the use of these firewalls to drop packets that are part of a
> mail message, the mail server can sit and wait for the rest of the data.
> This data never arrives and the connection times out so the sending
> server assumes a problem and queues up the message to send again. Wash,
> Rinse, Repeat. You have created a DoS for both systems.
>
>
> > By the way, don't get TOO hung up on terminology - yes, they WERE
> > originally referred to as Gateway IDS (GIDS) or in-line IDS products -
> > but providing we ensure that the marketing guys don't dilute the term
> > (i.e. by referring to every passive IDS or personal firewall as IPS) -
> > or at least recognise such marketing FUD for what it is - then there is
> > nothing wrong with the term IPS.
>
> I have to disagree here. I think the "I" in IPS implies absolute
> scrutiny of the data seen and when the "PS" is in doubt it can either
> block or raise the issue for further inspection. If you do this then
> what you really have is a gateway IDS.
>
> > Where it gets interesting is the argument that IPS has nothing to do
> > with IDS at all - usually put about by those IPS vendors whose signature
> > set is too small or too prone to false positives to catch the majority
> > of the common exploits out there... IPS is an evolution of IDS, and has
>
> IPS is an evolution of the firewall, a rebranding of existing technology
> in an attempt to capitalize on the security fear present today.
>
> > a whole heap more work to do than an IDS box and thus has to be more
> > reliable and faster - and thus is likely to be quite a bit more
> > expensive for a while yet. Think of it as a "security switch", since
> > once it goes in line it has to behave as much like a switch as it does
> > like an IDS device - and if the vendor expects the network guys to
>
> It has to behave like a firewall not an IDS. Throw up a cluster of CP NG
> and you have just that all the way into multi gigabit speeds with VPN
> and proxies to boot.
>
> > accept it as part of their infrastructure then they'd better be pretty
> > damn sure that it offers minimal latency and maximum resilience. The
> > passive IDS device can do no serious damage to the network
> > infrastructure - if it is "noisy" then it is only the IDS admin who
> > suffers - if it fails, then it causes no network down time. This is not
> > the case with an in-line device.
>
> You also have the failure case where the IPS fails open, that is it
> passes all traffic like a failed tap. You had better hope that there is
> a good firewall there and a good IDS to back you up.
>
> > And just to round off the definitions, we have Host IPS (HIPS). This
> > refers to the Entercepts and Okenas of this world - software wrappers
> > around the OS or critical applications (such as Web servers) that
> > intercept dodgy system or application function calls and prevent them
> > from doing any damage.
> >
> > This is not intended to be an exhaustive definition, but hopefully it
> > goes some way towards explaining what I think is the most reasonable
> > point of view.
> >
> > Now.... Let  the marketing guys get on with their job (spin doctors),
> > ignore everything they have to say, and buy the technology that is most
> > suitable for your requirements - no matter WHAT they call it  ;o)
>
> The definition given above of an IPS plays right into this spin
> doctoring. I think it is important remember that the new definition
> called IPS is the same as the capabilities of modern firewalls and it is
> nothing new, the same problems that have prevented wide usage in the
> firewall space still plague the inline devices and then some extras have
> been added. The phrase "Trust but verify" comes to mind here.
>
> > Regards,
> >
> > Bob Walder
> > Director
> > The NSS Group
>
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users