Snort mailing list archives

Re: Re: [Snort-devel] IDS vs IPS

From: Jason <security () brvenik com>
Date: Wed, 27 Aug 2003 23:16:55 -0400

Thanks, I think the matrix shows fairly well that the _new IPS_ is anatural evolution of the existing firewall.

This is important to point out because there are existing investments infirewalls and these firewalls are rapidly closing the gap where needed.I know that CP has been moving in this direction for a while. It hasalso been my experience that they have been moving at an appropriatepace and the capabilities have been there when I've needed them.

One final statement. You do not need the firewall to log content if youhave an IDS that you can trust will not have a direct impact on thebusiness should it be too critical of the data.

You can also have confidence in your firewall because your IDS verifieswhat you told the firewall to do and covers your arse when you letsomething by because of business requirements or a human error.


Frank Knobbe wrote:

On Wed, 2003-08-27 at 18:36, Jason wrote:

Bob Walder wrote:

My 0.02 worth is that a Network IPS (NIPS) is a device with two
interfaces that operates in-line to detect suspicious traffic and
INSTANTLY discard the offending packet and the rest of the suspicious
flow.


What we have here is a definition of an IPS that matches pretty closely
what firewalls have been able to do for some time.




Not quite. There are difference in the way firewalls and intrusion
detection systems analyze data. For example, I have not seen a firewall
that can identify a CodeRed attempt by name for example. Yeah, you can
block HTTP methods and put limiters on URL's etc (you mentioned CP as an
example which can do that with HTTP content stuff). But I have not come
across a firewall with a 'signature set' like IDS' have them......yet.

It is true that most firewalls are under-utilized. However, an IPS
(being based on an IDS) has capabilities beyond a firewall. Policy
violations (or network flow anomalies) can be detected by firewalls and
cause some sort of reaction/enforcement (CP's SAM is one example).
However, firewalls don't have statistical anomaly detection like some
IDS' do.

Let's draft a matrix of capabilities:

Metric      |  Firewall      |  IDS           |  IPS
-----------------------------------------------------------
Signature   | Limited packet | Extensive      | See IDS
Analysis    | inspection     | signature sets |
            | due to lack of | allow wide     |
            | rule set defin.| pattern match  |
-----------------------------------------------------------
Protocol    | Mostly present | Present        | Present
validation  |                |                |
-----------------------------------------------------------
Traffic flow| Present, that's| Present        | Present
Anomaly Det.| what they do   |                | Present
-----------------------------------------------------------
Statisitcal | Absent         | Present        | Absent (???)
Anomaly Det.|                |                | (as of today)
-----------------------------------------------------------
Packet Log  | Logging mostly | capable of     | See IDS
            | high level     | logging content|
-----------------------------------------------------------
Protocol    | Present        | Absent         | Present
normalizat  |                |                |
ion         |                |                |
===========================================================
Activity    | Active         | Mostly Passive | Active


If someone wants to take this further, feel free. But as you can see,
IPS and firewalls are not quite alike (but neither are IPS and IDS! :)

Regards,
Frank




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Re: [Snort-devel] IDS vs IPS, (continued)
- - Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
    - Re: Re: [Snort-devel] IDS vs IPS Stevo (Aug 27)
    - Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
    - RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 27)
    - RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
    - RE: Re: [Snort-devel] IDS vs IPS twig les (Aug 27)
    - RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
    - RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
    - RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
    - RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 28)
    - Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
    - Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
    - Re: Re: [Snort-devel] IDS vs IPS Jeff (Aug 27)
    - Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
    - Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
    - Re: Re: [Snort-devel] IDS vs IPS Jeff Nathan (Sep 01)
    - Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Sep 02)
    - Re: Re: [Snort-devel] IDS vs IPS Jeff Nathan (Aug 30)
    - Re: Re: [Snort-devel] IDS vs IPS Gary Flynn (Sep 02)
    - Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Sep 02)
    - Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Sep 02)

(Thread continues...)