Devdas Bhagat | 3 Apr 2006 02:49

RE: IDS vs. IPS deployment feedback

On 30/03/06 08:30 -0800, Andrew Plato wrote:
> 
> > If by firewall, you mean a proxy which validates protocols 
> > and is in default deny mode, then you are just wrong.
> 
> > If I don't have a proxy for it, I don't let the traffic through works
> > just fine.
> 
> > An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> > A real firewall looks at stuff on the wire, decides what is good, 
> > and allows it. A real firewall hooks into everything (servers, 
> > network equipment, desktops...).
> 
> Proxy firewalls make up a small (and shrinking) percentage of the market
> of firewalls. And having worked with over 500 different companies, my

And that market-share is relevant how? Just because everyone thinks the
world is flat does not make it so.

> experience is that proxy-based firewalls are rarely deployed in the
> manner you describe. The default deny from unknown or unallowed
> protocols is almost ALWAYS turned off because it breaks some important

And that justifies an IPS?

> businesses system that was poorly coded. Furthermore, a proxy validating

Then the right thing to do is to fix the application.

> protocols still cannot stop a lot of exploits. Plenty of exploits live

Will Metcalf | 4 Apr 2006 06:22

Re: IDS vs. IPS deployment feedback

First let me preface my in line responses by saying that I develop an
open source IPS.

Regards,

Will

> 1. Immature Technology
>
> IPS is far from immature. The first in-line IPS was BlackICE Guard. I
> installed one of the first in late 1999. And all of the decent IPSs on
> the market have roots in IDS, which is many years older. IPS is at least
> 7 years old and at best 10 or more. In technology terms, that's mature.
>
> Consider anti-spam technologies. They basically did not exist in 1999.
> Now, everybody has some kind of spam control. Is anti-spam a mature
> technology?

In comparison to IDS, IPS is an immature technology!  Not only that but
you have to deal with many things on an IPS that you do not have to
worry about on an IDS.  For heaven's sake there are still commercial
IPS vendors out there (one of your business partners in fact) that
drop all out of sequence packets... Are you kidding me?!? Don't these
people understand how the Internet works?  What ends up happening
is that marketing folks for companies pitch IPS as a silver bullet, an
end all be all security solution which is far from the truth.  Please
stop!  In the end you are only going to hurt the reputation of your
company and the reputation of what could be a great complementary
security technology in an overall security strategy.  All of this
because the industry will have lost faith in the technology due to

Olaf Gellert | 4 Apr 2006 13:11

Re: System call based IDS for linux?

I know that there exists a patch for libsafe, so it will
work as an IDS-sensor of the prelude IDS framework. Maybe
search for this on www.prelude-ids.org...

Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og <at> pre-secure.de

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet


Thomas Choi | 5 Apr 2006 21:29

Re: System call based IDS for linux?

You might want to check out a Linux system-call based IDS called Process 
Homeostasis (pH) by Professor Anil Somayaji at Carleton U.  I believe 
you can still download it from his site:
http://www.scs.carleton.ca/~soma/pH/index.html


Andrew Plato | 5 Apr 2006 21:19

RE: IDS vs. IPS deployment feedback


> In comparison to IDS, IPS is an immature technology!  
> Not only that but you have to deal with many things 
> on an IPS that you do not have to worry about on an IDS.  
> For heaven's sake there are still commercial IPS vendors 
> out there (one of your business partners in fact) that 
> drop all out of sequence packets... Are you kidding me?!? 
> Don't these people understand how the Internet works? 
> What ends up happening is that marketing folks for 
> companies pitch IPS as a silver bullet, an end all be 
> all security solution which is far from the truth.  
> Please stop!  In the end you are only going to hurt 
> the reputation of your company and the reputation of 
> what could be a great complementary security technology 
> in an overall security strategy.  All of this because 
> the industry will have lost faith in the technology 
> due to your empty promises and marketing BS.

I have a serious question for you - have you ever been responsible for
an enterprise network and its security? I ask that because the threats
of dropped packets and the "nic that goes bad" all sound like FUD, not
experience. Dropped packets happen when people try to ram 1000mbps
through an IPS rated at 200Mbps. You have to size your IPS accordingly.
And the bad nic is easily solved with bypass units. Again - all this FUD
has many simple answers.  

Furthermore where is all this analytical power coming from? Most
enterprise networks are complex and have limited resources to handle
ANYTHING, let alone security. Most network admins and IT people spend
the majority of their time just keeping their organizations running.

Surya Batchu | 6 Apr 2006 02:34

Multi-processor solutions and performance


Hi,

I was going through the mailing list and there was a
discussion about Multi-processor based solutions and
specifically discussing about Bivio hardware. As I
understand it has 6 processors with one network
processor. Network processor directs the sessions to
these application processors using some kind of hash
calculated with source IP and destination IP of the
packet. 

Both NFR and Sourcefire confirmed that they have IPS
solution on this hardware.

Does anybody have performance numbers on these boxes?
Specifically, I am interested in 64bytes, 320bytes and
1518 bytes packet UDP throughput performance numbers
AND HTTP connection rate, throughput numbers.

Are there any functionality limitations observed in
these kinds of box solutions?

Thanks
Surya


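The session distribution Surya describes above (a network processor hashing source and destination IP to pick one of six application processors), as an added illustration that is not Bivio's, NFR's or Sourcefire's actual algorithm: the key is built order-independently so both directions of a session land on the same processor, and the second sample shows the functional limitation such a scheme has, namely that a single busy IP pair can never be spread across processors. The FNV-1a hash and all addresses are assumptions.

```python
import ipaddress
from collections import Counter

NUM_APP_PROCESSORS = 6  # the post describes six application processors


def flow_key(src_ip: str, dst_ip: str) -> bytes:
    """Order-independent key from the two addresses, so that request and
    reply packets of one session always hash to the same processor."""
    a = ipaddress.ip_address(src_ip).packed
    b = ipaddress.ip_address(dst_ip).packed
    return min(a, b) + max(a, b)


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a; assumed here as a stand-in for the vendor's hash."""
    h = 0x811C9DC5
    for byte in data:
        h ^= byte
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def assign_processor(src_ip: str, dst_ip: str, n: int = NUM_APP_PROCESSORS) -> int:
    """Processor index (0..n-1) for a packet between src_ip and dst_ip."""
    return fnv1a_32(flow_key(src_ip, dst_ip)) % n


def distribution(packets, n: int = NUM_APP_PROCESSORS) -> dict:
    """Packets per processor for a list of (src, dst) address pairs."""
    counts = Counter(assign_processor(s, d, n) for s, d in packets)
    return {i: counts.get(i, 0) for i in range(n)}


# Constructed sample traffic: 60 packets from many clients to one server,
# and 60 packets between one proxy/server pair (IP-only hashing cannot
# spread the second case, however many sessions it carries).
MANY_CLIENTS = [(f"198.51.100.{i}", "192.0.2.10") for i in range(1, 61)]
ONE_PAIR = [("203.0.113.5", "192.0.2.10")] * 60

if __name__ == "__main__":
    print("many clients:", distribution(MANY_CLIENTS))
    print("single pair: ", distribution(ONE_PAIR))
```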
Will Metcalf | 5 Apr 2006 22:28

Re: IDS vs. IPS deployment feedback

> I have a serious question for you - have you ever been responsible for
> an enterprise network and its security?

I manage information security for an organization of 3500 employees ;-).

> I ask that because the threats
> of dropped packets and the "nic that goes bad" all sound like FUD, not
> experience. Dropped packets happen when people try to ram 1000mbps
> through an IPS rated at 200Mbps. You have to size your IPS accordingly.
> And the bad nic is easily solved with bypass units. Again - all this FUD
> has many simple answers.

Really, I had a nic go bad in my IPS....  You're trying to say that
hardware never goes bad?  What happens when your IPS fails open and
you don't have anything passively monitoring your network to log a
successful exploitation that your IPS was previously stopping?

> Furthermore where is all this analytical power coming from? Most
> enterprise networks are complex and have limited resources to handle
> ANYTHING, let alone security.

Talk about FUD, if an organization isn't dedicating resources to
INFOSEC they need to start.  I don't think there is an excuse not to
in this day and age.  As a manager if I had to choose between
educating our INFOSEC staff or buying a shiny new IPS appliance, I
would choose the training every time. Having a good security analyst
that is able to apply his or her knowledge of INFOSEC best practices
to your enterprise is worth more than a hundred IPS devices.

> Most network admins and IT people spend

Basgen, Brian | 6 Apr 2006 19:44

RE: IDS vs. IPS deployment feedback


 I'm new to the list, but this flame war is a bit odd. This is an IDS list,
yet the usefulness of IDS is being dismissed?

 This debate could generate some interesting data. In snort, for example,
there are around 5,759 rules (3/31/2006, non-subscription rule base). I
don't have the metrics on hand of how many rules commercial IPSs deploy on
by default (and how many total can be turned on), but I'd guess it is around
500. I'd be interested to know those numbers, if someone has them. A vendor
comparison of rules could also be interesting. 

 What I draw from this ratio is that some 90% of attacks can get through an
IPS solution. That doesn't invalidate the IPS any more than the IPS
invalidates a firewall, but it does indicate to me that IDS plays an
essential role. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College

Andrew Plato | 7 Apr 2006 18:05

RE: IDS vs. IPS deployment feedback

> I'm not saying that an IPS does not have value, I'm saying 
> it should be part of an overall security strategy, not your 
> end all solution for detecting and preventing intrusions, 
> as  the view that it gives even the most novice analyst is 
> far too narrow.

Okay Will, here we agree. An IPS must be part of a larger security
strategy. It cannot stand alone. I completely agree with that.

However, I maintain my position that most businesses lack the analytical
capabilities to deploy resource intensive technologies (like SNORT).
Hence, commercial IPS that can filter off a set of known vulnerabilities
reduces the overall workload and offers a layer of protection. Also, the
majority of attacks in the wild are well-known and easily detected and
blocked. 

_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

Your Expert Partner for Security & Networking

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

Andrew Plato | 7 Apr 2006 17:54

RE: IDS vs. IPS deployment feedback

Number of rules does not equal quality of IDS/IPS technology. 

Or in other words, just because an IDS/IPS has a zillion rules doesn't
mean those rules are any good. Or that implementing or using that
technology is good. 

Your 500 number is wrong. When you get into the leading commercial IPSs
(TippingPoint, ISS, Juniper, McAfee) these products on average have
2000-3000 signatures. However, in some technologies, one signature
handles an entire class of vulnerabilities. Where Snort needs multiple
signatures for the same vulnerability, ISS can protect against the
vulnerability with 1 signature. TP is the same. I don't know Juniper and
McAfee as well, but I suspect they are similar. 

Snort also has a lot of unique signatures that people have designed for
highly specialized purposes. That is definitely a benefit to some
organizations. But, those signatures are only useful in those unique
situations. And all the commercial products support custom signatures -
so you can do the same thing for your TP or ISS box. 

Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
such, SNORT is usually behind the curve on new signatures. ISS, for
example, does their own independent security research and has signatures
to protect against things that Snort people don't even know about. Other
vendors buy exploits from the hacker market - again giving them access
to vulnerabilities long before it hits the public and subsequently the
people who develop SNORT signatures. 

The 90% thing you're coming up with is just false. You're assuming that
all those signatures represent a serious attack. And you're also