RE: re[2]: Gateway IDS

From: Ian Peters (ian@ianpeters.net)
Date: 06/27/02


From: "Ian Peters" <ian@ianpeters.net>
To: <focus-ids@securityfocus.com>
Date: Thu, 27 Jun 2002 16:48:29 +0100

Additionally, one can imagine these solutions being a) phased in slowly, and
b) targeted at specific uses.

For example, you won't necessarily IDS _all_ traffic in and out, but instead
will target critical/more-likely-to-be-attacked/indicator systems. For
example, in addition to all the MASQ rules, martian packets etc., which are
supported, for example, by iptables, you may just want to run a subset of
signatures against incoming traffic to port 80 of your webserver (i.e.
checking for attack signatures), and a different subset on outgoing traffic
from the webserver (i.e. looking to see if we've been compromised).

As such, latency effects can be minimised. It all comes down to how the
technology is applied, rather than the technology itself.

Just a few ideas,

Ian

> -----Original Message-----
> From: Christopher Cantrell [mailto:cantrell@onesecure.com]
> Sent: 27 June 2002 13:46
> To: Frank Knobbe; Hiemstra, Brenno
> Cc: 'Jochen Vogel'; focus-ids@securityfocus.com
> Subject: re[2]: Gateway IDS
>
>
> Hi Frank,
>
> >> While nice in concept, I doubt that these gateway IDS will find wide
> >> acceptance due to their latency. Signature sets are growing, protocols
> >> are added, but at the same time, bandwidth demand is increasing. I doubt
> >> GIDS will win that race...
>
> I think you have a great point about latency but it is
> interesting to hear you don't believe in wide acceptance due to
> latency. 5 years ago, some people thought this about firewalls
> and now they have become a critical component of the security of a
> network. The advancements in that technology proved not to
> impact performance. The advancements being made now in IDS
> technology (layer 2 and layer 3 support, high availability,
> load-balanced, STP, stateful (context-based) signatures, etc) all
> lead to products which can be integrated inline while providing
> packet processing "and" threat detection at speeds similar to
> firewalls today. With these rapid developments being made, I
> would argue there will be a mass mindset shift to implement
> inline over passive devices in the next 12 months.
>
> Just my 2 cents
>
> Best regards,
> -chris
>
>
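The direction-specific signature subsets Ian sketches above, as an added illustration that is not part of the thread: each packet is matched only against the set for its direction, so traffic that is neither a request to the webserver's port 80 nor a reply from it costs no signature matching at all. The address, signatures and packets are constructed, and the substring patterns stand in for real IDS rules.

```python
from collections import namedtuple

# Constructed address for the monitored webserver (RFC 5737 range).
WEBSERVER = "192.0.2.10"

Signature = namedtuple("Signature", "name pattern")  # plain substring match
Packet = namedtuple("Packet", "src dst sport dport payload")

# Constructed sample signatures, split by the question each set answers.
INBOUND_HTTP = (  # "are we being attacked?" - requests to port 80
    Signature("dir-traversal", b"../.."),
    Signature("cmd-exe", b"/cmd.exe"),
)
OUTBOUND_HTTP = (  # "have we been compromised?" - replies from the webserver
    Signature("root-shell-id", b"uid=0(root)"),
    Signature("passwd-leak", b"root:x:0:0"),
)
ALL_SIGS = INBOUND_HTTP + OUTBOUND_HTTP

def select_signatures(pkt):
    """Pick the subset for this packet's direction, or nothing at all."""
    if pkt.dst == WEBSERVER and pkt.dport == 80:
        return INBOUND_HTTP
    if pkt.src == WEBSERVER and pkt.sport == 80:
        return OUTBOUND_HTTP
    return ()  # other traffic is left to the packet filter: no IDS work

def inspect(pkt, sigs=None):
    """Return (alert names, number of signatures evaluated)."""
    sigs = select_signatures(pkt) if sigs is None else sigs
    return [s.name for s in sigs if s.pattern in pkt.payload], len(sigs)

def compare(packets):
    """Total signature evaluations: targeted subsets vs. every signature."""
    return (sum(inspect(p)[1] for p in packets),
            sum(inspect(p, ALL_SIGS)[1] for p in packets))

# Constructed traffic sample: one request, one reply, one unrelated packet.
SAMPLE = [
    Packet("198.51.100.7", WEBSERVER, 40001, 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet(WEBSERVER, "198.51.100.7", 80, 40001, b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root"),
    Packet("198.51.100.7", "192.0.2.20", 40002, 25, b"EHLO mail"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "->", p.dst, inspect(p))
    print("evaluations targeted/full:", compare(SAMPLE))
```

The `compare` figures make Ian's latency point concrete: the same three packets need 4 signature evaluations with targeted subsets against 12 when every signature is run on everything.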