Re: Intrusion Prevention Systems

From: roy lo (roylo@sr2c.com)
Date: 10/31/02


Date: Thu, 31 Oct 2002 15:46:02 -0500
From: roy lo <roylo@sr2c.com>
To: roy lo <roylo@sr2c.com>

Err.. just noticed a wording problem after I clicked send:
on "determine false positives"
it should really be "false neg. and pos."
Sorry ^_^;

roy lo wrote:

> I think there is a very important point missing here, which is the
> amount of traffic.
> Chances are Yahoo US alone has more hits than, let's say, maybe
> all of Citigroup worldwide.
> And when you have "critical service" + "high traffic" + "24/7 service",
> that is a completely different story
> from what you are talking about here.
>
> The biggest problem with IPS is that it is lacking the "AI" (or logic)
> to determine false positives. Which is not a big problem in an office env.,
> or even a low-to-middle traffic site.
> But when you are handling tens of millions of concurrent
> accesses/traffic, then it is a completely different story.
> (Try to imagine the IPS "auto-protecting" your site every minute or so.)
>
> Here, let me give a better example. Just say the chance of
> having a false positive is 1 out of 10 million (this is just some random
> number).
> In an office env., let's say the average access rate per day is a
> million, which means it will happen once every ten days.
> But a large web portal site (like Yahoo, Google, etc.) might
> have 10 million concurrent accesses per second, which means it will happen
> every second.
>
> The numbers might not be correct (since I made those up), but I think
> you can see the point I'm trying to make.
>
> Like I have been saying for a while, current IPS is really lacking the
> AI (to learn from patterns and so on).
>
>
> Andrew Plato wrote:
>
>>> From: Stephen P. Berry [mailto:spb@meshuggeneh.net]
>>
>>> The way I see it (and by `see' here I mean `grossly simplify for the
>>> sake of the argument'), there are two main flavours of machine you
>>> might want to protect with one of these gimcracks:
>>>
>>> -Critical services. I.e., a company's online store or something
>>> like that. If this thing goes down, some marketing droid
>>> immediately appears in your office/cube, and starts reciting
>>> figures about how the company starts losing nineteen megadoubloons
>>> a fortnight during outages. So this is the stuff you're really
>>> worried about.
>>> -Random desktops. I.e., everything else. The mean time between
>>> outages depends on when the lusers last took their medication,
>>> and someone else fields the calls for this stuff.
>>>
>>
>>
>> I would agree with your assessment Stephen. However, I think we need to
>> differentiate Network-based IPS (NIPS) from Host-based IPS (HIPS).
>> I don't think we'll be seeing those acronyms on any marketing brochures
>> anytime soon. :-)
>> NIPS are usually in-line firewall/IDS hybrids that can defend systems
>> en-masse. HIPS are usually software that can react to funny behavior and
>> defend the system (usually using some kind of firewall or TCP kill.)
>> I see NIPS products like Guard as "special-use" systems designed to
>> offer a "special" layer of protection to critical systems or systems
>> that are prohibitively difficult to individually secure.
>> The examples I like to point out are:
>>
>> 1. Critical mainframes: These systems are often the lifeblood of
>> financial organizations yet lack a lot of security mechanisms as they
>> are complex and use arcane software. An IPS in front of one of these
>> systems can help defend it from random attacks or even snooping
>> employees.
>> 2. Critical segments: I have one client that has a big bank of Linux
>> clustered machines. These are highly complex systems that have a very
>> specific purpose. Due to the complexity of these systems, it is
>> prohibitively difficult to secure each machine individually. Therefore,
>> a Guard unit can be slapped in front of the entire segment and help
>> defend the entire cluster.
>> 3. Temporary defense: Another usage of IPS is in a temporary defense
>> situation. For example, one customer has a DMZ where they are deploying
>> web applications. They need to test and evaluate the use of these
>> applications across the Internet but fear hacks while those systems are
>> in testing. An IPS can offer a temporary defense layer that can analyze
>> what is coming in and help harden those applications from attack.
>> What these products are NOT is a replacement for a firewall or IDS. They
>> are just another option admins can use to help make a network more
>> resistant and resilient to intrusion.
>>
>> HIPS is a whole different story. In some respects, HIPS is a bit easier
>> to handle and has had more success. Entercept, for example, has done
>> quite well with their behavior-based IPS solutions. ISS of course has
>> RealSecure Server Sensor and Desktop Protector, which are essentially IPS
>> products.
>> Where HIPS goes astray is when people mix up HIPS with the "personal
>> firewall" market. A HIPS product like Entercept is NOT a personal
>> firewall like ZoneAlarm or Tiny. Zone is a big, dumb lock for home users
>> to feel cozy that their DSL isn't being hacked by script kiddies. It is
>> not an IPS.
>>
>>
>>> Now I'm not suggesting that it's worthless or -harmful- to deploy an
>>> IPS in such a situation---just that there isn't much to justify the
>>> pain and expense of such a deployment. If this is -not- the case,
>>> then I'd submit that you've probably made a nonzero number of GCEs
>>> in the implementation of your network.
>>>
>>
>>
>> There is pain with an IPS installation. But, there is pain ANYTIME you
>> change the dynamics of a network. This is why IPS has to be considered
>> and implemented carefully. But you could say that about any new or
>> emerging technology. Early adopters are going to feel more pain, but
>> they will also be ahead of the curve.
>> The expense can be justified if you consider that it delivers a level of
>> peace of mind. Although there are always ways to thwart these
>> technologies, they do offer a greater degree of security than if they
>> weren't there at all. That translates into some peace of mind,
>> which...however intangible or questionable...has value.
>> __________________________________
>> Andrew Plato, CISSP
>> President / Principal Consultant
>> Anitian Corporation
>>
>> 503-644-5656 Office
>> 503-644-8574 Fax
>> 503-201-0821 Mobile
>> www.anitian.com _______________________________
>>
>

-- 
Roy Lo  
Freelance Consultant 
E-mail -  roylo@sr2c.com

Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
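The false-positive arithmetic in roy lo's message above, worked through as an added example; this is not code from the original thread or from any IPS vendor mentioned in it. It takes his made-up figures (a false-positive rate of 1 in 10 million, about a million requests a day for an office, 10 million a second for a large portal) and, going beyond the message, also shows the probability of at least one wrong block inside a given window and what fraction of an IPS's blocks are real attacks when attacks are a small share of traffic. The per-request false-positive rate, the detection rate and the attack fraction are all assumed inputs, not measurements.

```python
"""How an inline IPS's per-request false-positive rate turns into wrongly
blocked traffic at different volumes.

Added illustration for the Focus-IDS thread; every rate below is an assumed
input (the thread's own figures are made up, as its author says), not a
measurement of any product.
"""
import math

SECONDS_PER_DAY = 86_400


def expected_false_positives(fp_rate_per_request, requests):
    """Expected number of benign requests wrongly blocked out of `requests`."""
    return fp_rate_per_request * requests


def mean_time_between_false_positives(fp_rate_per_request, requests_per_second):
    """Average seconds between two wrong blocks; infinite if nothing is ever blocked."""
    blocks_per_second = fp_rate_per_request * requests_per_second
    return math.inf if blocks_per_second == 0 else 1.0 / blocks_per_second


def prob_at_least_one_false_positive(fp_rate_per_request, requests_per_second,
                                     window_seconds):
    """Probability that at least one benign request is blocked within a window.

    Treats wrong blocks as a Poisson process with rate fp_rate * rps, the usual
    approximation when each request is classified independently.
    """
    expected = fp_rate_per_request * requests_per_second * window_seconds
    return 1.0 - math.exp(-expected)


def block_precision(detection_rate, fp_rate_per_request, attack_fraction):
    """P(request really was an attack | the IPS blocked it), by Bayes' rule.

    When attacks are rare, false positives dominate the blocked set even though
    the per-request false-positive rate looks tiny: the base-rate effect behind
    the complaint that the IPS lacks the logic to tell false positives apart.
    """
    p_blocked = (detection_rate * attack_fraction
                 + fp_rate_per_request * (1.0 - attack_fraction))
    if p_blocked == 0:
        return 0.0
    return detection_rate * attack_fraction / p_blocked


def compare_sites(fp_rate_per_request=1e-7):
    """The thread's two scenarios side by side (constructed traffic figures)."""
    sites = {
        "office": 1_000_000 / SECONDS_PER_DAY,  # about 1M requests per day
        "portal": 10_000_000,                    # 10M requests per second
    }
    report = {}
    for name, rps in sites.items():
        report[name] = {
            "false_blocks_per_day": expected_false_positives(
                fp_rate_per_request, rps * SECONDS_PER_DAY),
            "seconds_between_false_blocks": mean_time_between_false_positives(
                fp_rate_per_request, rps),
            "p_false_block_per_minute": prob_at_least_one_false_positive(
                fp_rate_per_request, rps, 60),
        }
    return report


if __name__ == "__main__":
    for site, stats in compare_sites().items():
        print(site, {k: f"{v:.4g}" for k, v in stats.items()})
    # Same IPS, same false-positive rate: precision collapses as attacks get rarer.
    for frac in (1e-4, 1e-6, 1e-8):
        print(f"attack fraction {frac:g}: "
              f"precision {block_precision(0.9, 1e-7, frac):.3f}")
```

With the thread's numbers the office site sees a wrong block about every ten days while the portal sees one every second, and at a minute's granularity the portal is effectively certain to block a legitimate client in every window, which is the "auto-protect your site every minute" failure mode. The precision figures show the second half of the problem: with a 90% detection rate and the same 1-in-10-million false-positive rate, most blocks are real attacks while attacks make up one request in a million, but once they fall to one in a hundred million roughly nine out of ten blocks are wrong, which is why a volume-based tuning of the block threshold, not just a lower raw false-positive rate, matters at portal scale.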