Re: amount of alarms generated by IDS
From: Jason (security_at_brvenik.com)
Date: 05/12/04
- Previous message: Rob Shein: "RE: amount of alarms generated by IDS"
- In reply to: Rob Shein: "RE: amount of alarms generated by IDS"
- Next in thread: Dennis Cox: "Re: amount of alarms generated by IDS"
- Reply: Dennis Cox: "Re: amount of alarms generated by IDS"
Date: Tue, 11 May 2004 18:12:56 -0400
To: Rob Shein <shoten@starpower.net>
I have to agree with Rob and I must debate the classification of inline
IPS as simply an IDS with the ability to drop malicious-looking packets.
The comparison is more appropriately made as a firewall with the ability
to inspect traffic in the context of good or bad in addition to allowed
or disallowed.
Many inline devices are nothing more than slimmed-down proxy-based
firewalls of days past, marketed differently. The feature set is not even
that different. They understand a set number of protocols, can do
inspection and normalization of those protocols and allow or disallow
based on a match within the protocol. Some of the inline devices have
had network grep capabilities bolted on to facilitate matching of
single-packet attacks and the like. This is arguably less effective than
using a proxy-based firewall to handle valid application interactions and
blocking all non-valid communication.
This functionality is different from what an IDS does and is intended to
do. An IPS cannot be critical of the traffic with an eye to security; it
cannot be deployed in places where inline is not possible; it cannot
monitor local segments... This lack of a critical eye is because of the
many issues related to context and confidence of the data being passed,
and is a difficult problem to solve without complete and intimate
understanding of all of the protocols, hosts, and networks involved.
This results in a mildly useful number of attacks that are actually
blocked, because the risk of blocking a non-attack is high. An IDS, OTOH,
can inspect the traffic critically with an eye to security and not be
concerned with killing good traffic, and thus can audit what the IPS and
firewall have to let through.
Let's flash back a few years: Code Red just hit and wiped out a lot of
servers; many people had a firewall that was capable of preventing this
attack but could not configure it to do so in a timely manner. This is
the same as an IPS today: short of nuisance control and containment of
segmented networks, it has little value over the same resources applied
to reducing overall risk. Every place you would deploy an IPS is a
perfect place for a good firewall. $ for $, yen for yen, proactive
security and patch management will get much more bang for the buck.
I am looking for examples of any case where an inline IPS blocked an
attack that would not have been blocked or mitigated otherwise by a good
firewall and patching or mitigating a known vulnerability.
Rob Shein wrote:
> Simple. An inline IDS is one that sits inline, and thus doesn't have to
> listen promiscuously. There are a few situations where you might want this.
> The reason why there are two separate terms..."inline IDS" and "IPS"...is
> because they are two separate things.
>
>
>>-----Original Message-----
>>From: Ravishankar Ithal [mailto:ravi_ithal@yahoo.com]
>>Sent: Tuesday, May 11, 2004 1:14 PM
>>To: Rob Shein; 'Bhargav Bhikkaji'; focus-ids@securityfocus.com
>>Subject: RE: amount of alarms generated by IDS
>>
>>
>>
>>--- Rob Shein <shoten@starpower.net> wrote:
>>
>>>I'm a bit confused here. You're talking about inline IDS and IPS.
>>>Are you using the terms interchangeably? If so, you're mistaken;
>>>putting an IDS inline does not make it an IPS. And an IDS inline
>>>shouldn't be dropping packets.
>>
>>If an IDS doesn't have the ability to drop packets, why would
>>you call it "inline"? Note that sitting in the packet path or
>>as an offline box doesn't make any difference in the amount
>>and kind of traffic that the box can actually see, what with
>>spanning on switches. I _am_ using the two terms
>>interchangeably, simply because IPSs of today are nothing but
>>IDSs of yesterday with an ability to drop malicious-looking packets.
>>
>>
>>>I could see how the signatures could be tuned differently due to the
>>>fact that it is able to ensure that it sees everything, and that could
>>>generate fewer FPs, but aside from that I doubt there would be any
>>>difference. Keep in mind that an inline IDS does not (normally) do
>>>anything to bad traffic, while an IPS takes an active role in
>>>munging/blocking/denying such.
>>>
>>
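The mechanisms Jason's message contrasts (a proxy-style firewall that only passes protocol interactions it understands, a "network grep" that matches known-bad bytes, and an inline blocking policy kept conservative because a false block kills good traffic, versus a passive IDS that can alert on anything) can be seen side by side in a small simulation. The following is an added example written for this archive page, not code from any of the posts or from any product discussed; the HTTP request samples, the signature list, its confidence values, the allowed-method set and the 255-byte path limit are all constructed for the illustration.

```python
"""Added illustration of inline blocking versus passive audit (not from the posts).

  * proxy_check: positive model; only a well-formed request inside a narrow
    allowed profile gets through, whether or not it matches a known attack.
  * grep_check: negative model; report known-bad patterns, either on the raw
    bytes or after protocol normalisation of the request target.
  * inline_decision / audit_decision: the same hits read under an inline
    "block only when confident" policy and a passive "alert on anything" policy.
All samples, signatures and confidence values are constructed for the example.
"""
import re
from urllib.parse import unquote

# Constructed HTTP request lines (no headers or body) to run through each check.
SAMPLES = {
    "normal":      b"GET /index.html HTTP/1.1",
    "cmd_plain":   b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "cmd_encoded": b"GET /scripts/..%255c../winnt/system32/%63md.exe?/c+dir HTTP/1.0",
    "long_path":   b"GET /" + b"A" * 300 + b" HTTP/1.1",
    "odd_method":  b"TRACE / HTTP/1.1",
    "not_http":    b"\x16\x03\x01\x00\xa5",   # TLS record header bytes, not HTTP
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # assumed narrow site profile
MAX_PATH = 255                                  # assumed site limit

# Constructed signatures: (name, regex over the inspected bytes, confidence).
SIGNATURES = [
    ("cmd.exe in request", rb"cmd\.exe", 0.95),
    ("traversal sequence", rb"\.\./",    0.40),
    ("very long request",  rb".{300,}",  0.30),
]
BLOCK_THRESHOLD = 0.90   # the inline policy drops only on hits at or above this


def normalize_path(target: bytes, rounds: int = 3) -> str:
    """Canonicalise a request target as a protocol-aware proxy would: drop the
    query, percent-decode repeatedly (bounded, to undo double encoding) and
    fold backslashes to slashes."""
    s = target.decode("latin-1").split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def proxy_check(raw: bytes):
    """Positive model. Returns (allowed, reason); anything outside the
    understood profile is refused without needing an attack signature."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return False, "not a parseable HTTP request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method.decode()} not permitted"
    path = normalize_path(target)
    if len(path) > MAX_PATH:
        return False, "path exceeds maximum length"
    if ".." in path.split("/"):
        return False, "path traversal after normalisation"
    return True, "ok"


def grep_check(raw: bytes, normalise: bool):
    """Negative model. Returns [(signature name, confidence)] for every hit.
    With normalise=True the request target is canonicalised first, so
    percent-encoding tricks do not hide the pattern from the grep."""
    hay = raw
    if normalise:
        m = REQUEST_LINE.match(raw)
        if m:
            hay = normalize_path(m.group(2)).encode("utf-8")
    return [(name, conf) for name, pat, conf in SIGNATURES if re.search(pat, hay)]


def inline_decision(hits) -> str:
    """Inline policy: a wrong block kills legitimate traffic, so drop only on a
    high-confidence hit and let everything else through."""
    return "block" if any(conf >= BLOCK_THRESHOLD for _, conf in hits) else "pass"


def audit_decision(hits) -> str:
    """Passive policy: nothing is dropped, so every hit can be raised for review."""
    return "alert" if hits else "quiet"


def evaluate(raw: bytes) -> dict:
    """Run one request through all three mechanisms and collect the verdicts."""
    allowed, reason = proxy_check(raw)
    return {
        "proxy": "allow" if allowed else "deny",
        "proxy_reason": reason,
        "grep_raw": inline_decision(grep_check(raw, normalise=False)),
        "grep_normalised": inline_decision(grep_check(raw, normalise=True)),
        "ids_audit": audit_decision(grep_check(raw, normalise=True)),
    }


def run_all() -> dict:
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:12s} proxy={r['proxy']:5s} ({r['proxy_reason']}) "
              f"inline raw={r['grep_raw']} normalised={r['grep_normalised']} "
              f"audit={r['ids_audit']}")
```

Running it shows the three points the thread argues over: the double-encoded cmd.exe request slips past the raw grep (only a low-confidence traversal hit, so the inline policy passes it) but is denied by the proxy's positive profile and blocked once the grep runs on the normalised target; the over-long path never crosses the block threshold under either inline variant, yet the proxy refuses it on profile alone and the audit policy still raises it; the TRACE request and the non-HTTP bytes match no signature at all and are only stopped by the proxy-style check.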