Re: amount of alarms generated by IDS

From: Jason (security_at_brvenik.com)
Date: 05/12/04

  • Next message: Rob McMillen: "The release of the Honeynet Project's bootable CDROM"
    Date: Wed, 12 May 2004 09:44:02 -0400
    To: Dennis Cox <dcox@tippingpoint.com>
    
    

    Thank you for the examples, Dennis. I am still not convinced that an IPS
    provides value that is not otherwise available. My comments are inline.

    Dennis Cox wrote:
    > Jason,
    >
    > I had to take you up on your offer. Here's a recent example we heard
    > back from a customer.
    >
    > A large cable company that provides broadband Internet access uses
    > software to monitor and provide troubleshooting support for
    > subscribers. When their DNS server changed, the software caused a
    > terrible traffic problem with a large number of DNS requests. Using our
    > IPS they were able to do two things. One, Traffic Thresholds gave them
    > the ability to detect the abnormal traffic and act on it by blocking or
    > rate shaping (administrator's choice). The threshold detected a large
    > amount of DNS traffic of a certain type and limited DNS traffic of this
    > type to a preset amount (10 percent of total bandwidth - it was eating
    > up over 70 percent). They were able to write a filter for this traffic
    > and install it in the IPSs to remove the traffic in the end. A good
    > example of zero-day protection.

    This is also a great example of how a good firewall / proxy solution
    would have been appropriate had it been deployed properly. Using a good
    firewall, the DNS traffic would already have been rate limited by policy.
    The firewall/proxy would also have normalized this DNS traffic or denied
    it based on the spec, and it could have acted as a DNS cache server,
    reducing total load on the actual DNS server and balancing it
    appropriately. I fail to see how an attack was blocked or how the IPS
    provided value over existing firewall technology.

    >
    > Another example of how an IPS can protect you is from bad network
    > equipment. A Sun server had a bad ethernet cable that was creating
    > malformed packets that would knock out the ********** firewall. It
    > basically created an ISIC attack in its own way. An IPS was installed
    > and the firewall was fine. The customer however noted that he was still
    > dropping lots of traffic. Sure enough, the IPS was dropping the invalid
    > ethernet frames and notifying them. He investigated, replaced the
    > ethernet cable and the problem was solved.

    I am shocked ;-) Were the firewall and host OS fully patched?

    This happens all of the time. A good firewall, properly configured, would
    have survived an ISIC test [1] (that is what it was initially designed
    for, IIRC) and not had a failure requiring the IPS. In addition, a good
    network management infrastructure would have alerted the administrator
    to a high number of errors on the switch and router interfaces, providing
    a much faster time to resolution. I still do not see how the IPS added
    value over a good firewall / proxy deployment and solid patch management.

    >
    > So in both these cases an IPS was able to detect "wacky" network
    > conditions and protect the network (or help diagnose - depends on your
    > point of view). Your statement regarding patching is true - it's a
    > really good idea. However, what do you do when a patch comes out and
    > you need to install it on 30,000 machines before the attack comes out
    > (sometimes the next day)? Or if you're a university - how do you patch
    > machines that aren't yours?

    Unfortunately the inline device can only help at the border, and a good
    firewall will already do that. Name a single worm of late that would
    have made it past a properly deployed and configured firewall / proxy
    combination and that could not have been mitigated trivially at the same
    point in the network. I still maintain my statement from the last mail:

    "short of nuisance control and containment of segmented networks it has
    little value over the same resources applied to reducing overall risk.
    Every place you would deploy an IPS is a perfect place for a good
    firewall. $ for $, yen for yen, proactive security and patch management
    will get much more bang for the buck."

    This topic historically goes on and on without end. I would like to stay
    on topic and in the context of the stated value of an IPS, and that is
    blocking attacks. Anything else simply validates that an IPS is nothing
    more than a firewall with different messaging, as is the case with this
    example.

    To that end I am still looking for examples of any case where an inline
    IPS blocked an attack that would not have been blocked or mitigated
    otherwise by a good firewall solution and patching or mitigating a known
    vulnerability.

    [1] - http://www.packetfactory.net/Projects/ISIC/
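
    The "traffic threshold" Dennis describes, as an added example that is
    not part of the original post and not TippingPoint's code: a
    sliding-window limiter that caps one DNS query type at a configurable
    share of the bandwidth actually forwarded. Whether such a policy lives
    in an IPS or in a firewall is exactly what the thread argues about, so
    the code takes no side: it needs only a classifier and a byte counter.
    The packet stream, packet sizes, the 70% / 10% figures and the
    Packet / TrafficThreshold names are constructed for illustration, and
    the exact semantics (drop a matching packet when it would push its class
    above the share, rather than queue and delay it) are an assumption about
    how such a feature behaves, not a description of any vendor's product.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class Packet:
    ts: float    # arrival time in seconds
    size: int    # bytes on the wire
    proto: str   # "dns" or "tcp" (constructed labels, not parsed headers)
    qtype: str   # DNS query type for DNS packets, "" otherwise


class TrafficThreshold:
    """Bandwidth-share limiter for one traffic class (assumed semantics).

    Over a sliding window of `window` seconds, packets matching `match` may
    make up at most `max_share` of the bytes forwarded. A matching packet
    that would push the class over that share is dropped; everything else
    is forwarded. Dropped bytes are not counted as bandwidth, which is what
    keeps the class pinned at the configured share.
    """

    def __init__(self, match: Callable[[Packet], bool],
                 max_share: float = 0.10, window: float = 1.0) -> None:
        self.match = match
        self.max_share = max_share
        self.window = window
        self._hist: Deque[Tuple[float, int, bool]] = deque()
        self._total = 0        # bytes forwarded inside the window
        self._matched = 0      # of which bytes belong to the limited class
        self.dropped = 0

    def _expire(self, now: float) -> None:
        # Forget forwarded packets that have left the window.
        while self._hist and now - self._hist[0][0] > self.window:
            _, size, matched = self._hist.popleft()
            self._total -= size
            if matched:
                self._matched -= size

    def admit(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(pkt.ts)
        matched = self.match(pkt)
        if matched and self._total > 0:
            share = (self._matched + pkt.size) / (self._total + pkt.size)
            if share > self.max_share:
                self.dropped += 1
                return False
        self._hist.append((pkt.ts, pkt.size, matched))
        self._total += pkt.size
        if matched:
            self._matched += pkt.size
        return True


def constructed_stream() -> List[Packet]:
    """Constructed sample traffic, not a capture: one second of 1000 equal
    sized packets, 70% DNS PTR queries (the runaway class), 10% ordinary
    DNS A queries and 20% TCP."""
    pkts = []
    for i in range(1000):
        slot = i % 10
        if slot < 7:
            pkts.append(Packet(i / 1000, 80, "dns", "PTR"))
        elif slot == 7:
            pkts.append(Packet(i / 1000, 80, "dns", "A"))
        else:
            pkts.append(Packet(i / 1000, 80, "tcp", ""))
    return pkts


def share_of(pkts: List[Packet], match: Callable[[Packet], bool]) -> float:
    total = sum(p.size for p in pkts)
    return sum(p.size for p in pkts if match(p)) / total if total else 0.0


def simulate(max_share: float = 0.10) -> Dict[str, float]:
    """Run the constructed stream through a PTR-only threshold and report
    the class's bandwidth share before and after shaping."""
    def is_ptr(p: Packet) -> bool:
        return p.proto == "dns" and p.qtype == "PTR"

    def is_a(p: Packet) -> bool:
        return p.proto == "dns" and p.qtype == "A"

    stream = constructed_stream()
    limiter = TrafficThreshold(is_ptr, max_share=max_share)
    forwarded = [p for p in stream if limiter.admit(p)]
    return {
        "ptr_share_before": share_of(stream, is_ptr),
        "ptr_share_after": share_of(forwarded, is_ptr),
        "a_share_after": share_of(forwarded, is_a),   # untouched class
        "dropped": limiter.dropped,
        "forwarded": len(forwarded),
    }


if __name__ == "__main__":
    for key, val in simulate().items():
        print(f"{key}: {val:.3f}" if isinstance(val, float) else f"{key}: {val}")
```

    Only the matched class (PTR queries) is ever dropped; the A queries and
    TCP packets pass untouched, so the "A" share of forwarded traffic rises
    simply because the denominator shrinks. That is the trade-off any
    threshold of this kind makes: it protects the link, not the clients
    whose lookups are discarded, which is why the post's second step was a
    filter for the offending traffic rather than a permanent cap.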
