Re: amount of alarms generated by IDS
From: Jason (security_at_brvenik.com)
Date: Wed, 12 May 2004 09:44:02 -0400
To: Dennis Cox <firstname.lastname@example.org>
Thank you for the examples, Dennis. I am still not convinced that an IPS
provides value otherwise not available. My comments are inline.
Dennis Cox wrote:
> I had to take you up on your offer. Here's a recent example we heard
> back from a customer.
> A large cable company that provides Broadband Internet access uses
> software to monitor and provide troubleshooting support for
> subscribers. When their DNS server changed the software caused a
> terrible traffic problem with a large number of DNS requests. Using our
> IPS they were able to do two things: One, Traffic Thresholds gave them
> the ability to detect and act on (by blocking or rate shaping,
> administrator's choice) the abnormal traffic. The threshold detected a
> large amount of DNS traffic of a certain type and limited DNS traffic
> of this type to a preset amount (10 percent of total bandwidth - it was
> eating up over 70 percent). They were able to write a filter for this
> traffic and install it in the IPSs to remove the traffic in the end. A
> good example of zero day protection.
This is also a great example of how a good firewall / proxy solution
would have been appropriate had it been deployed properly; using a good
firewall, the DNS traffic would have been rate limited already by policy.
The firewall/proxy also would have normalized this DNS traffic or denied
it based on spec; it could also have acted as a DNS cache server,
reducing total load on the actual DNS server and balancing it
appropriately. I fail to see how an attack was blocked and how the IPS
provided value over existing firewall technology.
> Another example of how an IPS can protect you is from bad network
> equipment. A Sun server had a bad Ethernet cable that was creating
> malformed packets that would knock out the ********** firewall. It
> basically created an ISIC attack in its own way. An IPS was installed
> and the firewall was fine. The customer however noted that he was still
> dropping lots of traffic. Sure enough, the IPS was dropping the invalid
> Ethernet frames and notifying them. He investigated, replaced the
> Ethernet cable, and problem solved.
I am shocked ;-) Were the firewall and host OS fully patched?
This happens all of the time. A good firewall properly configured would
have survived an ISIC test (that is what it was initially designed
for, IIRC) and not had a failure requiring the IPS. In addition, a good
network management infrastructure would have alerted the administrator
to a high number of errors on the switch and router interfaces, providing
a much faster time to resolution. I still do not see how the IPS added
value over a good firewall / proxy deployment and solid patch management.
> So in both of these cases an IPS was able to detect "wacky" network
> conditions and protect the network (or help diagnose - depends on your
> point of view). Your statement regarding patching is true - it's a
> really good idea. However, what do you do when a patch comes out and
> you need to install it on 30,000 machines before the attack comes out
> (sometimes the next day)? Or if you're a university - how do you patch
> machines that aren't yours?
Unfortunately the inline device can only help at the border, and a good
firewall will already do that. Name a single worm of late that would
have made it past a properly deployed and configured firewall / proxy
combination that could not have been mitigated trivially at the same
point in the network. I still maintain my statement from the last mail:
"short of nuisance control and containment of segmented networks it has
little value over the same resources applied to reducing overall risk.
Every place you would deploy an IPS is a perfect place for a good
firewall. $ for $, yen for yen, proactive security and patch management
will get much more bang for the buck."
This topic historically goes on and on without end; I would like to stay
on topic and in the context of the stated value of IPS, and that is
blocking attacks. Anything else simply validates that an IPS is nothing
more than a firewall with different messaging, as is the case with this
To that end, I am still looking for examples of any case where an inline
IPS blocked an attack that would not have been blocked or mitigated
otherwise by a good firewall solution and patching or mitigating a known
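The two quoted scenarios (a runaway DNS flood held to a bandwidth cap, and invalid Ethernet frames being dropped and alerted on) describe behaviour that is easy to make concrete. The following is an added example written for this page; it is not code from either poster or from any vendor's product. The link rate, the alarm threshold, the 10 percent cap and the traffic sample are all constructed assumptions, chosen so the DNS traffic takes about 75 percent of the assumed link as in the first example.

```python
"""Traffic-threshold detection, rate shaping and malformed-frame filtering.

Added example modelled on the two scenarios quoted in the thread (a DNS
flood taking over 70% of bandwidth, capped to 10%; a bad cable producing
invalid frames). All traffic is constructed; link rate and thresholds are
assumptions, not values from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

ETH_MIN_FRAME = 60            # smallest legal Ethernet frame, excluding the 4-byte FCS
ETH_MAX_FRAME = 1514          # largest standard (non-jumbo) frame, excluding FCS
LINK_BYTES_PER_SEC = 100_000  # assumed link capacity for the constructed traffic


@dataclass(frozen=True)
class Frame:
    ts: float           # arrival time in seconds
    proto: str          # "udp" or "tcp"
    dport: int          # destination port
    length: int         # frame length in bytes, excluding FCS
    fcs_ok: bool = True # False models a frame whose checksum failed


def is_dns(f: Frame) -> bool:
    return f.proto == "udp" and f.dport == 53


def frame_malformed(f: Frame) -> bool:
    """Runt, giant or FCS-failing frames: the usual output of a bad cable or NIC."""
    return not f.fcs_ok or f.length < ETH_MIN_FRAME or f.length > ETH_MAX_FRAME


def drop_malformed(frames):
    """Split frames into (forwarded, dropped); the dropped list is what to alert on."""
    good = [f for f in frames if not frame_malformed(f)]
    bad = [f for f in frames if frame_malformed(f)]
    return good, bad


def dns_bytes_per_window(frames, window=1.0):
    """Bytes of DNS traffic seen in each `window`-second bucket."""
    dns = defaultdict(int)
    for f in frames:
        if is_dns(f):
            dns[int(f.ts // window)] += f.length
    return dict(dns)


def dns_link_share(frames, link_bps=LINK_BYTES_PER_SEC, window=1.0):
    """Fraction of link capacity consumed by DNS in each window."""
    cap = link_bps * window
    return {w: b / cap for w, b in dns_bytes_per_window(frames, window).items()}


def detect_dns_threshold(frames, alarm=0.50, link_bps=LINK_BYTES_PER_SEC, window=1.0):
    """Windows in which DNS exceeds `alarm` of link capacity (the detection step)."""
    shares = dns_link_share(frames, link_bps, window)
    return sorted(w for w, s in shares.items() if s > alarm)


def shape_dns(frames, cap=0.10, link_bps=LINK_BYTES_PER_SEC, window=1.0):
    """Per-window byte budget: DNS may use at most `cap` of link capacity.
    Non-DNS traffic is never touched. Returns (forwarded, dropped)."""
    budget = defaultdict(lambda: int(link_bps * window * cap))
    fwd, dropped = [], []
    for f in sorted(frames, key=lambda f: f.ts):
        if not is_dns(f):
            fwd.append(f)
            continue
        w = int(f.ts // window)
        if budget[w] >= f.length:
            budget[w] -= f.length
            fwd.append(f)
        else:
            dropped.append(f)
    return fwd, dropped


# Constructed one-second sample: 750 DNS queries of 100 bytes (75 KB, i.e.
# 75% of the assumed link), 20 web frames of 1000 bytes, and 7 bad frames.
TRAFFIC = (
    [Frame(i / 1000, "udp", 53, 100) for i in range(750)]
    + [Frame(0.01 + i / 50, "tcp", 80, 1000) for i in range(20)]
    + [Frame(0.2 + i / 100, "tcp", 80, 30) for i in range(5)]                  # runts
    + [Frame(0.3 + i / 100, "tcp", 80, 500, fcs_ok=False) for i in range(2)]   # bad FCS
)

if __name__ == "__main__":
    good, bad = drop_malformed(TRAFFIC)
    print(f"malformed frames dropped: {len(bad)}")
    print(f"DNS share of link per window: {dns_link_share(good)}")
    print(f"windows over threshold: {detect_dns_threshold(good)}")
    fwd, dropped = shape_dns(good)
    print(f"DNS frames shaped away: {len(dropped)} of {sum(map(is_dns, good))}")
```

The shaping step is deliberately kept separate from detection: the detector only says which windows crossed the line, and the operator decides whether the action is to block, to shape, or merely to alert, which is the choice both sides of the thread take for granted. The same budget logic applies whether it runs in an inline IPS or in a firewall policy, so the example does not settle the argument above; it only shows what the described behaviour amounts to.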