RE: Wishlist for IPS Products

From: Paine, Steve (Steve.Paine_at_ish.com)
Date: 09/13/04

    To: focus-ids@securityfocus.com
    Date: Mon, 13 Sep 2004 09:59:46 +0200
    
    

    Having been through the IPS purchasing cycle, I can input my thoughts
    (personal, of course).

    I think the next big step in IPS will be packet correction/content
    correction.
    Currently most IPSs are packet-based filters, passing or dropping packets
    only.

    So my wish for next-gen IPS is:
    We need to be able to cover content checking for non-time-critical flows:
    email, HTTP.
    This will allow us to check:
    - cross-site scripting issues.
    - gzip-encoded content checking for HTML, MIME etc. (requires full-stream
    buffering!)
    - email virus/spam signature checks

    For the future:

    In effect, the ultimate consumer product would be a combination of all
    in-line device activities into one unit. However, I can't see these market
    segments converging very quickly as there are too many people making too much
    money out of dedicated devices.

    My ideal in-line policer would have:
    Basic port-based stateful firewall
    Intrusion prevention by signature
    Intrusion prevention by anomaly (using historical traffic profiling)
    Anti-virus capabilities (offload to external content scanner?)
    DoS prevention and DoS traceback assistance.
    Traffic policing/shaping on a protocol deep-inspection basis (not just
    policing TCP port numbers - this is a requirement for the ever-moving P2P
    policing challenge)
    Billing/statistics output (for usage-based services)
    Web-site blocking
    Traffic analysis, growth, projections, analysis - per protocol.
    Lawful interception interfaces for ISPs.
    Asymmetric traffic capability.

    Plus all the normal requirements for an in-line device:
    Gbps throughput.
    Gigabit ports. (optical)
    Minimal latency (<2ms)
    Drop-in architecture (bridge mode)
    High availability mode (active-standby)
    Load-sharing mode (active-active)
    240v or 48v operation with dual PSU.
    Management lan interface (10/100)
    Graphical user interface
    Syslog output.
    SNMP trap output.
    SNMP management capability.
    NTP time syncing.
    19" rack mountable
    Live update of ruleset and signatures. (no downtime)
    Minimal downtime for OS upgrades.

    Hope this helps the manufacturers. It probably helps those looking for a
    device too!!

    Steve.
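    Steve's point that gzip-encoded content checking requires full-stream buffering, as an added illustration (not code from the original thread or from any vendor): a packet-by-packet filter cannot see a signature inside a gzip-encoded HTTP body, nor one that straddles two TCP segments, while a flow-aware inspector that buffers the header and inflates the body incrementally catches both. The sample page, the signature and every function name here are constructed for this example.

```python
import gzip
import zlib

# Constructed sample data: a content signature and an HTML page containing it.
SIGNATURE = b"<script>"
PAGE = b"<html><body>" + b"x" * 300 + SIGNATURE + b"y" * 300 + b"</body></html>"

def build_response(html: bytes, gz: bool) -> bytes:
    """Constructed HTTP/1.1 response, optionally with a gzip-encoded body."""
    body = gzip.compress(html) if gz else html
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if gz:
        head += b"Content-Encoding: gzip\r\n"
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body

def segment(stream: bytes, mss: int = 128) -> list:
    """Cut the byte stream into TCP-segment-sized pieces."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

def packet_filter_match(packets: list, sig: bytes = SIGNATURE) -> bool:
    """Packet-based IPS: each segment's raw bytes are inspected in isolation."""
    return any(sig in p for p in packets)

class StreamInspector:
    """Flow-aware inspector (constructed, not a real IPS engine): buffers the
    HTTP header, inflates the body as it arrives, keeps a tail across segments."""

    def __init__(self, sig: bytes = SIGNATURE):
        self.sig, self.hdr, self.tail = sig, b"", b""
        self.in_body, self.inflater, self.hit = False, None, False

    def feed(self, chunk: bytes) -> bool:
        if not self.in_body:
            self.hdr += chunk
            head, sep, chunk = self.hdr.partition(b"\r\n\r\n")
            if not sep:
                return self.hit                 # header still incomplete
            self.in_body = True
            if b"content-encoding: gzip" in head.lower():
                self.inflater = zlib.decompressobj(31)   # wbits 31: gzip framing
        data = self.inflater.decompress(chunk) if self.inflater else chunk
        window = self.tail + data               # tail lets a split match be seen
        self.hit = self.hit or self.sig in window
        self.tail = window[max(len(window) - len(self.sig) + 1, 0):]
        return self.hit

def stream_match(packets: list, sig: bytes = SIGNATURE) -> bool:
    insp = StreamInspector(sig)
    return any(insp.feed(p) for p in packets)
```

    With the 128-byte segments used here the plain-text signature also happens to straddle a segment boundary, so the packet filter misses it even without compression.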

    -----Original Message-----
    From: PS R [mailto:secureyourself@gmail.com]
    Sent: Friday, September 10, 2004 4:18 PM
    To: focus-ids@securityfocus.com
    Subject: Wishlist for IPS Products

    I have seen a lot of discussion about the differences between IDS,
    IPS, and firewalls and the potential for convergence, but I do not
    recall a discussion on the primary features that an IPS should have
    out of the box.

    I am thinking of:
    - Flow Control - limitations on flooding, unused connections, etc...
    - Robust, ACCURATE signature base
    - Packet capture - no debate on how much before, as that has been covered
    - Pre-deployment network analysis tools to accelerate deployment
    - Anomaly detection
    - Alert export compatibility with 3rd party event management solutions

    It seems like discussions of this type can only serve to improve the
    products on the market (or coming to the market), since we know at
    least some of the vendors are monitoring this list.

    Jack

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE
    IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
    learn more.
    --------------------------------------------------------------------------
