Re: Wishlist for IPS Products
From: PS R (secureyourself_at_gmail.com)
Date: 09/13/04
- Previous message: Paine, Steve: "RE: Wishlist for IPS Products"
- Maybe in reply to: PS R: "Wishlist for IPS Products"
- Next in thread: Tony Carter: "Re: Wishlist for IPS Products"
Date: Mon, 13 Sep 2004 06:29:10 -0400
To: focus-ids@securityfocus.com
Appreciate the response, but I wanted to make it clear that I am not
advocating any of the suggestions listed, just providing a starting
point for the conversation. What I listed is a brief list of what
current vendors are providing.
I agree with you on the accurate detection base and current vendors,
but still feel this should be a requirement. 1200 signatures on an
IPS, of which you can enable only 200 confidently to block = 200 IPS
signatures and 1000 IDS signatures. I would rather discuss
vulnerabilities/exploits covered by the signatures and if you can
cover 10 vulnerabilities with a single signature that does not false
positive, then you are on to something.
Anomaly detection (e.g. new worm detection, detection of new buffer
overflows, etc...) should be a part of the product. This should not
replace a signature base, but be in addition to signature and ACL
parsing.
Tools are helpful, but typically are not a part of the IPS being
shipped. I do believe good baselining tools should be included to do
advanced network analysis/discovery.
Thanks
Jack
On Sun, 12 Sep 2004 00:29:51 -0400, David Maynor <dmaynor@gmail.com> wrote:
> Yeah....I am gonna go ahead and disagree with you on some of these.
>
> > I have seen a lot of discussion about the differences between IDS,
> > IPS, and firewalls and the potential for convergence, but I do not
> > recall a discussion on the primary features that an IPS should have
> > out of the box.
> >
> > I am thinking of:
> > - Flow Control - limitations on flooding, unused connections, etc...
>
> Most of this should be handled by the signature base.
>
> > - Robust, ACCURATE signature base
>
> Only way to do this and not create tons of false positives is true
> protocol parsing. This knocks out most IPS vendors like Tipping Point.
>
> > - Packet capture - no debate on how much before, as that has been covered
> > - Pre-deployment network analysis tools to accelerate deployment
> > - Anomaly detection
>
> Why? I have yet to see a system that is more than a parlor trick.
> Anomaly-based systems are even easier to evade than sig based systems
> that don't do protocol parsing.
>
> What I would add is better tools for testing. Almost nobody grabs a
> copy of Canvas from Immunity or Impact from Core and actually checks
> what attacks are caught. Furthermore, an even fewer number use modded
> copies of public exploits to see if the claims made by vendors are
> actually true. How many vendors' IPS implementations would actually catch
> a MS03-026 exploit if you frag at the RPC layer at a size like 8
> bytes?
>