Re: IPS, alternative solutions

From: Jason (security_at_brvenik.com)
Date: 09/17/04

    Date: Fri, 17 Sep 2004 12:34:34 -0400
    To: "Palmer, Paul (ISSAtlanta)" <PPalmer@iss.net>
    
    

    The statement "The ROI here is obvious when a worm hits before you can
    complete the patch installation" is provably false.

    I understand the position that an IPS can buy you some time. I question
    the amount of time it buys and the measurable value provided. It has
    been my experience that the IPS fails to adequately protect the network
    even if it can cover _all_ of the internal route points. If you can
    deploy at all route points it still only limits the damage to the local
    segment in the case of a compromise, provided it is actually configured
    to block that traffic. This is where the "worm" case completely breaks
    down and the ROI is provably false.

    Delaying a patch several months with or without an IPS is at best making
    a bet with the devil. A single compromised laptop becomes an entry point
    to the network, thus completely bypassing the IPS. This means that any
    failure of access control results in the network being fully infected in
    minutes.

    I have several examples of very security conscious organizations being
    bitten by this single failure, in one case several weeks after the
    initial worm release. The interesting thing is that the existing
    firewall successfully kept the worm out of the network for two weeks and
    the internal firewalls sheltered some servers where possible when the
    laptop entered; however, they still had a large infestation of systems to
    cope with.

    This is why I am looking for an ROI model that shows how the IPS can
    adequately protect against the threat while showing value over applying
    the same money to accelerate testing and application of patches or
    mitigating the threat on the node itself.

    I see where a case could be made that a host based product can provide
    some shelter but I fail to see how a network based product could.
    Practical observation shows us that the software based solutions,
    available for years, have failed to achieve the goal while having much
    higher saturation rates. They have also become threats themselves due to
    vulnerabilities and the regression issues they introduce. This
    ultimately slows down proper patching and mitigation further which is a
    net negative effect.

    I have even heard of companies disabling SP2 firewall capabilities so
    that they can scan the hosts for vulnerabilities. This is flying in the
    face of best practice; with the firewall enabled they have no network
    exposure and thus no vulnerabilities exposed to the scanner. We end up
    back at the asset management and patching methodology as the only
    sustainable solution.

    Palmer, Paul (ISSAtlanta) wrote:
    > Jason,
    >
    > The ROI in a medium+ organization does not come from using IPS as a
    > patch replacement system. The IPS lets the organization schedule the
    > patches at its convenience instead of the de facto schedule implied by
    > the release of the patch. That is, without something like an IPS in
    > place, the organization needs to apply patches as quickly as possible to
    > maintain their security posture. This is problematic for many reasons.
    > However, there are two common, major ones. First, it can take months
    > (even longer) to deploy a patch to all levels of an organization. During
    > this time the organization remains vulnerable. Second, it is difficult
    > to manage multiple overlapping patch and/or frequent patch processes.
    >
    > The IPS allows them to delay patch installation until it is convenient
    > and this is where the ROI materializes. The IPS protects the
    > organization until it can deploy the patch everywhere. The ROI here is
    > obvious when a worm hits before you can complete the patch installation.
    >
    > It turns out that the cost to install a dozen patches at once (even from
    > multiple vendors) is not much more than the cost to install one critical
    > patch. So an organization that can defer all patch installation to the
    > beginning of each quarter for example can reap huge dividends over the
    > cost of rolling out each patch individually. They only need to test one
    > set of changes prior to applying them (instead of several per quarter).
    > In addition, the number of different configurations present in the
    > organization at any moment is reduced, thereby lowering support costs.
    >
    > Paul
    >
    > -----Original Message-----
    > From: Jason [mailto:security@brvenik.com]
    > Sent: Wednesday, September 15, 2004 3:47 PM
    > To: Scott Wimer
    > Cc: Daniel; focus-ids@securityfocus.com
    > Subject: Re: IPS, alternative solutions
    >
    >
    > I've heard of no medium+ sized business that is considering deploying
    > inline technology on the internals of the network in a sufficiently
    > pervasive manner that there would be any measurable benefit from the
    > technology over patching and asset management.
    >
    > I would be seriously interested in an ROI that can demonstrate savings.
    >
    > The simple question is how is inline packet scrubbing easier and more
    > cost effective than patching?
    >
    > Scott Wimer wrote:
    >
    >
    >>Daniel,
    >>
    >>I agree with your assessment. What I have encountered in the
    >>financial sector though is a desire to have the packets "scrubbed"
    >>before they reach the servers. People _want_ to deploy network based
    >>IPS tools because it is easier and more cost effective. That it
    >>doesn't seem to be possible yet is another story altogether.
    >>
    >>Regards, Scott Wimer
    >>
    >>On Tue, 2004-09-14 at 06:01, Daniel wrote:
    >>
    >>
    >>>So far there has been a load of talk discussing which is the better
    >>>technology. Personally I don't think IPS is ready for the big time.
    >>>Yeah it's great for small mum and dad networks, but for large
    >>>financial networks with billions of pounds flowing across them, would
    >>>you trust a technology to think and block what it seems as bad
    >>>traffic?
    >>>
    >>>So what are the alternatives? I'd say more host based protection such
    >>>as:
    >>>
    >>>- Stack protection
    >>>- Application level firewalls (ModSecurity/SecureIIS)
    >>>- Host based firewalls
    >>>
    >>>I'm interested to see what everyone else feels are alternatives to
    >>>IPS
    >>>
    >>>
    >>>---------------------------------------------------------------------
    >>>-----
    >>> Test Your IDS
    >>>
    >>>Is your IDS deployed correctly? Find out quickly and easily by
    >>>testing it with real-world attacks from CORE IMPACT. Go to
    >>>http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >>>to learn more.
    >>>

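As an added illustration of the "how much time does the IPS buy" question argued above (this is not code from the thread, from ISS or from any IPS product), a toy exposure model in which worm traffic from outside is blocked at the route points the IPS covers, while an infected laptop carried inside bypasses the IPS entirely. All rates, coverage figures and patch windows are constructed values, not measurements.

```python
import math


def daily_compromise_probability(worm_rate: float, ips_coverage: float,
                                 bypass_rate: float) -> float:
    """Probability that a still-unpatched network is compromised on one day.

    worm_rate:    daily chance the worm reaches the network from outside
    ips_coverage: fraction of route points where an inline IPS is deployed
                  AND configured to block this worm's traffic (0.0 .. 1.0)
    bypass_rate:  daily chance an infected mobile device (the laptop case)
                  is plugged in behind the IPS; the IPS never sees that path
    """
    through_ips = worm_rate * (1.0 - ips_coverage)
    # Either path alone is enough; the two are treated as independent.
    return 1.0 - (1.0 - through_ips) * (1.0 - bypass_rate)


def compromise_probability(days: int, daily_p: float) -> float:
    """Chance of at least one compromise before patching completes after `days`."""
    return 1.0 - (1.0 - daily_p) ** days


def days_ips_buys(worm_rate: float, ips_coverage: float, bypass_rate: float,
                  fast_patch_days: int, horizon: int = 3650) -> int:
    """Longest patch deferral behind the IPS that is no riskier than patching
    in `fast_patch_days` with no IPS at all.

    Solves 1-(1-p_ips)^d <= 1-(1-p_fast)^n for d (assumes p_fast < 1).
    Returns `horizon` when nothing can reach the hosts at all.
    """
    p_fast = daily_compromise_probability(worm_rate, 0.0, bypass_rate)
    p_ips = daily_compromise_probability(worm_rate, ips_coverage, bypass_rate)
    if p_ips <= 0.0:
        return horizon
    d = fast_patch_days * math.log(1.0 - p_fast) / math.log(1.0 - p_ips)
    return min(horizon, int(d))


if __name__ == "__main__":
    # Constructed scenario: worm arrives 10%/day, IPS covers 95% of route
    # points, fast patching would take 14 days without an IPS.
    print("no laptop bypass :", days_ips_buys(0.1, 0.95, 0.00, 14), "days bought")
    # A 1%/day chance of an infected laptop behind the IPS cuts that sharply,
    # because the IPS coverage figure does nothing against that path.
    print("1%/day bypass    :", days_ips_buys(0.1, 0.95, 0.01, 14), "days bought")
```

The number to watch is how fast the deferral window shrinks as `bypass_rate` rises; that sensitivity, rather than the absolute days, is what an ROI claim for deferred patching has to survive.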
