Re: IPS, alternative solutions

From: Jason (security_at_brvenik.com)
Date: 09/17/04

    Date: Fri, 17 Sep 2004 17:11:38 -0400
    To: "Cure, Samuel J" <scure@kpmg.com>

    I think we can all agree that IPS is no replacement for Patch
    Management. My point is that there is no demonstrable ROI that I have
    seen for IPS yet there appears to be a perception that it is a more cost
    effective way of dealing with the problem. This is likely a result of
    the parroting by some IPS vendors of a virtual patching concept. I am
    open to the case if it can be shown, this is why I asked anyone to
    provide an actual ROI.

    The way I see it, an IPS can attempt to contain your infestation and
    help reduce your legal exposure from outbound attacks that would
    otherwise make it to your partners... This is a value I can quantify and
    the best use case I have seen for IPS. The problem I have with it is
    that a properly implemented firewall can most likely do the same and
    provide much better overall value.

    With IPS we also have to consider that it is often implemented to "fail
    open" allowing traffic to pass unmolested in the case of a failure. If
    we can all agree that system overload is often the case in worm
    outbreaks then we have a bad situation brewing. I predict that the
    failure will ultimately result in containment being lost when the IPS is
    overwhelmed. I would like to test that prediction IRL if I get a chance.
    Does anyone have real world data surrounding the failure cases under
    extreme load?

    Cure, Samuel J wrote:

    > I agree with Paul that IPS is not a solution to replace existing patch
    > management solutions. In fact, I would not even rely on it to "buy time"
    > until a consolidated update is ready (such as quarterly). There are too many
    > opportunities for exposure while waiting for the consolidated update even
    > WITH IPS installed. There are many encoders available these days that allow
    > for the most commonly detected exploits to be concealed over the wire and
    > bypass IDS/IPS systems.
    >
    > I do agree however with the resource requirements necessary for testing and
    > rolling out each patch or hotfix.
    >
    > Scott, to answer your question on cost effective, perhaps IPS will more than
    > likely be less expensive than the resources required to test and update
    > patches.
    >
    > There are many factors to consider during this evaluation as well such as
    > - standard builds and services that are not needed.
    > - several patch management systems are available today that are starting to
    > take away from the argument of patch test resources being unavailable
    > - IPS technology is being developed that provides more holistic analysis to
    > detect anomalies for zero day and newer exploits. These may have the ability to
    > verify encoded exploit packets as well.
    >
    > Just my thoughts,
    >
    > Scure
    >
    > -----Original Message-----
    > From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net]
    > Sent: Friday, September 17, 2004 10:36 AM
    > To: Jason; Scott Wimer
    > Cc: Daniel; focus-ids@securityfocus.com
    > Subject: RE: IPS, alternative solutions
    >
    >
    > Jason,
    >
    > The ROI in a medium+ organization does not come from using IPS as a
    > patch replacement system. The IPS lets the organization schedule the
    > patches at its convenience instead of the de facto schedule implied by
    > the release of the patch. That is, without something like an IPS in
    > place, the organization needs to apply patches as quickly as possible to
    > maintain their security posture. This is problematic for many reasons.
    > However, there are two common, major ones. First, it can take months
    > (even longer) to deploy a patch to all levels of an organization. During
    > this time the organization remains vulnerable. Second, it is difficult
    > to manage multiple overlapping patch and/or frequent patch processes.
    >
    > The IPS allows them to delay patch installation until it is convenient
    > and this is where the ROI materializes. The IPS protects the
    > organization until it can deploy the patch everywhere. The ROI here is
    > obvious when a worm hits before you can complete the patch installation.
    >
    > It turns out that the cost to install a dozen patches at once (even from
    > multiple vendors) is not much more than the cost to install one critical
    > patch. So an organization that can defer all patch installation to the
    > beginning of each quarter for example can reap huge dividends over the
    > cost of rolling out each patch individually. They only need to test one
    > set of changes prior to applying them (instead of several per quarter).
    > In addition, the number of different configurations present in the
    > organization at any moment is reduced, thereby lowering support costs.
    >
    > Paul
    >
    > -----Original Message-----
    > From: Jason [mailto:security@brvenik.com]
    > Sent: Wednesday, September 15, 2004 3:47 PM
    > To: Scott Wimer
    > Cc: Daniel; focus-ids@securityfocus.com
    > Subject: Re: IPS, alternative solutions
    >
    >
    > I've heard of no medium+ sized business that is considering deploying
    > inline technology on the internals of the network in a sufficiently
    > pervasive manner that there would be any measurable benefit from the
    > technology over patching and asset management.
    >
    > I would be seriously interested in an ROI that can demonstrate savings.
    >
    > The simple question is how is inline packet scrubbing easier and more
    > cost effective than patching?
    >
    > Scott Wimer wrote:
    >
    >
    >>Daniel,
    >>
    >>I agree with your assessment. What I have encountered in the
    >>financial sector though is a desire to have the packets "scrubbed"
    >>before they reach the servers. People _want_ to deploy network based
    >>IPS tools because it is easier and more cost effective. That it
    >>doesn't seem to be possible yet is another story altogether.
    >>
    >>Regards, Scott Wimer
    >>
    >>On Tue, 2004-09-14 at 06:01, Daniel wrote:
    >>
    >>
    >>>So far there has been a load of talk discussing which is the better
    >>>technology. Personally I don't think IPS is ready for the big time.
    >>>Yeah it's great for small mum and dad networks, but for large
    >>>financial networks with billions of pounds flowing across them, would
    >>>you trust a technology to think and block what it sees as bad
    >>>traffic?
    >>>
    >>>So what are the alternatives? I'd say more host based protection such
    >>>as:
    >>>
    >>>- Stack protection
    >>>- Application level firewalls (ModSecurity/SecureIIS)
    >>>- Host based firewalls
    >>>
    >>>I'm interested to see what everyone else feels are alternatives to
    >>>IPS
    >>>
    >>>

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------
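Samuel's remark, quoted above, that "encoders" let commonly detected exploits slip past signature-based IDS/IPS is easy to reproduce in miniature. The following is an added example written for this archive page, not code from anyone in the thread. The payload bytes and the "signature" are constructed placeholders (a marker string, not a real exploit), and the sensor is a naive byte-substring matcher; the brute-force decoder at the end stands in for the "verify encoded exploit packets" capability Samuel mentions and is my assumption about how such a check could work, not a description of any product.

```python
"""Why a byte-signature sensor misses an encoded copy of a payload it
detects in plaintext, and what it costs to get the detection back.

Added example, not part of the original Focus-IDS thread. SIGNATURE and
PLAIN_PAYLOAD are constructed stand-ins, not real exploit bytes.
"""
from __future__ import annotations

# Constructed signature: the distinctive byte run a signature rule is
# assumed to look for in the plaintext payload.
SIGNATURE = b"/bin/sh\x00"

# Constructed plaintext payload that contains the signature.
PLAIN_PAYLOAD = b"\x90" * 16 + b"AAAA" + SIGNATURE + b"\x41\x42\x43\x44"


def signature_matches(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive content rule: fire if the signature bytes occur anywhere."""
    return signature in data


def xor_encode(payload: bytes, key: int) -> bytes:
    """Single-byte XOR encoder: the bytes on the wire differ from the
    plaintext, so a plaintext signature no longer occurs in them."""
    return bytes(b ^ key for b in payload)


def xor_decode(encoded: bytes, key: int) -> bytes:
    """XOR is its own inverse; the receiving side recovers the plaintext."""
    return bytes(b ^ key for b in encoded)


def pick_key(payload: bytes, signature: bytes = SIGNATURE) -> int:
    """Choose the smallest key whose encoding hides the signature.

    Key 0x00 is excluded because it leaves the payload unchanged; a real
    encoder would also avoid keys that collide with protocol-sensitive bytes.
    """
    for key in range(1, 256):
        if not signature_matches(xor_encode(payload, key), signature):
            return key
    raise ValueError("no usable single-byte key")


def detect_with_decoder_emulation(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Sensor that also tries every single-byte XOR key before giving up.

    This recovers the match, but at 255 extra passes per packet, and only
    for this one trivial encoder family: a multi-byte or alphanumeric
    encoder makes the key space far too large to brute-force inline.
    """
    if signature_matches(data, signature):
        return True
    return any(
        signature_matches(xor_decode(data, key), signature) for key in range(1, 256)
    )


def demo() -> dict[str, bool]:
    """Run the three checks and return their outcomes by name."""
    key = pick_key(PLAIN_PAYLOAD)
    on_the_wire = xor_encode(PLAIN_PAYLOAD, key)
    return {
        "plaintext_detected": signature_matches(PLAIN_PAYLOAD),
        "encoded_detected": signature_matches(on_the_wire),
        "encoded_detected_with_emulation": detect_with_decoder_emulation(on_the_wire),
        "decodes_back_to_plaintext": xor_decode(on_the_wire, key) == PLAIN_PAYLOAD,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The asymmetry the thread is arguing about is visible in the two detection functions: the attacker pays one XOR pass, the sensor pays a 255-way search per packet to undo it, and that is for the weakest encoder imaginable. This is why the host-based alternatives Daniel lists (stack protection, application-level filtering at the point of decode) are raised in the thread, since they see the payload after it has been decoded, where the encoding no longer helps the attacker.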

