RE: need your help about IPS and IDS,thanks

From: Julius Detritus (julius.detritus_at_ifrance.com)
Date: 11/18/04

  • Next message: Chris Petersen: "RE: need your help about IPS and IDS,thanks"
    To: <focus-ids@securityfocus.com>
    Date: Thu, 18 Nov 2004 11:06:57 +0100
    
    

    Hi,

    We run a SOC with IPSes. They are a lot more feature available on IPSes than
    just blocking offending packets.

    First IPSes can provide bandwidth management:
    1. If you get flooded with legitimate traffic (DDoS like attacks), you can
    isolate the attack on one type of traffic (let's say HTTP) while other
    applications' traffic remains unaffected. (It may be needed though to have
    it at your ISP POP)
    2. You can enforce security policy by limiting some kind of traffic, such as
    P2P.
    3. If some traffic looks suspicious (large volume of weird packets that can
    cause a DoS at high bandwidth), you can mitigate the attack without taking
    the risk of killing legitimate application traffic (it will just be slower)

    Second with an updated list of attack signatures you can get more time for
    patch management. I explain.

    Real IPSes are dedicated hardware designed to handle huge amount of traffic
    (multiple Gbps for the one we use here). It means that they can handle the
    load of internal networks. Then if the vendor provides like a "most recent"
    attack signatures group, your server (and even workstations) will remain
    safe for the time you patch them. It means more time to perform stability
    tests on servers and to have patches or anti-virus updates applied by users
    on their workstations.

    Third, as IPSes are inline, they can apply security mechanism in the place
    of the server you want to protect. As an example, SYNFloods can be
    successfully mitigated by the use of SYN Cookies. However not all OS support
    this feature and it would be very bad time to have it set on each and every
    server.

    And so on...

    It is true that IPSes are in the middle of a marketing storm where
    traditional firewall and IDS vendors try to protect their market shares.
    Also the snort-inline syndrome adds a lot of confusion. But snort-inline has
    been designed for Honeypots, not Corporate or Telco security.

    My 0.02$

    Julius

    -----Message d'origine-----
    De : Andy Cuff [mailto:lists@securitywizardry.com]
    Envoyé : mercredi 17 novembre 2004 07:39
    À : 'Lily'; focus-ids@securityfocus.com
    Objet : RE: need your help about IPS and IDS,thanks

    Lily,
    The main difference in my opinion is that IPS are inline and can therefore
    block more effectively and IDS aren't in line and monitor traffic on a
    segment or switch. Are you wondering about the difference between IPS/IDS
    and Attack Mitigation Systems?

       Regards
       -andy cuff
    The Talisker Network Security Portal
    http://securitywizardry.com
    Computer Network Defence Ltd
    -----Original Message-----
    From: Lily [mailto:xiaoche111@hotmail.com]
    Sent: 13 November 2004 14:53
    To: focus-ids@securityfocus.com
    Subject: need your help about IPS and IDS,thanks

    hi,all
    I have some questions to ask which must be simple to you I think.
    1.IPS must build normal model while IDS can use the abnormal model(misuse
    detection)?If it is what's the difference between the IDS's anomaly
    detection and IPS?
    2.Has someone formally use the data mining technology in the IPS?
    3.Besides the DoS and buffer overflow etc,has any other way be used in IPS
    just like the users behaviour analysis?
    4.Why someone said IPS can not log the trace of the attacks while IDS can
    do?I think IPS can do it easily.Maybe because IPS is in-line and log the
    trace needing many time?
    So depressed with the IDS/IPS and my thesis is flying in the sky:(
    Thank you in advance.

    Lily

    ---
    Incoming mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004
     
    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004
     
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Chris Petersen: "RE: need your help about IPS and IDS,thanks"