RE: need your help about IPS and IDS,thanks

From: Julius Detritus (julius.detritus_at_ifrance.com)
Date: 11/18/04

  • Next message: Chris Petersen: "RE: need your help about IPS and IDS,thanks"
    To: <focus-ids@securityfocus.com>
    Date: Thu, 18 Nov 2004 11:06:57 +0100
    
    

    Hi,

    We run a SOC with IPSes. They are a lot more feature available on IPSes than
    just blocking offending packets.

    First IPSes can provide bandwidth management:
    1. If you get flooded with legitimate traffic (DDoS like attacks), you can
    isolate the attack on one type of traffic (let's say HTTP) while other
    applications' traffic remains unaffected. (It may be needed though to have
    it at your ISP POP)
    2. You can enforce security policy by limiting some kind of traffic, such as
    P2P.
    3. If some traffic looks suspicious (large volume of weird packets that can
    cause a DoS at high bandwidth), you can mitigate the attack without taking
    the risk of killing legitimate application traffic (it will just be slower)

    Second with an updated list of attack signatures you can get more time for
    patch management. I explain.

    Real IPSes are dedicated hardware designed to handle huge amount of traffic
    (multiple Gbps for the one we use here). It means that they can handle the
    load of internal networks. Then if the vendor provides like a "most recent"
    attack signatures group, your server (and even workstations) will remain
    safe for the time you patch them. It means more time to perform stability
    tests on servers and to have patches or anti-virus updates applied by users
    on their workstations.

    Third, as IPSes are inline, they can apply security mechanism in the place
    of the server you want to protect. As an example, SYNFloods can be
    successfully mitigated by the use of SYN Cookies. However not all OS support
    this feature and it would be very bad time to have it set on each and every
    server.

    And so on...

    It is true that IPSes are in the middle of a marketing storm where
    traditional firewall and IDS vendors try to protect their market shares.
    Also the snort-inline syndrome adds a lot of confusion. But snort-inline has
    been designed for Honeypots, not Corporate or Telco security.

    My 0.02$

    Julius

    -----Message d'origine-----
    De : Andy Cuff [mailto:lists@securitywizardry.com]
    Envoyé : mercredi 17 novembre 2004 07:39
    À : 'Lily'; focus-ids@securityfocus.com
    Objet : RE: need your help about IPS and IDS,thanks

    Lily,
    The main difference in my opinion is that IPS are inline and can therefore
    block more effectively and IDS aren't in line and monitor traffic on a
    segment or switch. Are you wondering about the difference between IPS/IDS
    and Attack Mitigation Systems?

       Regards
       -andy cuff
    The Talisker Network Security Portal
    http://securitywizardry.com
    Computer Network Defence Ltd
    -----Original Message-----
    From: Lily [mailto:xiaoche111@hotmail.com]
    Sent: 13 November 2004 14:53
    To: focus-ids@securityfocus.com
    Subject: need your help about IPS and IDS,thanks

    hi,all
    I have some questions to ask which must be simple to you I think.
    1.IPS must build normal model while IDS can use the abnormal model(misuse
    detection)?If it is what's the difference between the IDS's anomaly
    detection and IPS?
    2.Has someone formally use the data mining technology in the IPS?
    3.Besides the DoS and buffer overflow etc,has any other way be used in IPS
    just like the users behaviour analysis?
    4.Why someone said IPS can not log the trace of the attacks while IDS can
    do?I think IPS can do it easily.Maybe because IPS is in-line and log the
    trace needing many time?
    So depressed with the IDS/IPS and my thesis is flying in the sky:(
    Thank you in advance.

    Lily

    ---
    Incoming mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004
     
    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.797 / Virus Database: 541 - Release Date: 15/11/2004
     
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Chris Petersen: "RE: need your help about IPS and IDS,thanks"

    Relevant Pages

    • RE: interesting paper on testing sig-based IDS
      ... Is this tool available to the general public as I do a lot of IPS ... IDS they were before with many signatures disabled with 2 NIC's. ... > You may also be interested in Automatic Generation and Analysis of NIDS ... > A common way to elude a signature-based NIDS is to transform an attack ...
      (Focus-IDS)
    • RE: need your help about IPS and IDS,thanks
      ... I think of IPS as IDS with the ability to take action. ... Send TCP Reset (if killing TCP session and not sitting in-line) ... attack you are probably better off. ...
      (Focus-IDS)
    • RE: Firewalls (was Re: IDS evaluations procedures)
      ... It would be difficult to dub IPS as a better firewall as traditional and ... Layer 7 firewalls fall more into the category of the IDS/IPS solutions ... IDS solutions do tend to ... picture of a network under attack. ...
      (Focus-IDS)
    • Re: need your help about IPS and IDS,thanks
      ... 1.I see 'HIPS creates a baseline of normal activity' and 'NIPS to perform pattern-matching between what is known as an attack and the traffic that is traversing the network' in the Web of Vigilar. ... If the meaning of these two sentences is HIPS can only build the normal model to detect while NIPS can use the pattern matching as the IDS? ... If the 'IPS just knows its an attack which needs to be blocked/dropped/reset',what's the meaning of log the traffic?I think the logs is no meaning because of the integrity.These type logs can not distinguish any known attack. ...
      (Focus-IDS)
    • Re: IPS, alternative solutions
      ... they're populated with attack patterns (hopefully in advance of those ... so then why IPS? ... > information on screens and printers, including JPEG image files. ... > - Embedded in Word sent as a MIME encoded mail ...
      (Focus-IDS)