RE: IDS\IPS that can handle one Gig

From: Andrew Plato
Date: 06/01/05

    Date: Wed, 1 Jun 2005 09:11:56 -0700

    > Another option, and one that many organizations are beginning to
    > is to forget the current, "fashionable" notions of IPS and return
    > to basics -- to focus more closely on vulnerability and information
    > management. I believe that if you have a comprehensive, continuous
    > and meaningful flow of information about the environment and an
    > effective vulnerability remediation program, the need for IPS
    > appliances and agents (band-aids) can be reduced dramatically.

    I hear this every now and then from security people, and I think this is
    an attitude borne out of lack of experience with IPS.

    I have yet to see an environment (and I am a consultant so I see
    hundreds per year) where there is an effective patch and vulnerability
    management that can keep pace with the exploits in the wild. Quite
    simply, it is impossible to think you can keep a large enterprise
    continuously patched and therefore resistant to the latest

    On average, it can take 20 to 30 days for an organization to roll out a
    single Microsoft Windows patch. That includes testing, troubleshooting,
    and deployment. In 30 days, your environment could be crawling with all
    sorts of filth thanks to unpatched machines.

    Furthermore, if you look at the timeline of when a vulnerability is
    "discovered", then when an exploit hits the streets - that time can be
    days, even hours. In that case, it's still weeks before MS or anybody
    releases a patch, and then even more time before you could patch all
    your machines. In this case, even under a reasonable, well-controlled
    situation most organizations are three to six weeks out from patching
    systems when an exploit is released. That is a ridiculously long period
    of time. A period where that environment could become infested.

    Furthermore, a "comprehensive, continuous and meaningful flow of
    information about the environment" means eyeballs. Somebody needs to be
    watching that meaningful flow of information. And while highly trained
    security engineers are an important part of a security team - they won't
    work 24 hours a day. People are the most important part of information
    security, but technology works longer hours.

    People also make mistakes and miss things. It's insane to think a
    security admin or a network admin has the time or concentration to sift
    through mountains of data everyday. Nobody will do that job for long -
    or do it well.

    Now, with a good IPS deployment, I can load up a signature update
    (hopefully released BEFORE the exploit hit the streets), and now my
    entire network is secure from the new exploit. I go home and rest easy.
    If I have host-IPS I can update all my workstations too. Now, my patch
    management team has time to roll out patches in a more controlled and
    logical manner. They are not dashing around at 4AM trying to put out

    IPS gives people control over their environment. And well-run IT
    departments have control over their equipment. They're not constantly
    flailing around or giving themselves impossible tasks.

    That much said, I agree that IPS is sometimes given unrealistic
    expectations. For this, I point the finger squarely at the legions of
    Blackberry pecking vendor reps and cell phone yacking volume resellers
    who say things like "If you're not using <insert technology here>,
    you're not secure!" (that's an actual line, from an actual ad I saw).
    These people could care less about security, they just want to sell
    something. So, they'll tell you anything you want to hear about an IPS.
    And they rely on the ignorance of IT departments to fall for marketing

    However, when you peel away the sales people, I sincerely do not think
    IPS is some "fashionable notion." It's a serious and effective way to
    proactively defend a network. I have seen the benefits.

    Andrew Plato, CISSP
    President/Principal Consultant

    3800 SW Cedar Hills Blvd, Suite 280
    Beaverton, OR 97005
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile

    GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
    GPG public key available at:

