RE: IDS\IPS that can handle one Gig

From: Peter Schawacker (ps_at_tenablesecurity.com)
Date: 06/01/05

  • Next message: ADT: "Re: Value of IDS, ROI"
    To: "'Andrew Plato'" <andrew.plato@anitian.com>
    Date: Wed, 1 Jun 2005 10:41:04 -0700
    
    

    Hiya Andrew,

    I always enjoy reading your posts. Thanks for replying to mine. I've
    answered some of your comments inline below.

    I would be remiss if I were not to warn readers that (here comes the
    "full-disclosure" statement...) I used to pimp IPS and VM for a certain
    company and that I now pimp VM, SIM and related technologies for a different
    one.

    This is a really important conversation, the IPS/VM balance problem. Let's
    keep it going. Having worked with both, I for one would like to get more
    thoughts about the relationship between IPS and VM out on the table.

    Cheers,

    P

    -----Original Message-----
    From: Andrew Plato [mailto:andrew.plato@anitian.com]
    Sent: Wednesday, June 01, 2005 9:12 AM
    To: ps@tenablesecurity.com; focus-ids@securityfocus.com
    Subject: RE: IDS\IPS that can handle one Gig

     
    > Another option, and one that many organizations are beginning to
    > favor, is to forget the current, "fashionable" notions of IPS and return
    > to basics -- to focus more closely on vulnerability and information
    > management. I believe that if you have a comprehensive, continuous
    > and meaningful flow of information about the environment and an
    > effective vulnerability remediation program, the need for IPS
    > appliances and agents (band-aids) can be reduced dramatically.

    I hear this every now and then from security people, and I think this is
    an attitude borne out of lack of experience with IPS.

    PES>> Actually, it is an attitude borne out of entirely too much experience
    with IPS. (I won't go into detail on my experience, but you can google for
    me if you'd like.)

    I have yet to see an environment (and I am a consultant so I see
    hundreds per year) where there is an effective patch and vulnerability
    management that can keep pace with the exploits in the wild. Quite
    simply, it is impossible to think you can keep a large enterprise
    continuously patched and therefore resistant to the latest
    vulnerabilities.

    PES>> I have seen a few environments that have deployed patch and
    configuration management systems that are effective. I can't mention any by
    name, but they're amongst the top 100 of the Fortune500. Granted, they are
    the exception.

    On average, it can take 20 to 30 days for an organization to roll out a
    single Microsoft Windows patch. That includes testing, troubleshooting,
    and deployment. In 30 days, your environment could be crawling with all
    sorts of filth thanks to unpatched machines.

    PES>> Yes, on _average_ companies struggle mightily with patch roll-outs.
    But not all companies take 20-30 days. My point is that patch management
    can be done. Frankly, most IPS roll-outs fail also and for much the same
    reasons as patch/config management. IPS rules require testing, although
    folks tend not to bother, just as most don't bother testing patches and
    other changes. Let's also bear in mind that most shops don't test patches
    before deployment -- at least in any sort of formal way.

    PES>> The point of my last post, just to refine it a bit, is that the better
    your Vulnerability Management (including patch and configuration management)
    the less you need IPS. I suppose the converse is also true. I would
    qualify my point by saying that VM and IPS are far from perfect, which is
    why we ("we" being InfoSec practitioners) are constantly faced with weighing
    trade-offs between them.

    Furthermore, if you look at the timeline of when a vulnerability is
    "discovered", then when an exploit hits the streets - that time can be
    days, even hours. In that case, it's still weeks before MS or anybody
    releases a patch, and then even more time before you could patch all
    your machines. In this case, even under a reasonable, well-controlled
    situation, most organizations are three to six weeks out from patching
    systems when an exploit is released. That is a ridiculously long period
    of time. A period where that environment could become infested.

    PES>> Yep, the zero-day threat is real, but it's not the whole problem.
    NIPS is but one arrow in the quiver and it has its own virtues and defects.

    Furthermore, a "comprehensive, continuous and meaningful flow of
    information about the environment" means eyeballs. Somebody needs to be
    watching that meaningful flow of information. And while highly trained
    security engineers are an important part of a security team - they won't
    work 24 hours a day. People are the most important part of information
    security, but technology works longer hours.

    PES>> Indeed, most security information management and VM systems are
    useless and expensive -- but not all... (I'll spare you the commercial.)

    People also make mistakes and miss things. It's insane to think a
    security admin or a network admin has the time or concentration to sift
    through mountains of data everyday. Nobody will do that job for long -
    or do it well.

    PES>> I couldn't agree more. Fortunately, there are ways to automate the
    sifting process.

    Now, with a good IPS deployment, I can load up a signature update
    (hopefully released BEFORE the exploit hit the streets), and now my
    entire network is secure from the new exploit. I go home and rest easy.
    If I have host-IPS I can update all my workstations too. Now, my patch
    management team has time to roll-out patches in a more controlled and
    logical manner. They are not dashing around at 4AM trying to put out
    fires.

    PES>> Agreed. We're talking about a healthy, well-balanced IPS/VM
    lifestyle.

    IPS gives people control over their environment. And well-run IT
    departments have control over their equipment. They're not constantly
    flailing around or giving themselves impossible tasks.

    PES>> I think you're overselling IPS here, but I've sold IPS too, so I get
    where you're coming from. The gist of what you're saying is largely true.

    That much said, I agree that IPS is sometimes given unrealistic
    expectations. For this, I point the finger squarely at the legions of
    Blackberry pecking vendor reps and cell phone yacking volume resellers
    who say things like "If you're not using <insert technology here>,
    you're not secure!" (that's an actual line, from an actual ad I saw).
    These people could care less about security, they just want to sell
    something. So, they'll tell you anything you want to hear about an IPS.
    And they rely on the ignorance of IT departments to fall for marketing
    BS.

    However, when you peel away the sales people, I sincerely do not think
    IPS is some "fashionable notion." It's a serious and effective way to
    proactively defend a network. I have seen the benefits.

    PES>> Don't cast aspersions on "fashionable notions"! :-) Just because an
    idea is overblown doesn't mean it's entirely bad. These days it's just not
    possible to sell any nascent technology, no matter how good it is, without
    declaring it a panacea. It's just the nature of the InfoSec Marketing Beast
    to which we are all in some way victims.

    ...

    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    ANITIAN ENTERPRISE SECURITY

    3800 SW Cedar Hills Blvd, Suite 280
    Beaverton, OR 97005
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________

    GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D
    GPG public key available at: http://www.anitian.com/corp/keys.htm
     

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------
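The thread above argues about balancing IPS against vulnerability management and mentions that "there are ways to automate the sifting process" without showing one. The script below is an added example written for this page, not code from either poster or from any vendor's product: it joins IDS alerts against the last vulnerability-scan results so that an alert which hits a host the scanner still reports as unpatched is ranked first, an alert against a host the scan shows as fixed is ranked last, and hosts the scanner has never seen or has not seen recently are flagged rather than silently trusted. Assumptions: alert lines follow the Snort "alert_fast" layout, the rule SID to CVE mapping comes from the rules' reference fields, a scan older than 14 days is treated as untrustworthy, and every host, alert, SID and CVE id is a constructed placeholder (the CVE ids are deliberately invalid, not real vulnerabilities).

```python
"""Rank IDS alerts by whether the targeted host is actually still vulnerable.

Added example: joins Snort-style "alert_fast" lines against a vulnerability
scanner's last results. All hosts, alerts, SIDs and CVE ids are constructed
placeholders; the CVE ids are intentionally not real ones.
"""
import re
from datetime import date

# Assumed triage policy: a scan older than this cannot prove a host is patched.
MAX_SCAN_AGE_DAYS = 14

# Constructed: last vulnerability-scan export. "cves" = findings still open.
VULN_INVENTORY = {
    "10.1.2.7": {"cves": {"CVE-0000-0001", "CVE-0000-0002"}, "scanned": date(2005, 5, 30)},
    "10.1.2.8": {"cves": set(),                              "scanned": date(2005, 5, 30)},
    "10.1.2.9": {"cves": {"CVE-0000-0001"},                  "scanned": date(2005, 4, 1)},
}

# Assumed: rule SID -> CVE taken from each rule's "reference:cve,..." field.
SID_TO_CVE = {1000001: "CVE-0000-0001", 1000002: "CVE-0000-0002", 1000003: "CVE-0000-0003"}

# Constructed alert lines in Snort alert_fast layout (hypothetical local rules).
SAMPLE_ALERTS = """\
06/01-10:41:04.000001  [**] [1:1000001:1] EXAMPLE exploit attempt A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4321 -> 10.1.2.7:445
06/01-10:41:05.000002  [**] [1:1000001:1] EXAMPLE exploit attempt A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4322 -> 10.1.2.8:445
06/01-10:41:06.000003  [**] [1:1000002:1] EXAMPLE exploit attempt B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.11:5555 -> 10.1.2.9:80
06/01-10:41:07.000004  [**] [1:1000003:1] EXAMPLE exploit attempt C [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 192.0.2.12:6666 -> 10.1.2.20:80
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Lower rank = analyst looks at it first.
RANK = {"vulnerable": 0, "unknown-host": 1, "stale-scan": 2, "no-cve-mapping": 3, "patched": 4}


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict; return None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def classify(alert, inventory=VULN_INVENTORY, sid_to_cve=SID_TO_CVE, today=date(2005, 6, 1)):
    """Decide what the vulnerability data says about the alert's destination host."""
    cve = sid_to_cve.get(alert["sid"])
    host = inventory.get(alert["dst"])
    if host is None:
        return "unknown-host"      # no scan coverage: VM data cannot vouch for it
    if (today - host["scanned"]).days > MAX_SCAN_AGE_DAYS:
        return "stale-scan"        # a "patched" verdict this old is not trustworthy
    if cve is None:
        return "no-cve-mapping"    # rule carries no CVE reference, nothing to join on
    return "vulnerable" if cve in host["cves"] else "patched"


def triage(alert_text, **kw):
    """Parse, classify and rank alert lines, most urgent first."""
    rows = []
    for line in alert_text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue               # skip unparseable lines rather than crash
        a["verdict"] = classify(a, **kw)
        a["cve"] = kw.get("sid_to_cve", SID_TO_CVE).get(a["sid"])
        rows.append(a)
    rows.sort(key=lambda r: (RANK[r["verdict"]], r["ts"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f'{r["verdict"]:<15} sid={r["sid"]} {r["src"]} -> {r["dst"]}:{r["dport"]} {r["cve"]}')
```

Run against the constructed data, the alert against 10.1.2.7 (still carrying the placeholder CVE) comes out first, the one against the never-scanned 10.1.2.20 second, the one against 10.1.2.9 (scan two months old) third, and the one against the patched 10.1.2.8 last. The two "cannot tell" verdicts are the point: the scan data only buys down-ranking where it is fresh and covers the host, which is exactly the coverage gap the IPS is still needed for.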

