Firewalls (was Re: IDS evaluations procedures)

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/17/05

    Date: Sun, 17 Jul 2005 23:30:39 +0530
    To: focus-ids@securityfocus.com
    
    

    On 16/07/05 07:29 -0400, Nathan Davidson wrote:
    > Hi Adam,
    >
    > I am sure Tim can answer this one very well, but over the last 12 months
    > I have spent a lot of time working with IPS in an IDS orientated company.
    > So I thought I'd share my experiences.
    >
    > When we deploy an in-line IPS solution we define a number of parameters
    > in the policy that should be present in ALL valid requests (White-listing).
    > I use this to filter out all traffic that I know must be malicious. From

    Isn't _all_ traffic supposed to be malicious unless proven safe?

    > my experience this is up to 95% of worm/scan traffic. We then apply IDS
    > style signatures based on known attack vectors (Black-listing) but only
    > on the remaining 5% of traffic. Thus we should have up to 95% less false
    > positives (and generally we do). Additional benefits can be gained by
    > dropping all subsequent packets from an abusing source IP address.
    >
    > An example would be to use an IPS to force all HTTP requests to have the
    > host header www.xyz.com (your site's URL); this will stop a significant
    > proportion of HTTP noise before signature matching.

    Ugh! xyz.com is a legitimate domain. Please use example.com when giving
    examples (or example.net or example.org).

    >
    > Conversely with IDS you just don't have the ability to white list
    > traffic in this way, I guess you could RST any request that didn't
    > match the URL but I think fragmented buffer overflows and the like
    > could sneak through - so it's risky.

    An IDS is not an attack prevention mechanism. An IDS is a tool to detect
    when your active attack detection mechanisms have been bypassed. An IDS is
    passive. It tells you what it can see, but it is not supposed to do
    anything to that traffic. Active elements are called firewalls, and
    firewalls include both packet filters and proxies.

    >
    > As you alluded to, the IPS signatures tend to be less aggressive than
    > those on the IDS which I think reflects the much higher penalty of
    > false positives on an in-line blocking device. For this reason I do
    > still deploy NIDS/HIDS on the inside to collect forensic data, with
    > the added benefit of having a second manufacturer's signatures.
    >
    > Internet
    >    |
    >   IPS
    >    |
    > Firewall
    >    |
    >    |
    > Switch === NIDS
    >    |
    >    |
    >  HIDS
    > Server
    >

    Internet ===> Packet filter ===> proxy ===> Switch ===> Hardened server
                        |              |          |              |
                        |              |        NIDS       Log analyser
                        |              |          |              |
                        |--------------|----------|--------------|--------- Reporting
                                                                              tool

    Slightly better architecture.

    Devdas Bhagat
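As an added illustration (not code from either poster), the two-stage flow Nathan describes, a Host-header white-list followed by IDS-style signatures on whatever survives, run over a handful of constructed HTTP requests; the host names, the sample requests and the two signatures are all made up for the example, with example.com used as Devdas asks.

```python
import re

# Constructed sample HTTP requests (not captured traffic); one request per string.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /cgi/..%2f..%2fprivate.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /default.ida?probe HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",  # scanner hits the bare IP
    "GET / HTTP/1.1\r\nHost: www.xyz.invalid\r\n\r\n",                 # wrong virtual host
    "GET /cgi/test HTTP/1.1\r\n\r\n",                                   # no Host header at all
]

# White-list: the parameter every valid request must carry (here, the Host header).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Black-list: illustrative IDS-style signatures, applied only to white-listed traffic.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\.(/|%2f)", re.IGNORECASE),
    "default.ida-probe": re.compile(r"/default\.ida", re.IGNORECASE),
}

def host_of(raw):
    """Extract the Host header value, or None when it is absent."""
    m = re.search(r"^Host:\s*([^\r\n]+)", raw, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip().lower() if m else None

def classify(requests, allowed_hosts=ALLOWED_HOSTS, signatures=SIGNATURES):
    """Stage 1 drops anything failing the white-list; stage 2 runs signatures
    on the remainder. Returns counts plus the signature hits."""
    result = {"whitelist_dropped": 0, "clean": 0, "hits": []}
    for raw in requests:
        if host_of(raw) not in allowed_hosts:
            result["whitelist_dropped"] += 1   # never reaches the signature stage
            continue
        request_line = raw.split("\r\n", 1)[0]
        matched = [name for name, rx in signatures.items() if rx.search(request_line)]
        if matched:
            result["hits"].append((request_line, matched))
        else:
            result["clean"] += 1
    # Share of traffic the signature engine never had to inspect.
    result["whitelist_share"] = result["whitelist_dropped"] / len(requests)
    return result

if __name__ == "__main__":
    print(classify(SAMPLE_REQUESTS))
```

Note that the default.ida probe is discarded by the Host check before any signature sees it, which is exactly why the signature stage then has fewer chances to raise a false positive.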


