Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

From: byte_jump (bytejump_at_gmail.com)
Date: Fri, 14 Oct 2005 15:05:28 -0600
To: Tim Holman <tim_holman@hotmail.com>

  • Next message: Frank Knobbe: "Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"

    On 10/13/05, Tim Holman <tim_holman@hotmail.com> wrote:
    > Hi Jonathan,
    >
    > Wouldn't you rather block bad traffic, rather than detect it?
    > Most companies are moving away from IDS as a protection mechanism, because:
    >
    > 1) It only detects, and doesn't effectively block intrusions
    > 2) Problems with false positives, as by using pattern matching signatures,
    > there is always a chance that these patterns also appear in valid traffic

    Problems with false positives are inherent in either system. An IPS is
    simply an inline IDS with signatures to match. In fact, I think IPS
    suffers the most in this regard. Every IPS I have seen touts its
    "0day" detection and prevention, but in reality is so neutered as to
    be nearly ineffective against anything other than Code Red. If we're
    going to talk false positives - and both systems have them - I'll take
    one that I can look through and sift out rather than one that gets the
    C-suite upset because it blocked some mission critical app, thus
    crying wolf and causing the C-suite to second-guess me and my budget.

    Reality is that, while IDS is "dead", IPS is a eunuch.

    > 3) Management overheads. An IDS can only be a reasonably effective
    > prevention method if there is someone on hand 24/7 to monitor logs and take
    > immediate action on intrusions. Even then, the intrusion has got in, as
    > admins very rarely use the active blocking features of an IDS (namely
    > sending RST packets to kill connections, or modifying upstream ACLs), as
    > these are too likely to have an effect on valid traffic

    Again, baloney. What you claim is true if an IPS/IDS is your sole
    defense against intrusion. If I can't get host-based security in place
    and my network is so brittle that an attack bypassing my IPS is a
    successful one, I'll hang it up.

    If my IDS detects an attack against my Apache server, but doesn't
    block it, I'm not sweating it. My Apache server is running on OpenBSD
    or Gentoo with GRSEC/PaX, has mod_security installed, is in a chroot
    jail, has systrace policies, etc. I'm not too concerned about
    something that my IDS detects getting in. I'm more concerned about
    something that my IDS doesn't detect, and IPS suffers from the same
    problem - don't fool yourself.

    > 4) There is absolutely no protection for rate-based attacks (SYN, TCP, UDP
    > floods)

    Firewall.

    > 5) Without maintaining a L3/4 connection/state table, there is no way an
    > IDS can be truly stateful. 100% statefulness means that everything from the
    > initial SYN to the final RST/FIN packet of a connection is stored in a
    > connection table. This requires the device to be INLINE, and operating at
    > L3. This is the only way a protection device can provide effective defence
    > against L3 attacks. An offline IDS cannot do this.

    Yes, it can. NFR has been doing this for years.

    >
    > I would recommend looking at IPS products instead, so something that you can
    > position inline and get immediate value from.
    > If you feel the Cisco IDS is getting a little tired, then an IPS will also
    > help take the load off it, by getting rid of Internet white noise, providing
    > additional firewall filtering, and also defence against rate-based attacks.
    > A true IPS will focus on defining what is GOOD traffic, and assuming all
    > else is BAD (and dropping it). By doing this, zero-day attacks can be
    > virtually be eliminated, as they all ultimately rely on abuse of a valid
    > protocol in the hope of slipping past your protection mechanisms and onto
    > your network.
    > This works quite well in conjunction with an IDS, that focuses on searching
    > traffic for badness.
    > Replacing like for like (IDS for IDS) is not going to give you much value,
    > and even the market analysts are recommending against it.
    > IDS isn't dead. Far from it, but use it for what it's good for - DETECTION
    > and FORENSICS, and not as a device that can insure your network against
    > rate-based and zero-day attacks.
    >

    Firewalls, segmentation, and most importantly, host-based protections
    are much more effective here than IPS is. How's my fancy IPS going to
    detect that SQL injection attack against my SSL web server? Oh, that's
    right - it can't. What about custom encryption? What about CANVAS or
    Hydrogen (http://www.immunitysec.com/products-hydrogen.shtml)?
    Host-based protections are your only hope here.
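The connection table argued about in point 5 above, sketched as an added example (not code from this message or from any product named in the thread): a passive sensor keys each flow by its 4-tuple and walks it from the initial SYN through FIN or RST, which also lets it notice mid-stream data for which no handshake was ever observed. The packet trace and flag encoding are constructed for illustration; sequence numbers are not modelled.

```python
from dataclasses import dataclass
# Constructed packet trace (not a real capture): (src, sport, dst, dport, TCP flags)
# as a passive sensor on a SPAN port would see it; sequence numbers are not modelled.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.80", 80, "S"),    # client SYN
    ("10.0.0.80", 80, "10.0.0.5", 40001, "SA"),   # server SYN/ACK
    ("10.0.0.5", 40001, "10.0.0.80", 80, "A"),    # handshake done
    ("10.0.0.5", 40001, "10.0.0.80", 80, "PA"),   # request data
    ("10.0.0.5", 40001, "10.0.0.80", 80, "FA"),   # client FIN
    ("10.0.0.80", 80, "10.0.0.5", 40001, "FA"),   # server FIN
    ("10.0.0.5", 40001, "10.0.0.80", 80, "A"),    # final ACK
    ("10.0.0.9", 50000, "10.0.0.80", 80, "PA"),   # data with no SYN ever seen
    ("10.0.0.7", 41000, "10.0.0.80", 80, "S"),    # SYN to a closed port
    ("10.0.0.80", 80, "10.0.0.7", 41000, "R"),    # server RST
]

@dataclass
class Conn:
    state: str = "SYN_SENT"
    fins: int = 0        # one FIN per direction closes the flow
    packets: int = 0

def flow_key(src, sport, dst, dport):
    """Both directions of a connection map to the same table key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a < b else (b, a)

def track(packets):
    """Walk the trace; return (connection table, packets with no known flow)."""
    table, orphans = {}, []
    for src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        conn = table.get(key)
        if conn is None:
            if flags == "S":              # a flow starts only with a bare SYN
                table[key] = Conn(packets=1)
            else:                         # mid-stream data: worth an alert
                orphans.append((src, sport, dst, dport, flags))
            continue
        conn.packets += 1
        if "R" in flags:
            conn.state = "RESET"
        elif conn.state == "SYN_SENT" and flags == "SA":
            conn.state = "SYN_RECEIVED"
        elif conn.state == "SYN_RECEIVED" and "A" in flags:
            conn.state = "ESTABLISHED"
        elif "F" in flags and conn.state in ("ESTABLISHED", "FIN_WAIT"):
            conn.fins += 1
            conn.state = "FIN_WAIT" if conn.fins == 1 else "CLOSED"
    return table, orphans
```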

