RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

From: Gary Halleen (ghalleen) (ghalleen_at_cisco.com)
Date: 10/20/05

    Date: Wed, 19 Oct 2005 22:00:03 -0700
    To: <focus-ids@securityfocus.com>
    
    

    Tom,
     
    Cisco IPS is not simply an inline IDS. Yes, it utilizes signatures to
    identify attacks. In addition, though, it performs these actions, all
    of which are features of an IPS:

    1. Traffic Normalization
    2. Anomaly Detection
    3. Stateful Inspection
    4. Protocol Compliance
    5. Denial-of-Service (DoS) Protection

    Our IPS was tested by NSS in their most recent testing, and the results,
    which were quite good, are publicly available. You can access the
    report at http://www.nss.co.uk/ips/edition3/index.htm
     
    I don't believe a network-based IPS exists yet that can truly provide
    zero-day, or zero-hour, worm protection all by itself. Utilizing
    capabilities like netflow, perhaps a product can identify when a worm
    may have infected, or is trying to infect, your network, but stop it?
     
    We have a long-term agreement with Trend Micro, and provide very fast
    protection against worms. Our IPS products (appliances, blades, and IOS
    routing software) are now able to have anti-worm and anti-virus
    signatures applied automatically within minutes of a new worm or virus
    being discovered in the wild. Many people call this fast response to a
    worm or virus "zero-day", but in my opinion this is simply fast response
    to threats. True zero-day protection implies that no updates are needed
    at all to provide the protection, because protection occurs immediately.
    Our true, zero-day protection is host-based with Cisco Security Agent
    (CSA).
     
    CSA is behavior-based, and does not utilize signatures at all. It is
    able to protect hosts from all types of attacks by defining what is
    considered good and bad. The base protections are predefined in the
    product, but can obviously be modified all you like.
     
    No single network device can ever provide 100% protection, regardless of
    what a vendor may have told you. They can strive to provide near-100%,
    but real protection must be applied in layers, with each successive
    layer enhancing the protection provided by the other layers. This is
    what our SAFE blueprint discusses.
     
    You mention stateful firewalling as a feature of an IPS, but I disagree
    with this assumption. Stateful inspection of traffic is certainly a
    feature, but not stateful firewalling, which implies all other features
    of a firewall product, like network address translation and VPN.
    Additionally, there is a big difference in the default policies deployed
    on an IPS versus a firewall. The default policy on an IPS is "Permit
    all traffic except that which is malicious or explicitly defined." The
    default policy on a firewall is "Permit only traffic which is defined,
    and deny all other traffic." Proof of this difference in default
    policies can be seen by simply looking at the perceived need for
    software/hardware failure protection on IPS products. Have you ever
    heard a customer say "Hey Mr. Vendor, I want to make sure that if my
    firewall fails, all traffic will pass unfiltered to the servers sitting
    behind it." However, this type of statement is common when they deploy
    IPS.
     
    For customers who desire IPS combined with stateful firewalling, we've
    introduced our ASA-5500-series appliances. With these products, you
    combine best-of-breed firewall and IPS products in an easy-to-use
    chassis. You have very granular control over which traffic is
    firewalled, and which traffic is also sent to the IPS. You are also
    able to choose whether the specified traffic is inspected inline or
    passively, and you can combine both methods for different types of
    traffic.
     
    Gary
     
     
     
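An added illustration, not code from this thread or from any vendor's product: a toy Python filter that models the two default policies contrasted above (permit all except known-malicious traffic, versus permit only what is explicitly defined) together with the SYN-to-FIN connection table described further down the thread. The addresses, ports and the byte-pattern "signature" are constructed samples; a real device tracks both directions and far more state.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; dport: int   # one direction only: client -> server
    flags: str                       # subset of "SAFR": SYN, ACK, FIN, RST
    payload: bytes = b""

@dataclass
class Filter:
    default_permit: bool                     # True: IPS default; False: firewall default
    allowed_ports: frozenset = frozenset()   # firewall-style "defined" traffic
    signatures: tuple = ()                   # IPS-style known-malicious byte patterns
    flows: set = field(default_factory=set)  # connection table: flows whose SYN was permitted

    def _policy(self, p: Packet) -> str:
        if self.default_permit:              # permit all except what matches a signature
            hit = any(sig in p.payload for sig in self.signatures)
            return "drop:signature" if hit else "permit"
        return "permit" if p.dport in self.allowed_ports else "drop:policy"

    def verdict(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        if "S" in p.flags:                   # SYN opens a flow only if policy permits it
            v = self._policy(p)
            if v == "permit":
                self.flows.add(key)
            return v
        if key not in self.flows:            # no SYN seen: out-of-state packet
            return "drop:no-state"
        v = self._policy(p)
        if v != "permit" or "F" in p.flags or "R" in p.flags:
            self.flows.discard(key)          # FIN/RST (or a drop) closes the flow
        return v

# Constructed sample stream: a clean flow to 443, a flow to 8080 whose third
# packet carries a toy "signature", then a stray ACK that never sent a SYN.
C, S = "10.0.0.1", "10.0.0.2"
STREAM = [Packet(C, S, 443, "S"), Packet(C, S, 443, "A", b"GET /"), Packet(C, S, 443, "FA"),
          Packet(C, S, 8080, "S"), Packet(C, S, 8080, "A", b"ok"),
          Packet(C, S, 8080, "A", b"TOY-SIG"), Packet(C, S, 8080, "A", b"more"),
          Packet("10.0.0.9", S, 443, "A", b"stray")]

def ips_verdicts():       # IPS: permit by default, drop only on a signature match
    f = Filter(default_permit=True, signatures=(b"TOY-SIG",))
    return [f.verdict(p) for p in STREAM]

def firewall_verdicts():  # firewall: deny by default, only port 443 is defined
    f = Filter(default_permit=False, allowed_ports=frozenset({443}))
    return [f.verdict(p) for p in STREAM]
```

The same stream gets different verdicts under the two defaults, and in both modes a packet with no SYN on record is dropped on state alone, which is the property an offline sensor cannot enforce.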

    ________________________________

    From: Tom Hamlin [mailto:finacksyn@yahoo.co.uk]
    Sent: Wednesday, October 19, 2005 4:45 AM
    To: Gary Halleen (ghalleen); Tim Holman; Jonathan Gauntt;
    focus-ids@securityfocus.com
    Subject: RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor

    Since when has an inline IDS become an IPS, or am I missing something?
    IDS vendors are really confusing the market by using IPS terminology.
    An inline IDS does partially fulfil the definition of an IPS, by using
    signatures to protect against known exploits, but what about all the
    other stuff an IPS does, like:
     
    1. Anomaly detection / protocol validation
    2. DOS protection
    3. Stateful firewall
     
    An IPS is a xth generation firewall, and not a 2nd generation IDS. An
    IDS only solves part of the problem that a network IPS is trying to
    address.
    I know this is all marketing speak, but it's confusing the technical
    community here, and decent IPS products are being thrown into the same
    bin as inline-IDS 'IPSes' and being discarded as stillborn technology,
    when they're clearly not.
    My company suffered severe downtime having deployed an inline IDS that
    was touted to provide zero-day protection against the worm that got
    straight through it. The Security Manager lost his job for putting his
    complete faith in a market-leading IDS vendor who told him that their
    latest and greatest solution would defend against such things.
    We have since re-evaluated our security infrastructure, and put things
    in their correct places. The IDS is on the inside, in passive mode,
    whereas the IPS is outside the firewall, ensuring the entire network is
    protected.
    Although it's OK to put an IDS inline, don't expect it to offer 100%
    protection, and at least complement the IDS with dedicated upstream IPS
    technology.
     
    Matthew
     
     

    "Gary Halleen (ghalleen)" <ghalleen@cisco.com> wrote:

            The IDS-4250, with 5.0 or later code on it, will function as
            either an IDS, or an IPS, or both.
            
            Multiple Cisco 4200-series sensors can be clustered through
            etherchannel load-balancing to scale throughput, as well as
            provide failure protection, if your needs change. This is
            available both in passive mode (IDS) and inline modes (IPS).
            
            Gary
            
            
            -----Original Message-----
            From: Tim Holman [mailto:tim_holman@hotmail.com]
            Sent: Thursday, October 13, 2005 4:32 AM
            To: Jonathan Gauntt; focus-ids@securityfocus.com
            Subject: Re: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
            
            Hi Jonathan,
            
            Wouldn't you rather block bad traffic, rather than detect it?
            Most companies are moving away from IDS as a protection mechanism,
            because:
            
            1) It only detects, and doesn't effectively block intrusions
            2) Problems with false positives, as by using pattern matching
            signatures, there is always a chance that these patterns also
            appear in valid traffic
            3) Management overheads. An IDS can only be a reasonably effective
            prevention method if there is someone on hand 24/7 to monitor logs
            and take immediate action on intrusions. Even then, the intrusion
            has got in, as admins very rarely use the active blocking features
            of an IDS (namely sending RST packets to kill connections, or
            modifying upstream ACLs), as these are too likely to have an effect
            on valid traffic
            4) There is absolutely no protection for rate-based attacks (SYN,
            TCP, UDP floods)
            5) Without maintaining a L3/4 connection/state table, there is no
            way an IDS can be truly stateful. 100% statefulness means that
            everything from the initial SYN to the final RST/FIN packet of a
            connection is stored in a connection table. This requires the
            device to be INLINE, and operating at L3. This is the only way a
            protection device can provide effective defence against L3 attacks.
            An offline IDS cannot do this.
            
            I would recommend looking at IPS products instead, so something
            that you can position inline and get immediate value from.
            If you feel the Cisco IDS is getting a little tired, then an IPS
            will also help take the load off it, by getting rid of Internet
            white noise, providing additional firewall filtering, and also
            defence against rate-based attacks.
            A true IPS will focus on defining what is GOOD traffic, and
            assuming all else is BAD (and dropping it). By doing this, zero-day
            attacks can virtually be eliminated, as they all ultimately rely on
            abuse of a valid protocol in the hope of slipping past your
            protection mechanisms and onto your network.
            This works quite well in conjunction with an IDS, that focuses on
            searching traffic for badness.
            Replacing like for like (IDS for IDS) is not going to give you much
            value, and even the market analysts are recommending against it.
            IDS isn't dead. Far from it, but use it for what it's good for -
            DETECTION and FORENSICS, and not as a device that can insure your
            network against rate-based and zero-day attacks.
            
            Regards,
            
            Tim
            
            
            
            ----- Original Message -----
            From: "Jonathan Gauntt"
            To:
            Sent: Wednesday, October 12, 2005 5:57 PM
            Subject: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor
            
            
    > Hi,
    >
    > We are currently running a Cisco IDS 4250 that monitors our internal
    > traffic. We essentially use this device for historical reporting because
    > we are a medical oriented facility with at least 100 3rd party
    > connections to us besides the 8000 employees.
    >
    > I am considering upgrading the Cisco IDS 4250 to the XL to handle higher
    > throughput but have been evaluating the Sourcefire IS300 and their RNA
    > sensor.
    >
    > I have the ability to purchase the Sourcefire unit or upgrade the 4250.
    >
    > Sourcefire claims that they are superior with stateful IDS inspection
    > and an overall better product.
    >
    > Does anyone have any thoughts on these two products? I have about $100k
    > in my budget to spend.
    >
    > Thanks,
    >
    > Jonathan
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------


