RE: IDS vs. IPS deployment feedback

See my comments prefixed with >>>>>


Thanks,
Mike

-----Original Message-----
From: watsont [mailto:thomas.watson.b@xxxxxxxxx]
Sent: March 16, 2006 2:56 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: IDS vs. IPS deployment feedback


Here is my quandary:

In recent years there has been an increasing buzz that Intrusion
Detection is dead. We hear that the next, pardon the OLD cliche, 'killer
app' for security professionals to deploy in their network for
identifying and protecting against malicious attacks is IPS. I am by no
means an Intrusion Prevention bigot but I have a philosophical issue
with deploying a device that is fairly immature, in my mind, in line
with production traffic that, should it be interrupted for ANY reason,
might impact the businesses we work so hard to protect. I struggle with
putting my name on the list of phone numbers to call when the device I
deployed to protect the environment actually DOS's our customers (both
internal and external).

the detection part of the IPSes is a mature technology, it has its
roots into IDS products which have been on the market for some time. As
you correctly pointed out, what's lacking in the majority of the IPS-es
is the "network grade" quality required by an in-line device. Look at
the IPS sensor platforms. How many of them are Dell Intel based? Would
you put a Dell inline on your network core? I would not. Then, most
IPS-es lack network type features. For example, how easy is to find out,
directly in the IPS management server, at a glance, if a port is down or
up? Rather than hiring more DB developers, IPS vendors should hire more
network engineers. [Note: I am neither a network engineer, nor a DB
developer ;) ]


I fully understand the value in preventing traffic that we may know to
be malicious such as worms and the like but there are other mature
protection methods already available in products that are widely
deployed (modern
firewalls) which can proactively handle these types of issues. I think
we would be better suited to look at what firewalls can't do well yet
such as web application level protection but that is another topic
should you like to broach I'd be happy to discuss.......

Let's leave the firewalls to do what they are meant to do: access
control. Just a simple example: Firewalls should fail closed, correct?
How should an IPS fail? Unless your IPS defends highly critical networks
you would like to have the IPS fail open? But how can you fail open and
fail closed in the same time, on the same machine? Now you really will
DOS yourself if you fail close - and you have to fail close on such a
"combined" platform.


My second issue with IPS, at least the current incarnation of them, is
that they do a mediocre job of handling false positives which would lead
back to my initial concern of blocking valid traffic. Lets face it,
though they are getting better, most IPS vendors are providing a
solution that grew out of IDS type devices. It took several years and
much pain to develop, deploy and reliably tune devices that are able to
keep up with an ever increasing number of attacks and growth in
bandwidth. In my opinion IDS is by no means dead.

It's the IPS/IDS analyst who does the mediocre job here! Not the
IPS. The same thing with a firewall: a firewall is as good as its
inspection policy. The thing is that it is far more easier to figure out
a firewall policy than an IPS policy. It's a breeze for a network
engineer to set up a good firewall policy.
How many companies out there have their IDS installed just "to
comply"? How many have the in-house required expertise to get the
maximum out the information from an IDS/IPS? Some figured out that if
they do not have these skills in house maybe it's better to outsource
the IDS/IPS. Now, the problem is that these vendors will never be able
to figure out what you have on your network and they will end up
protecting your network only against generic risks.

IPS and IDS are not mutually exclusives.
.....


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: How to choose an IDS/FW MSS provider
    ... If you look past the appliance label you will find ... Any true IPS must be stateful and therefore cannot just simply forward ... A managed service from anyone when used as an IDS is great because you ... in any network. ...
    (Focus-IDS)
  • RE: Changes in IDS Companies?
    ... The IPS systems MUST be placed at the host. ... Subject: Changes in IDS Companies? ... >"intrusion prevention" which imo is 90% marketing, ... >organizations would trust an IDS alert to enforce network policy. ...
    (Focus-IDS)
  • RE: [fw-wiz] Sources for Extranet Designs?
    ... IDS is all goodness, but what to do with the output? ... that one also has to tweak the signatures there for optimal use on your network. ... IPS is fine, but it seems to me to simply be an evolution of the firewall as ... > for your business partner and let the traffic (for the minimum subset ...
    (Firewall-Wizards)
  • Re: Is IDS/IPS worthless?
    ... IPS seems to mean "firewalls with IDS built-in", but in this definition, I ... existing security architecture. ... >insight to what is happening on a network and provides critical data to ...
    (Focus-IDS)
  • Re: IPS, alternative solutions
    ... I have the impression that some of the alternatives to IPS you mentioned ... Parts of the market have matured (network ... implementations (in-line protocol decoding and blocking/active response ... an often deployed technology at this time is ...
    (Focus-IDS)
Quantcast