
IDS vs. IPS deployment feedback
Here is my quandary:
In recent years there has been an increasing buzz that Intrusion Detection is dead. We hear that the next, pardon the OLD cliche, 'killer app' for security professionals to deploy in their network for identifying and protecting against malicious attacks is IPS. I am by no means an Intrusion Prevention bigot but I have a philosophical issue with deploying a device that is fairly immature, in my mind, in line with production traffic that, should it be interrupted for ANY reason, might impact the businesses we work so hard to protect. I struggle with putting my name on the list of phone numbers to call when the device I deployed to protect the environment actually DOS's our customers (both internal and external).
I fully understand the value in preventing traffic that we may know to be malicious such as worms and the like but there are other mature protection methods already available in products that are widely deployed (modern firewalls) which can proactively handle these types of issues. I think we would be better suited to look at what firewalls can't do well yet such as web application level protection but that is another topic should you like to broach I'd be happy to discuss.......
My second issue with IPS, at least the current incarnation of them, is that they do a mediocre job of handling false positives which would lead back to my initial concern of blocking valid traffic. Let's face it, though they are getting better, most IPS vendors are providing a solution that grew out of IDS type devices. It took several years and much pain to develop, deploy and reliably tune devices that are able to keep up with an ever increasing number of attacks and growth in bandwidth. In my opinion IDS is by no means dead.
Should we march toward ACTIVE protection measures rather than REACTIVE ones to keep our networks safe? Absolutely! Are there products out today that can do this? Sure, but I do not have a level of comfort yet with any of them. Much of the rhetoric and push for deploying IPS devices that are available seems to come from Marketing and Sales people, not Security professionals. Which is why I am reaching out to you, your experiences and your thoughts surrounding this issue.
I will not be publishing this information or sharing it otherwise, it is purely personal and professional. I may be completely off base in my reasoning which I can accept and am willing to be convinced otherwise.
Thanks in advance for your time!
I look forward to hearing from you.
Tom - CISM, CISSP

RE: IDS vs. IPS deployment feedback
Thomas,
Totally agree with you, Intrusion Detection is not dead.
Have an IPS, but currently using it in the IDS mode, because I cannot
afford a DOS of my own making. In some environments ('static') an
IPS is a great benefit, but if you have a network that changes then it
is not a good choice.
In a 'static' environment, you still have to run it in an IDS mode to
see what your false positives are and make corrections before turning on
the IPS. Even then there will be cases where the IPS may not stop an
intrusion, so without an IDS "backing up" the IPS (false negatives are a
greater threat if you can identify all your false positives).
So no - Intrusion Detection is not dead and probably will not be for
a long time.
STEVEN T. CAREY
LCIRT-R
(256) 876-5811
Cell (256) 759-9767
-----Original Message-----
From: watsont [mailto: thomas.watson.b@...]
Sent: Thursday, March 16, 2006 1:56 PM
To: focus-ids@...
Subject: IDS vs. IPS deployment feedback
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
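The staged rollout Steven describes (run the IPS in detection-only mode against production traffic, measure the false positives, correct them, and only then turn on blocking) can be expressed as a small policy engine. The following is an added example written for this thread, not code from any of the posters or from any IPS product; the rule names, the traffic sample and the false-positive budget are constructed.

```python
"""Staged IPS rollout: every rule starts in DETECT mode and is promoted to
BLOCK only after a baseline window of known-good traffic shows that it
stays within its false-positive budget.

Added example for this thread; the rules, the traffic sample and the
threshold are constructed, not taken from any product or post."""
from dataclasses import dataclass
import re


@dataclass
class Rule:
    name: str
    pattern: re.Pattern          # constructed content signature
    mode: str = "detect"         # "detect" (alert only) or "block" (drop)
    baseline_hits: int = 0       # hits observed on traffic known to be benign


@dataclass
class Verdict:
    rule: str
    action: str                  # "alert" or "drop"


# Constructed signatures. The deliberately over-broad one shows why a rule
# must earn "block" before it is allowed to drop production traffic.
RULES = [
    Rule("WORM-PROBE", re.compile(r"GET /default\.ida\?X{50,}")),
    Rule("SQLI-UNION", re.compile(r"(?i)union\s+select")),
    Rule("OVERBROAD-ADMIN", re.compile(r"/admin")),   # also fires on the real admin UI
]


def evaluate(rules, payload):
    """Return one Verdict per matching rule; traffic is dropped only by rules in block mode."""
    verdicts = []
    for r in rules:
        if r.pattern.search(payload):
            verdicts.append(Verdict(r.name, "drop" if r.mode == "block" else "alert"))
    return verdicts


def baseline(rules, known_good):
    """IDS-mode phase: count how often each rule fires on traffic known to be benign.
    Every hit in this phase is, by construction, a false positive."""
    for r in rules:
        r.baseline_hits = sum(1 for p in known_good if r.pattern.search(p))
    return {r.name: r.baseline_hits for r in rules}


def promote(rules, max_false_positives=0):
    """Switch to block mode only those rules whose baseline false positives fit the budget."""
    promoted = []
    for r in rules:
        if r.baseline_hits <= max_false_positives:
            r.mode = "block"
            promoted.append(r.name)
    return promoted


# Constructed sample of benign production requests captured during the baseline window.
KNOWN_GOOD = [
    "GET /index.html HTTP/1.1",
    "GET /admin/dashboard HTTP/1.1",      # legitimate admin UI: trips OVERBROAD-ADMIN
    "POST /api/orders HTTP/1.1",
    "GET /admin/users?page=2 HTTP/1.1",
]


def run_demo():
    rules = [Rule(r.name, r.pattern) for r in RULES]   # fresh copies, all in detect mode
    fp = baseline(rules, KNOWN_GOOD)
    promoted = promote(rules)
    attack = "GET /default.ida?" + "X" * 60 + " HTTP/1.0"   # constructed worm probe
    benign_admin = "GET /admin/dashboard HTTP/1.1"
    return {
        "false_positives": fp,
        "promoted": promoted,
        "attack": [(v.rule, v.action) for v in evaluate(rules, attack)],
        "benign_admin": [(v.rule, v.action) for v in evaluate(rules, benign_admin)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The over-broad rule keeps alerting after promotion, so the analyst still sees it, but it never drops the admin UI; the clean rules become real blocks. Re-running the baseline after every rule update is the "tuning" both sides of the thread agree is unavoidable.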

Re: IDS vs. IPS deployment feedback
Hello,
On Thu, Mar 16, 2006 at 11:55:42AM -0800, watsont wrote:
>
> Here is my quandary:
>
> My second issue with IPS, at least the current incarnation of them, is that
> they do a mediocre job of handling false positives which would lead back to
> my initial concern of blocking valid traffic. Let's face it, though they are
I ran into problems like these (hopefully in
testing mode) so I agree, the "false positives" problem should be
considered carefully.
> number of attacks and growth in bandwidth. In my opinion IDS is by no means
> dead.
You're right; in fact, as the following sentence shows, we have two
solutions: running in "REACTIVE" or "ACTIVE" mode, and even if both of them give problems
we have to choose.
> Should we march toward ACTIVE protection measures rather than REACTIVE ones
> to keep our networks safe? Absolutely! Are there products out today that can
> do this? Sure, but I do not have a level of comfort yet with any of them.
With security in mind, definitely "ACTIVE" protection is better, but with
care: we can't afford the risk of doing something like a "DOS" to ourselves.
On the other side, "REACTIVE" may be considered less risky but we
can miss something. Not so easy to choose...
Best regards.

Re: IDS vs. IPS deployment feedback
I, to a degree, tend to sympathise with many CSOs/CTOs in our industry today. They have the tough job of managing complex information systems, added to that the responsibility of ensuring that these systems run seamlessly and without hindrance....however,
If we are to get ahead and stay ahead of the attack community we need to ensure that the most appropriate tools are employed to ensure every available asset is able to be utilised if and when required. So, although the IPS technologies available today are an evolution of IDS, which in itself is understandable, the maturity of the technology is IMHO irrelevant. What is important is that the technologists who deploy, manage and support these systems are sufficiently educated to do so, and understand the environment that the information systems operate in, so that when the inevitable attack occurs they are able to mitigate it.

RE: IDS vs. IPS deployment feedback
> Much of the rhetoric and push for deploying IPS devices that
> are available seems to come from Marketing and Sales people,
> not Security professionals. Which is why I am reaching out to
> you, your experiences and your thoughts surrounding this issue.
Well, I am a security professional, and I am very much sold on IPS. I
can answer some of your issues:
1. Immature Technology
IPS is far from immature. The first in-line IPS was BlackICE Guard. I
installed one of the first in late 1999. And all of the decent IPSs on
the market have roots in IDS, which is many years older. IPS is at least
7 years old and at best 10 or more. In technology terms, that's mature.
Consider anti-spam technologies. They basically did not exist in 1999.
Now, everybody has some kind of spam control. Is anti-spam a mature
technology?
2. False Positives
This is ultimately an issue of tuning. If you think you're going to drop
an IPS inline, slap some rules on it, and never touch it again - you
shouldn't be getting an IPS. A well tuned IPS can be pretty lean on
false positives. And frankly, what is worse - a few POSSIBLE disruptions
due to false positives, or getting hacked and 0wn3d and losing your
business?
Moreover, IPS can dramatically reduce the number of events that require
incident response. With an IPS, when you see a really nasty alert, you
can take note and move along, because you know the IPS blocked it. This
allows you the freedom to analyze more subtle attacks or problems.
Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
If you consider that almost every switch and router on the market has
plenty of DOS weaknesses, then an IPS really isn't much different. The
DOS fears also stem from the idea that somebody could feed your IPS
internal addresses and hence block normal traffic. Even with the most
rudimentary router ACLs you can ensure this never happens.
3. Firewalls
Firewalls are not IPSs. All the firewall vendors, especially the big
ones, are clamoring all over themselves to repaint themselves as
"security appliances." Even application firewalls, of which there are
few, rarely are good at true IPS functions.
The fact is, firewalls are good at one thing - access control. Detailed
protocol analysis and filtering is not what most firewalls were built to
do. And any firewall that has added this feature, has done so merely to
be competitive in the market. I cannot think of any firewalls that were
built from the ground up to be both a good firewall and a good IPS.
Firewalls should be left to do what firewalls do best - access control.
Leave the packet inspection to a dedicated system.
IDS Dead?
IDS may not be dead, but its value is diminishing. While there is a
place for IDS in some environments, I fail to see why anybody would get
a passive defense when active defenses can be deployed to function in a
passive manner. An active system that is deployed passively at least
gives you the option to switch to active mode later.
Moreover, the value of an IDS diminishes even more if you lack in-house
analytical capabilities. The unexamined IDS is not worth having, to
paraphrase good old Socrates.
These are, of course, my opinions. And naturally, I have a vested
interest in people buying more IPSs - because I sell them.
_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
-----Original Message-----
From: watsont [mailto: thomas.watson.b@...]
Sent: Thursday, March 16, 2006 11:56 AM
To: focus-ids@...
Subject: IDS vs. IPS deployment feedback

Re: RE: IDS vs. IPS deployment feedback
>>1. Immature Technology
>>
>>IPS is far from immature. (snip)
There's more to technology maturity than just time.
It must have been in use as well :)
And it hasn't really been used afaik on a larger scale for the last two years or so.
>>2. False Positives
>>This is ultimately an issue of tuning. (snip)
As far as I am concerned there isn't much difference between IDS and IPS in the number of false positives.
>>If you think you're going to drop an IPS inline, slap some rules on it, and never touch it again
>>- you shouldn't be getting an IPS. (snip)
Or an IDS for that matter...
>>And frankly, what is worse - a few POSSIBLE disruptions due to false positives, or getting
>>hacked and 0wn3d and losing your business.
I for one worry more about downtime than getting hacked. If I am well organised, patched and secured in depth, the possibility for getting
hacked is very low. A 'leet hacker would probably operate under an IPS/IDS detection range anyway.
>>With an IPS, when you see a really nasty alert, you can take note and move along, because you
>>know the IPS blocked it.
BEFORE you add a rule to your IPS/IDS you patch for the vulnerability it detects and/or make sure
it doesn't pass your firewall. Then you don't need any IPS to block it.
>>Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
By adding IPS, you open up for DoS attacks that were not there before. Why increase risk when you really do not have to? Imho it is IPS that is WAY overhyped :)
>>IDS Dead?
>>IDS may not be dead, but its value is diminishing.
IDS may be passive but a security analyst who knows his job is not. In fact by placing an IPS in your network you might even introduce a false sense of security into your organisation.
"Oh, I thought the IPS was supposed to block that"
>>The unexamined IDS is not worth having, to paraphrase good old Socrates.
But the unexamined IPS is ???!
>>These are, of course, my opinions. And naturally, I have a vested interest in people buying more IPSs - because I sell them.
I rest my case :)

Re: IDS vs. IPS deployment feedback
Andrew Plato wrote:
> IPS is far from immature. The first in-line IPS was BlackICE Guard. I
> installed one of the first in late 1999.
The first IDS paper dates in the 80s. Still, I would not say IDS, or
IPS, are a mature technology. It's not a point of being old - it's a
point of being EFFECTIVE.
> A well tuned IPS can be pretty lean on
> false positives.
Standard considerations apply, as for IDS.
> a few POSSIBLE disruptions
> due to false positives, or getting hacked and 0wn3d and losing your
> business.
You are implying that the likelihood of the IPS stopping a nasty attack
is way above the likelihood of false positives. This is exactly what
you're trying to prove ;)
> Firewalls are not IPSs.
I see less and less difference among the two.
> IDS may not be dead, but its value is diminishing.
IPS is just the reactive sort of IDS, so the debate on IDS vs. IPS is
not very interesting...
> Moreover, the value of an IDS diminishes even more if you lack in-house
> analytical capabilities.
If you don't have those capabilities, how are you going to set up an IPS,
exactly?
> These are, of course, my opinions. And naturally, I have a vested
> interest in people buying more IPSs - because I sell them.
I don't :)
Stefano

RE: IDS vs. IPS deployment feedback
See my comments prefixed with >>>>>
Thanks,
Mike
-----Original Message-----
From: watsont [mailto: thomas.watson.b@...]
Sent: March 16, 2006 2:56 PM
To: focus-ids@...
Subject: IDS vs. IPS deployment feedback
Here is my quandary:
In recent years there has been an increasing buzz that Intrusion
Detection is dead. We hear that the next, pardon the OLD cliche, 'killer
app' for security professionals to deploy in their network for
identifying and protecting against malicious attacks is IPS. I am by no
means an Intrusion Prevention bigot but I have a philosophical issue
with deploying a device that is fairly immature, in my mind, in line
with production traffic that, should it be interrupted for ANY reason,
might impact the businesses we work so hard to protect. I struggle with
putting my name on the list of phone numbers to call when the device I
deployed to protect the environment actually DOS's our customers (both
internal and external).
>>> the detection part of the IPSes is a mature technology, it has its
roots in IDS products which have been on the market for some time. As
you correctly pointed out, what's lacking in the majority of the IPSes
is the "network grade" quality required by an in-line device. Look at
the IPS sensor platforms. How many of them are Dell Intel based? Would
you put a Dell inline on your network core? I would not. Then, most
IPSes lack network type features. For example, how easy is it to find out,
directly in the IPS management server, at a glance, if a port is down or
up? Rather than hiring more DB developers, IPS vendors should hire more
network engineers. [Note: I am neither a network engineer, nor a DB
developer ;) ]
I fully understand the value in preventing traffic that we may know to
be malicious such as worms and the like but there are other mature
protection methods already available in products that are widely
deployed (modern
firewalls) which can proactively handle these types of issues. I think
we would be better suited to look at what firewalls can't do well yet
such as web application level protection but that is another topic
should you like to broach I'd be happy to discuss.......
>>>> Let's leave the firewalls to do what they are meant to do: access
control. Just a simple example: Firewalls should fail closed, correct?
How should an IPS fail? Unless your IPS defends highly critical networks
you would like to have the IPS fail open? But how can you fail open and
fail closed at the same time, on the same machine? Now you really will
DOS yourself if you fail closed - and you have to fail closed on such a
"combined" platform.
My second issue with IPS, at least the current incarnation of them, is
that they do a mediocre job of handling false positives which would lead
back to my initial concern of blocking valid traffic. Let's face it,
though they are getting better, most IPS vendors are providing a
solution that grew out of IDS type devices. It took several years and
much pain to develop, deploy and reliably tune devices that are able to
keep up with an ever increasing number of attacks and growth in
bandwidth. In my opinion IDS is by no means dead.
>>> It's the IPS/IDS analyst who does the mediocre job here! Not the
IPS. The same thing with a firewall: a firewall is as good as its
inspection policy. The thing is that it is far easier to figure out
a firewall policy than an IPS policy. It's a breeze for a network
engineer to set up a good firewall policy.
>>>>How many companies out there have their IDS installed just "to
comply"? How many have the in-house required expertise to get the
maximum out of the information from an IDS/IPS? Some figured out that if
they do not have these skills in house maybe it's better to outsource
the IDS/IPS. Now, the problem is that these vendors will never be able
to figure out what you have on your network and they will end up
protecting your network only against generic risks.
>>> IPS and IDS are not mutually exclusive.
.....

RE: RE: IDS vs. IPS deployment feedback
> I for one worry more about downtime than getting hacked.
> If I am are well organised, patched and secured in depth,
> the possibility for getting hacked is very low. A 'leet
> hacker would probably operate under a IPS/IDS
> detectonrange anyway.
Hacking is only one aspect. IPS does a lot more than stop hackers. It
also stops internal people from doing things they shouldn't. It also can
spot poorly coded applications, misconfigurations, abuse, theft,
information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
many other things. A well tuned IPS controls more than just exploits. It
can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
before you say "well a firewall can do that." No it can't. If you run
IRC on port 80 it can slice through most firewalls on the market.
I have a diagram I use in a presentation on the Myths of IPS. You can
see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
It's the Risk Reduction Bang for the Buck chart. It compares IPS to
other common security/network technologies such as AV, content
filtering, firewalls and packet shapers. A well tuned, well managed IPS
can provide more services and capabilities in one unit than all those
other technologies combined. As I tell people - firewalls and AV are
important and should never be overlooked. But once those protections are
in place, IPS offers the most bang for the buck in security
technologies.
Also - you cannot patch your way to security. Patching merely plugs the
holes you know about. There are, at any given time, hundreds if not
thousands of holes you don't know about. Good IPS manufacturers are
deploying protections before exploits hit the public.
> BEFORE you add an rule to your IPS/IDS you patch for
> the vulnerability it detects and /or make sure it
> doesn't pass your firewall. Then you don't need any
> IPS to block it.
How do you know your firewall is blocking it? How do you know your
servers aren't already infected? Are you willing to allow a system to
get infected, detect that infection hours if not weeks later when you
analyze the firewall logs (assuming you do that) and then fix it?
After-the-fact detections allow for infections and problems to happen
and get corrected later. Basically, that's like saying "I don't care if
the criminals steal my money, I can detect them stealing it and then go
back a month later and stop them from doing it again."
Without proactive defenses and detection, you could have serious flaws
in your firewall rules or server configurations for months and never
even know about it. As I like to say, a good IPS can be a checkpoint on
your CheckPoint.
>>Also, I think the DOS angle is WAY overhyped.
>>Its frankly a weak excuse.
> By adding IPS, you open up for DoS attacks that
> was not there before. Why increase risk when you
> really do not have to ? Imho it is IPS that is
> WAY overhyped :)
This is like saying, "by buying a car, you open yourself up to an auto
accident." Well, sure. There is risk in everything. It's absurd to think
that just because something has risk, it's useless.
Sure, there is a DOS possibility. But, you have that possibility with
ANY network equipment you install. A new server, router, switch or
anything has the possibility to open you up to a DOS attack.
Frankly, it's a bigger risk to have a network that isn't being monitored
and protected. The "possibility" for a DoS attack is minor if you
consider the benefits. Moreover, good IPSs actually PREVENT DoS attacks.
Anybody who runs a decent sized network (at least 10 or more servers)
should have some type of active, dynamic protection. The benefits of a
well managed and tuned IPS far outweigh the potential problems.
_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm

Re: RE: IDS vs. IPS deployment feedback
On 28/03/06 08:46 -0800, Andrew Plato wrote:
>
> > I for one worry more about downtime than getting hacked.
> > If I am are well organised, patched and secured in depth,
> > the possibility for getting hacked is very low. A 'leet
> > hacker would probably operate under a IPS/IDS
> > detectonrange anyway.
>
> Hacking is only one aspect. IPS does a lot more that stop hackers. It
> also stops internal people from doing things they shouldn't. It also can
> spot poorly coded applications, misconfigurations, abuse, theft,
> information leakage, viruses, worms, spyware, P2P, chat, rootkits...and
> many other things. A well tuned IPS controls more than just exploits. It
> can keep unwanted protocols (IRC, NNTP, etc.) out of your network. And
> before you say "well a firewall can do that." No it can't. If you run
> IRC on port 80 it can slice through most firewalls on the market.
>
If by firewall, you mean packet filter, then you are correct.
If by firewall, you mean a proxy which validates protocols and is in
default deny mode, then you are just wrong.
"If I don't have a proxy for it, I don't let the traffic through" works
just fine.
An IPS looks at stuff on the wire, decides what is bad, and blocks it.
A real firewall looks at stuff on the wire, decides what is good, and
allows it. A real firewall hooks into everything (servers, network
equipment, desktops...).
> I have a diagram I use in a presentation on the Myths of IPS. You can
> see it here: http://www.anitian.com/corp/papers/Library/IPS_myths.pdf
> It's the Risk Reduction Bang for the Buck chart. It compares IPS to
> other common security/network technologies such as AV, content
> filtering, firewalls and packet shapers. A well tuned, well managed IPS
> can provide more services and capabilities in one unit than all those
> other technologies combined. As I tell people - firewalls and AV are
> important and should never be overlooked. But once those protections are
> in place, IPS offers the most bang for the buck in security
> technologies.
Once you have a firewall in place, you need a system which analyses logs
and traffic which gets through your firewall.
>
> Also - you cannot patch your way to security. Patching merely plugs the
> holes you know about. There are, at any given time, hundreds if not
> thousands of holes you don't know about. Good IPS manufacturers are
> deploying protections before exploits hit the public.
>
Which is why you need to run secure code in the first place. Bandaids
are not a panacea to vulnerable code.
Really, it would help to compare IPSes with proxies instead of known
broken systems.
Devdas Bhagat
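Devdas's distinction (an IPS decides what is bad and blocks it; a default-deny proxy decides what is good and allows it) is easiest to see with the "IRC on port 80" case from the post he is answering. The following added example, written for this thread and not taken from any poster or product, models the proxy side: traffic arriving on TCP/80 is forwarded only if its opening bytes parse as an HTTP/1.x request head. The sample payloads are constructed.

```python
"""Default-deny, protocol-validating gate for traffic arriving on TCP/80.

A packet filter allows anything addressed to port 80. A proxy forwards only
what it can parse as the protocol it speaks, so tunnelled IRC on port 80 is
refused not because it matched a "bad" signature but because it failed to
match the one "good" grammar.

Added example for this thread; the sample payloads are constructed."""
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) [^ \r\n]+ HTTP/1\.[01]\r\n$")
# header-field: token ":" OWS field-value CRLF (token chars per RFC 7230)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*\r\n$")


def validate_http_request_head(data):
    """Parse the request line and headers from the first segment of a connection.
    Returns (ok, reason). A real proxy would buffer an incomplete head until the
    blank line arrives or a timeout fires; here it is simply reported."""
    first_line = data.split(b"\r\n", 1)[0]
    if any(b < 0x20 or b > 0x7E for b in first_line):
        # TLS, SSH, binary C2 framing: none of these is a text request line.
        return False, "non-text bytes in request line"
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete head"
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0] + b"\r\n"):
        return False, "not an HTTP request line"
    for h in lines[1:]:
        if not HEADER_LINE.match(h + b"\r\n"):
            return False, "malformed header: %r" % h[:20]
    return True, "http/1.x request"


def gate(data):
    """Default deny: forward only what validated as HTTP, everything else is refused."""
    ok, reason = validate_http_request_head(data)
    return ("allow" if ok else "deny", reason)


# Constructed first segments as a sensor would see them on port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "irc_on_80": b"NICK user4711\r\nUSER user 0 * :user\r\nJOIN #example\r\n\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",   # start of a TLS ClientHello
    "bad_header": b"GET / HTTP/1.1\r\nHost: a\r\nX-Bad header\r\n\r\n",  # no colon in field
}


def run_demo():
    return {name: gate(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The point of the design is that nothing in the gate knows what IRC looks like; any protocol other than HTTP is rejected the same way, which is the "if I don't have a proxy for it, I don't let it through" rule stated in the post.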

Re: RE: RE: IDS vs. IPS deployment feedback
The title of the discussion is IDS vs. IPS deployment feedback.
Both IDS and IPS are neither stronger nor weaker than the rules that control them.
As far as I know you could run the same type of rules (signature and/or anomaly based)
on an IDS as on an IPS. Thus an IDS could detect any network or host activity as well as an IPS could.
The main difference is in what you do with the information. I'd rather have an experienced analyst implementing the security policy than a machine. Most IDSs have implemented ways to stop traffic through the firewall.
AFAIK it hasn't been much used because it opens up a considerable DoS vulnerability. If I know
what rules shut down connections, I can craft packets that shut down valid connections.
If installed correctly, an IDS is a network/host recording device that is very resistant to evidence manipulation. More so at least than an IPS that must be installed inline.
Firewalls and IPS have the same characteristics in that if either one stops working, traffic goes down as well. So by installing
an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that can
shut down your network.
>This is like saying, "by buying a car, you open yourself up to an auto
>accident." Well, sure. There is risk in everything. It's absurd to think
>that just because something has risk, it's useless.
I would rather buy a cheap car that I can steer myself than trust an expensive car
running on autopilot :)
Re: RE: IDS vs. IPS deployment feedback
On Wed, Mar 29, 2006 at 06:50:57PM +0530, Devdas Bhagat wrote:
> On 28/03/06 08:46 -0800, Andrew Plato wrote:
> An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> A real firewall looks at stuff on the wire, decides what is good, and
> allows it. A real firewall hooks into everything (servers, network
> equipment, desktops...).
>
> Once you have a firewall in place, you need a system which analyses logs
> and traffic which gets through your firewall.
> >
> > Also - you cannot patch your way to security. Patching merely plugs the
> > holes you know about. There are, at any given time, hundreds if not
> > thousands of holes you don't know about. Good IPS manufacturers are
> > deploying protections before exploits hit the public.
Hello All,
I agree with both of you.
Running a network without both passive and dynamic protections makes no sense.
After all, the so-called "defense in depth" concept is well known.
The main problem (I see) with both IPS/IDS is the tuning; running the correct "up
to date" rules is mandatory, since we rely on them.
But we may (too) add another layer, something like "NBAD" solutions;
detecting abnormal traffic may be worthwhile. Imagine a spyware running some sort
of tunneling over HTTPS. How would either an IDS or an IPS detect this one? Is it
possible?
I think we may (speaking at the wire level) use a good mix of all the
solutions we saw.
Best regards.
RE: RE: IDS vs. IPS deployment feedback
> If by firewall, you mean a proxy which validates protocols
> and is in default deny mode, then you are just wrong.
> If I don't have a proxy for it, I don't let the traffic through works
> just fine.
> An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> A real firewall looks at stuff on the wire, decides what is good,
> and allows it. A real firewall hooks into everything (servers,
> network equipment, desktops...).
Proxy firewalls make up a small (and shrinking) percentage of the market
of firewalls. And having worked with over 500 different companies, my
experience is that proxy-based firewalls are rarely deployed in the
manner you describe. The default deny from unknown or unallowed
protocols is almost ALWAYS turned off because it breaks some important
business system that was poorly coded. Furthermore, a proxy validating
protocols still cannot stop a lot of exploits. Plenty of exploits live
quite comfortably inside the RFC-specs for a protocol. And in this case,
your proxy-firewall would do nothing to stop them.
Most firewalls have no insight into application-layer content. And most
exploits are application-layer exploits. This isn't just some insane
idea, it's a fact. You can ignore this and tell yourself 10000 times you
don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls
are not sufficient protection for most organizations.
> Once you have a firewall in place, you need a system which
> analyses logs and traffic which gets through your firewall.
Which is why you sandwich your firewall with a good IPS, so you can see
what gets through and block it - if necessary.
_____________________________________
Andrew Plato, CISSP, CISM
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm
_________________________________________________
NOTICE:
This email may contain confidential information,
and is for the sole use of the intended recipient.
If you are not the intended recipient, please reply
to the message and inform the sender of the error
and delete the email and any attachments from
your computer.
_________________________________________________
Re: Re: RE: RE: IDS vs. IPS deployment feedback
<snip>
Firewalls and IPSes have the same characteristic in that if either one stops working, traffic goes down as well. So by installing
an IPS you have two devices that can stop your connection. By using an IDS you only have one device (the firewall) that can
shut down your network.
</snip>
The above statement isn't entirely correct. Most modern IPSes have a 'fail-over' feature that allows traffic to pass even if the IPS is overloaded or powered off. If deployed correctly an IPS should not completely shut down a network.
One of the misconceptions some people have is to believe that deploying and maintaining an IPS requires less work than an IDS. Both systems require knowledgeable personnel to tune and customize the rule sets for their environment. If you don't have the right people for an IDS you won't be able to separate legitimate threats from false positives. If you don't have the right people for an IPS you will end up blocking legitimate traffic. To me neither scenario is acceptable.
As to the post topic, I've used both IDS and IPS systems and found that a combination of both works well for my environment. IPSes can work well in front of or behind your perimeter firewall. They also work well to separate your DMZ from Corp networks. IDS can work well inside your DMZ or Corp networks.
Re: RE: RE: IDS vs. IPS deployment feedback
Hi,
My views are embedded in the text below.
At 09:58 PM 3/29/2006, xris375@... wrote:
>The title of the discussion is IDS vs. IPS deployment feedback.
>Neither IDS nor IPS is stronger or weaker than the rules that control
>it.
>As far as I know you could run the same type of rules (signature and/or
>anomaly based)
>on an IDS as on an IPS. Thus an IDS could detect any network or host
>activity as well as an IPS could.
>
>The main difference is in what you do with the information. I would rather have
>an experienced analyst implementing the security policy than a
>machine. Most IDSes have implemented ways to stop traffic through the
>firewall.
>AFAIK it hasn't been much used because it opens up a considerable DoS
>vulnerability. If I know
>what rules shut down connections, I can craft packets that shut down
>valid connections.
I think this is where an IPS differs from an IDS+firewall combination.
Whenever an IDS detects some suspicious packets from a spoofed IP (sent by
some attacker), it directs the firewall to form an ACL to stop that connection.
This ACL is not dynamic (correct me if I am wrong here). Therefore, if the
same IP is used by some genuine users later on, the access is denied on the
basis of that ACL, i.e. DoS. Now in the case of an IPS, the decision is taken
per packet, per connection. So, if some IP is used by some attacker to
launch some attack, it is blocked, whereas the same IP is allowed if it is
used by some genuine user. There are no static ACLs in an IPS. Of course, you
can always define rules on the basis of IP/port combination, which work
just like ACLs.
But I still believe that even if we are using an IPS, we can't ignore IDS. The
reason is that we still don't have 100% confidence in attack detection. There
are false positives. As an IPS is an inline device (in most deployments),
wrong rules will affect the traffic. Therefore, an IDS should be running
with all the rules, whereas an IPS should be loaded only with rules in
which we are highly confident.
I shall be happy to know others views on this.
regards
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
>If installed correctly, an IDS is a network/host recording device that is
>very resistant to evidence manipulation. More so at least than an IPS that
>must be installed inline.
>
>Firewalls and IPSes have the same characteristic in that if either one stops
>working, traffic goes down as well. So by installing
>an IPS you have two devices that can stop your connection. By using an IDS
>you only have one device (the firewall) that can
>shut down your network.
>
> >This is like saying, "by buying a car, you open yourself up to an auto
> >accident." Well, sure. There is risk in everything. It's absurd to think
> >that just because something has risk, it's useless.
>
>I would rather buy a cheap car that I can steer myself than trust an
>expensive car
>running on autopilot :)
>
|
RE: IDS vs. IPS deployment feedback
On 30/03/06 08:30 -0800, Andrew Plato wrote:
>
> > If by firewall, you mean a proxy which validates protocols
> > and is in default deny mode, then you are just wrong.
>
> > If I don't have a proxy for it, I don't let the traffic through works
> > just fine.
>
> > An IPS looks at stuff on the wire, decides what is bad, and blocks it.
> > A real firewall looks at stuff on the wire, decides what is good,
> > and allows it. A real firewall hooks into everything (servers,
> > network equipment, desktops...).
>
> Proxy firewalls make up a small (and shrinking) percentage of the market
> of firewalls. And having worked with over 500 different companies, my
And that market-share is relevant how? Just because everyone thinks the
world is flat does not make it so.
> experience is that proxy-based firewalls are rarely deployed in the
> manner you describe. The default deny from unknown or unallowed
> protocols is almost ALWAYS turned off because it breaks some important
And that justifies an IPS?
> businesses system that was poorly coded. Furthermore, a proxy validating
Then the right thing to do is to fix the application.
> protocols still cannot stop a lot of exploits. Plenty of exploits live
> quite comfortably inside the RFC-specs for a protocol. And in this case,
> your proxy-firewall would do nothing to stop them.
>
Actually, the proxy would know what valid traffic to expect. Regular
expressions are nice if used properly. Plug in a reverse proxy in front
of your webserver and block queries with SQL(ish) content embedded.
If you think that you can run an Internet facing system without knowing
what is on the network, you are just plain wrong.
> Most firewalls have no insight into application-layer content. And most
ITYM packet filters and not firewalls.
> exploits are application-layer exploits. This isn't just some insane
> idea, it's a fact. You can ignore this and tell yourself 10000 times you
> don't need no stinkin' IPS, but the cold hard stiff fact is: firewalls
> are not sufficient protection for most organizations.
Other than networking stack issues, everything else is an application
layer exploit. Not having a service installed, not running it, staying
patched, using proxies correctly, using well coded software, watching
your logs.....
>
> > Once you have a firewall in place, you need a system which
> > analyses logs and traffic which gets through your firewall.
>
> Which is why you sandwich your firewall with a good IPS, so you can see
> what gets through and block it - if necessary.
>
IDS yes, IPS no. Oh, and good backups.
Devdas Bhagat
Re: IDS vs. IPS deployment feedback
First let me preface my in line responses by saying that I develop an
open source IPS.
Regards,
Will
> 1. Immature Technology
>
> IPS is far from immature. The first in-line IPS was BlackICE Guard. I
> installed one of the first in late 1999. And all of the decent IPSs on
> the market have roots in IDS, which is many years older. IPS is at least
> 7 years old and at best 10 or more. In technology terms, that's mature.
>
> Consider anti-spam technologies. They basically did not exist in 1999.
> Now, everybody has some kind of spam control. Is anti-spam a mature
> technology?
In comparison to IDS, IPS is an immature technology! Not only that but
you have to deal with many things on an IPS that you do not have to
worry about on an IDS. For heaven's sake there are still commercial
IPS vendors out there (one of your business partners in fact) that
drop all out of sequence packets... Are you kidding me?!? Don't these
people understand how the Internet works? What ends up happening
is that marketing folks for companies pitch IPS as a silver bullet, an
end all be all security solution which is far from the truth. Please
stop! In the end you are only going to hurt the reputation of your
company and the reputation of what could be a great complementary
security technology in an overall security strategy. All of this
because the industry will have lost faith in the technology due to
your empty promises and marketing BS.
> 2. False Positives
>
> This is ultimately an issue of tuning. If you think you're going to drop
> an IPS inline, slap some rules on it, and never touch it again - you
> shouldn't be getting an IPS. A well tuned IPS can be pretty lean on
> false positives. And frankly, what is worse - a few POSSIBLE disruptions
> due to false positives, or getting hacked and 0wn3d and losing your
> business.
>
> Moreover, IPS can dramatically reduce the number of events that require
> incident response. With an IPS, when you see a really nasty alert, you
> can take note and move along, because you know the IPS blocked it. This
> allows you the freedom to analyze more subtle attacks or problems.
That is the completely wrong approach to take regarding a security
incident. What is your IPS not seeing? What happened before the
event? What happened afterwards? I agree with Richard Bejtlich on the
idea that prevention will eventually fail. This is why you must
always analyze IDS/IPS alert data along side host logs, session, and
full content data.
> Also, I think the DOS angle is WAY overhyped. It's frankly a weak excuse.
> If you consider that almost every switch and router on the market has
> plenty of DOS weaknesses, then an IPS really isn't much different. The
> DOS fears also stem from the idea that somebody could feed your IPS
> internal addresses and hence block normal traffic. Even with the most
> rudimentary router ACLs you can ensure this never happens.
Yeah, but your network isn't going to stop working if a NIC goes bad
in your IDS sensor. Yeah, yeah, bypass switches, NICs... But what is
worse? The fact that your CEO can't send e-mail, or the fact that
your web server just got owned due to an IIS exploit that your IPS was
protecting against?
> 3. Firewalls
>
> Firewalls are not IPSs. All the firewall vendors, especially the big
> ones, are clamoring all over themselves to repaint themselves as
> "security appliances." Even application firewalls, of which there are
> few, rarely are good at true IPS functions.
>
> The fact is, firewalls are good at one thing - access control. Detailed
> protocol analysis and filtering is not what most firewalls were built to
> do. And any firewall that has added this feature, has done so merely to
> be competitive in the market. I cannot think of any firewalls that were
> built from the ground up to be both a good firewall and a good IPS.
>
> Firewalls should be left to do what firewalls do best - access control.
> Leave the packet inspection to a dedicated system.
Yeah Ummm an IPS is nothing more than a layer7 "application layer" firewall.
> IDS Dead?
>
> IDS may not be dead, but its value is diminishing. While there is a
> place for IDS in some environments, I fail to see why anybody would get
> a passive defense when active defenses can be deployed to function in a
> passive manner. An active system that is deployed passively at least
> gives you the option to switch to active mode later.
Really, what kind of visibility do you have on your IPS device located
at key choke points throughout your network? And how much visibility
do you have on your IDS device? IDS and IPS systems are complementary
security technologies, in my opinion you should never replace one for
another.
> Moreover, the value of an IDS diminishes even more if you lack in-house
> analytical capabilities. The unexamined IDS is not worth having, to
> paraphrase good old Socrates.
If you don't have the in-house analytical capabilities you shouldn't
have an IPS either. The unexamined IPS is a far worse scenario,
because the industry is selling people a false sense of security. "I
drank what" to paraphrase good old Socrates.....
> These are, of course, my opinions. And naturally, I have a vested
> interest in people buying more IPSs - because I sell them.
>
> -----Original Message-----
> From: watsont [mailto: thomas.watson.b@...]
> Sent: Thursday, March 16, 2006 11:56 AM
> To: focus-ids@...
> Subject: IDS vs. IPS deployment feedback
>
RE: IDS vs. IPS deployment feedback
> In comparison to IDS, IPS is an immature technology!
> Not only that but you have to deal with many things
> on an IPS that you do not have to worry about on an IDS.
> For heaven's sake there are still commercial IPS vendors
> out there (one of your business partners in fact) that
> drop all out of sequence packets... Are you kidding me?!?
> Don't these people understand how the Internet works?
> What ends up happening is that marketing folks for
> companies pitch IPS as a silver bullet, an end all be
> all security solution which is far from the truth.
> Please stop! In the end you are only going to hurt
> the reputation of your company and the reputation of
> what could be a great complementary security technology
> in an overall security strategy. All of this because
> the industry will have lost faith in the technology
> due to your empty promises and marketing BS.
I have a serious question for you - have you ever been responsible for
an enterprise network and its security? I ask that because the threats
of dropped packets and the "nic that goes bad" all sound like FUD, not
experience. Dropped packets happen when people try to ram 1000 Mbps
through an IPS rated at 200 Mbps. You have to size your IPS accordingly.
And the bad NIC is easily solved with bypass units. Again - all this FUD
has many simple answers.
Furthermore where is all this analytical power coming from? Most
enterprise networks are complex and have limited resources to handle
ANYTHING, let alone security. Most network admins and IT people spend
the majority of their time just keeping their organizations running.
They simply do not have the time or resources to baby an IDS and perform
intricate security analysis.
Now, you could complain that this is because companies underfund IT.
That's a whole different issue, however.
The reality is - IT departments need tools that can extend the expertise
of a small staff. The more content that can be blocked and kept out of a
network, the less there is to deal with.
It's easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy
Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally
vigilant experts. Of the hundreds of companies I have seen (from small
to gigantic) none of them have the IT resources to analyze IDS logs all
day and none of them implement proxy firewalls correctly.
Now, maybe I am just seeing a totally skewed view of it all. I will
accept that. But I don't think so. I think security needs to be
transparent and easy as possible. And complex IDSs that generate 10000s
of alerts and stop nothing are quickly ignored when the staff gets busy.
And proxy firewalls are a small fraction of the market.
> Yeah Ummm an IPS is nothing more than a layer7 "application layer"
> firewall.
This is just false. Firewalls and IPS assume much different things. A
firewall is a static set of rules that say what is allowed and what is
not allowed. That's it.
An IPS, on the other hand, lets everything through unless it does
something that it knows is bad.
Now, before you have a triple-heart attack and say "what about stuff it
doesn't know about." Well, that's the eternal squeal of the paranoid,
isn't it? How do you defend against the unknown?
The reality to that is - you can't. It's impossible to defend 100%
against the unknown. You HAVE to make some type of educated guess as to
what is PROBABLE and defend against that which is MOST PROBABLE. And
that is exactly what an IPS does. It can look at a stream and say: "it's
HIGHLY unlikely that this gargantuan binary package in the middle of an
ISAPI call is normal, so I am going to block it."
I realize a lot of people fly off into a rage when you mention IPS to
them. And yes, a lot of the vendors are pretty bad when they sell IPS as
a silver bullet that will solve everything. But, by the same token
spreading inaccurate FUD about IPS isn't any better than some commission
hungry sales person telling customers that IPSs will solve everything.
Both responses have hidden agendas.
When you clear away the hype and FUD, the value of an IPS is obvious. You
can lower risk by knowing that a set number of vulnerabilities are
blocked, thus reducing the number of incidents that need to be
investigated.
_____________________________________
Andrew Plato, CISSP
President / Principal Consultant
ANITIAN ENTERPRISE SECURITY
Re: IDS vs. IPS deployment feedback
> I have a serious question for you - have you ever been responsible for
> an enterprise network and its security?
I manage information security for an organization of 3500 employees ;-).
> I ask that because the threats
> of dropped packets and the "nic that goes bad" all sound like FUD, not
> experience. Dropped packets happen when people try to ram 1000mbps
> through an IPS rated at 200Mbps. You have to size your IPS accordingly.
> And the bad nic is easily solved with bypass units. Again - all this FUD
> has many simple answers.
Really, I had a NIC go bad in my IPS.... You're trying to say that
hardware never goes bad? What happens when your IPS fails open and
you don't have anything passively monitoring your network to log a
successful exploitation that your IPS was previously stopping?
> Furthermore where is all this analytical power coming from? Most
> enterprise networks are complex and have limited resources to handle
> ANYTHING, let alone security.
Talk about FUD, if an organization isn't dedicating resources to
INFOSEC they need to start. I don't think there is an excuse not to
in this day and age. As a manager if I had to choose between
educating our INFOSEC staff or buying a shiny new IPS appliance, I
would choose the training every time. Having a good security analyst
that is able to apply his or her knowledge of INFOSEC best practices
to your enterprise is worth more than a hundred IPS devices.
> Most network admins and IT people spend
> the majority of their time just keeping their organizations running.
> They simply do not have the time or resources to baby an IDS and perform
> intricate security analysis.
> Now, you could complain that this is because companies underfund IT.
> That's a whole different issue, however.
>
> The reality is - IT departments need tools that can extend the expertise
> of small staff. The more content that can be blocked and kept out of a
> network, the less there is to deal with.
>
> Its easy to sit in the TOWER OF ULTIMATE SECURITY PERFECTION where Proxy
> Firewalls are ABSOLUTELY PERFECT and IDSs are manned by eternally
> vigilant experts. Of the hundreds of companies I have seen (from small
> to gigantic) none of them have the IT resources to analyze IDS logs all
> day and none of them implement proxy firewalls correctly.
>
> Now, maybe I am just seeing a totally skewed view of it all. I will
> accept that. But I don't think so.
I think so....
>I think security needs to be
> transparent and easy as possible. And complex IDSs that generate 10000s
> of alerts and stop nothing are quickly ignored when the staff gets busy.
> And proxy firewalls are a small fraction of the market.
>
> > Yeah Ummm an IPS is nothing more than a layer7 "application layer"
> > firewall.
>
> This is just false. Firewalls and IPS assume much different things. A
> firewall is a static set of rules that say what is allowed and what is
> not allowed. That's it.
Is your signature-based IPS not based off of a static set of rules?!?
Want to talk about behavior-based IPS devices?
Fine, even layer 3/layer 4 firewalls have behavior-based anomaly detection.
> An IPS, on the other hand, lets everything through unless it does
> something that it knows is bad.
> Now, before you have a triple-heart attack and say "what about stuff it
> doesn't know about." Well, that's the eternal squeal of the paranoid,
> isn't it? How do you defend against the unknown?
>
> The reality to that is - you can't. Its impossible to defend 100%
> against the unknown. You HAVE to make some type of educated guesses as
> what is PROBABLE and defend against that which is MOST PROBABLE. And
> that is exactly what and IPS does. It can look at a stream and say: "its
> HIGHLY unlikely that this gargantuan binary package in the middle of a
> ISAPI call is normal, so I am going to block it."
Trusting the security of your network to an appliance/piece of software
etc. without human interaction and analysis is just plain dumb. Ever
seen War Games?
> I realize a lot of people fly off into a rage when you mention IPS to
> them. And yes, a lot of the vendors are pretty bad when they sell IPS as
> a silver bullet that will solve everything. But, by the same token
> spreading inaccurate FUD about IPS isn't any better than some commission
I guess we will agree to disagree; I feel my views are quite accurate.
Having spent a lot of my free time developing an IPS, and having evaluated
and used commercial host- and network-based IPSes in a production
enterprise environment, I am qualified to speak to the strengths and
weaknesses of the technology, but believe what you want.
> hungry sales person telling customers that IPSs will solve everything.
> Both responses have hidden agendas.
>
> When you clear away the hype and FUD, the value of an IPS obvious. You
> can lower risk by knowing that set number of vulnerabilities are
> blocked, thus reducing the number of incidents that need to be
> investigated.
Yeah, uhhh, did you read the beginning of my last e-mail? I develop an
open source IPS. I'm not saying that an IPS does not have value, I'm
saying it should be part of an overall security strategy, not your end
all solution for detecting and preventing intrusions, as the view
that it gives even the most novice analyst is far too narrow.
RE: IDS vs. IPS deployment feedback
I'm new to the list, but this flame war is a bit odd. This is an IDS list,
yet the usefulness of IDS is being dismissed?
This debate could generate some interesting data. In Snort, for example,
there are around 5,759 rules (3/31/2006, non-subscription rule base). I
don't have the metrics on hand of how many rules commercial IPSes have on
by default (and how many total can be turned on), but I'd guess it is around
500. I'd be interested to know those numbers, if someone has them. A vendor
comparison of rules could also be interesting.
What I draw from this ratio is that some 90% of attacks can get through an
IPS solution. That doesn't invalidate the IPS any more than the IPS
invalidates a firewall, but it does indicate to me that IDS plays an
essential role.
~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College