
Network Security Focus-IDS

Re: Wishlist for IPS Products

Subject: Re: Wishlist for IPS Products
Date: Sun, 12 Sep 2004 12:14:41 -0700
Most of the features are common across IDS, Inline-IDS and Inline-IPS. For example, signatures have to be robust and accurate in all three cases. But one should be very careful in blocking the traffic. Unless it is known that a signature does not have any false positives, it is not good to block the traffic based on pattern detection. IPS products give provision for blocking on a per-signature-rule basis, but that needs to be set carefully. IPS does not mean that it implicitly blocks the traffic upon detection. What one should look for is application decoding capability, to reduce false positives. This will give confidence to block the traffic based on patterns.


I feel that Inline (IDS or IPS) products give quite a bit of advantage in rate-limiting the traffic. Upon a traffic anomaly, Inline products have better control on successfully reducing the traffic, and due to that genuine traffic can be passed, even where there is a flood of sessions/traffic. For example, IPS products can classify the traffic into different protocols/applications (such as P2P Kazaa, eDonkey, BitTorrent, AOL IM, MSN IM, YAHOO IM and all other standard protocols) based on ports and/or signatures, and one can apply limits to the traffic or sessions for given applications. One might say it is a firewall feature, but again IPS products can also do this, due to their inline capability. In future, I see both these technologies merging anyway...


Inline products, in my view, should also work transparently. It should not appear as a router in the network; rather it should appear as a bridge/switch in the network. Network administrators should not have to change their IP addressing range. It should be plug and play. One should look for this capability in Inline IPS products. Of course, there can be some deployments where appearing as a router is needed. One should look for IPS products which have both capabilities.


Session data logging (as discussed in the mailing list) is also quite important for analysis. One technique which we follow is to remove any logged data (at the end of the session) if there is no exploit found during the data transfer. Even this can generate a significant amount of data, and we provide different controls on the amount of data it can log per session and the type of sessions for which data is to be logged (on a 5-tuple basis) etc.

I also feel that one should look for flexibility in the Management/Administration of IPS products. Some of these features are actually common whether it is IDS or IPS.
- Does it give flexibility to create your own rules/signatures? A good number of times, the general signature provided may not be good enough for their deployment environment. Sometimes the administrator might like to change the signature rule itself. One should look for this kind of capability.
- Does it give a complete view of the traffic flowing through the IPS? If the IPS is placed at the edge of a network, the administrator should be able to look at the traffic patterns.
- In IPS, inbound and outbound traffic characteristics can be different, so look for an IPS which provides different signature rule bases for inbound and outbound. If the IPS is used in a many-networks scenario (virtualization), then ensure that the IPS provides virtualization.
- Look for an IDS/IPS which can detect (or provide configuration for) standard applications running on non-standard ports and then apply application-specific signatures to traffic on non-standard ports.



Srini
Intoto Inc.
www.intoto.com
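The session-logging policy the post describes (buffer a session's data only for sessions selected by 5-tuple, cap the bytes kept per session, retain the buffer at session end only if a signature fired during the transfer) can be sketched as follows. This is an added illustration, not Intoto's code or the code of any product; the class and function names, the HTTP-only selection policy and the sample sessions are all constructed for the example.

```python
# Illustration of "log per session, discard at close unless an exploit was seen".
# SessionLogger, http_only and demo are hypothetical names for this example.

class SessionLogger:
    def __init__(self, log_policy, per_session_cap):
        # log_policy(five_tuple) -> bool decides which sessions are buffered at all
        # (the "type of sessions ... on a 5-tuple basis" control from the post).
        self.log_policy = log_policy
        self.cap = per_session_cap   # "amount of data it can log per session"
        self.buffers = {}            # 5-tuple -> bytearray of captured payload
        self.flagged = set()         # sessions in which a signature matched
        self.retained = {}           # 5-tuple -> bytes kept for later analysis

    def on_data(self, key, payload, signature_hit=False):
        """Called per packet; signature_hit comes from the upstream signature engine."""
        if not self.log_policy(key):
            return
        buf = self.buffers.setdefault(key, bytearray())
        room = self.cap - len(buf)
        if room > 0:
            buf.extend(payload[:room])   # truncate at the per-session cap
        if signature_hit:
            self.flagged.add(key)

    def on_close(self, key):
        """At session end keep the buffer only if an exploit was seen; else drop it."""
        buf = self.buffers.pop(key, None)
        if buf is None:
            return False
        if key in self.flagged:
            self.retained[key] = bytes(buf)
            self.flagged.discard(key)
            return True
        return False  # clean session: logged data is removed to save storage


def http_only(key):
    # constructed policy: only buffer TCP sessions to port 80
    proto, _src, _sport, _dst, dport = key
    return proto == "tcp" and dport == 80


def demo():
    # constructed sessions: (proto, src_ip, src_port, dst_ip, dst_port)
    lg = SessionLogger(http_only, per_session_cap=64)
    clean = ("tcp", "10.0.0.5", 40001, "10.0.0.9", 80)
    bad = ("tcp", "10.0.0.6", 40002, "10.0.0.9", 80)
    dns = ("udp", "10.0.0.7", 5353, "10.0.0.9", 53)
    lg.on_data(clean, b"GET /index.html HTTP/1.0\r\n\r\n")
    lg.on_data(bad, b"GET /report HTTP/1.0\r\n" * 5, signature_hit=True)
    lg.on_data(dns, b"\x00" * 20)   # not selected by policy, never buffered
    return lg.on_close(clean), lg.on_close(bad), lg.on_close(dns), len(lg.retained[bad])
```

`demo()` returns `(False, True, False, 64)`: the clean HTTP session and the unselected DNS session leave nothing behind, while the flagged session is retained, truncated to the 64-byte cap.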
----- Original Message ----- From: "PS R" <secureyourself@gmail.com>
To: <focus-ids@securityfocus.com>
Sent: Friday, September 10, 2004 7:18 AM
Subject: Wishlist for IPS Products



I have seen a lot of discussion about the differences between IDS,
IPS, and firewalls and the potential for convergence, but I do not
recall a discussion on the primary features that an IPS should have
out of the box.

I am thinking of:
- Flow Control - limitations on flooding, unused connections, etc...
- Robust, ACCURATE signature base
- Packet capture - no debate on how much before, as that has been covered
- Pre-deployment network analysis tools to accelerate deployment
- Anomaly detection
- Alert export compatibility with 3rd party event management solutions

It seems like discussions of this type can only serve to improve the
products on the market (or coming to the market), since we know at
least some of the vendors are monitoring this list.

Jack

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE 
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to 
learn more.
--------------------------------------------------------------------------
