
| Subject: | Re: Wishlist for IPS Products |
|---|---|
| Date: | Mon, 13 Sep 2004 06:29:10 -0400 |
Appreciate the response, but I wanted to make it clear that I am not advocating any of the suggestions listed, just providing a starting point for the conversation. What I listed is a brief list of what current vendors are providing.

I agree with you on the accurate detection base and current vendors, but still feel this should be a requirement. 1200 signatures on an IPS, of which you can enable only 200 confidently to block = 200 IPS signatures and 1000 IDS signatures. I would rather discuss vulnerabilities/exploits covered by the signatures, and if you can cover 10 vulnerabilities with a single signature that does not false positive, then you are on to something.

Anomaly detection (e.g. new worm detection, detection of new buffer overflows, etc...) should be a part of the product. This should not replace a signature base, but be in addition to signature and ACL parsing.

Tools are helpful, but typically are not a part of the IPS being shipped. I do believe good baselining tools should be included to do advanced network analysis/discovery.

Thanks
Jack

On Sun, 12 Sep 2004 00:29:51 -0400, David Maynor <dmaynor@gmail.com> wrote:
> Yeah....I am gonna go ahead and disagree with you on some of these.
>
> > I have seen a lot of discussion about the differences between IDS, IPS,
> > and firewalls and the potential for convergence, but I do not recall a
> > discussion on the primary features that an IPS should have out of the
> > box. I am thinking of:
> > - Flow Control - limitations on flooding, unused connections, etc...
>
> Most of this should be handled by the signature base.
>
> > - Robust, ACCURATE signature base
>
> Only way to do this and not create tons of false positives is true
> protocol parsing. This knocks out most IPS vendors like Tipping Point.
>
> > - Packet capture - no debate on how much before, as that has been covered
> > - Pre-deployment network analysis tools to accelerate deployment
> > - Anomaly detection
>
> Why? I have yet to see a system that is more than a parlor trick.
> Anomaly based systems are even easier to evade than sig based systems
> that don't do protocol parsing.
>
> What I would add is better tools for testing. Almost nobody grabs a copy
> of Canvas from Immunity or Impact from Core and actually checks what
> attacks are caught. Furthermore, even fewer use modded copies of public
> exploits to see if the claims made by vendors are actually true. How many
> vendors' IPS implementations would actually catch a MS03-026 exploit if
> you frag at the RPC layer at a size like 8 bytes?
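The RPC-layer fragmentation test David describes, as an added example that is not part of the original thread and not anyone's product code: a short Python script that wraps a request stub in DCE/RPC request PDUs, splits the stub across fragments of a chosen size (8 bytes, as in the post), and then compares a matcher that looks at each fragment on its own with one that reassembles the fragments by call_id before matching. The header layout follows the published DCE 1.1 RPC common header (C706 / MS-RPCE). The stub bytes, the SIGNATURE placeholder, and the opnum and call_id values are constructed for the demo; this is deliberately not the MS03-026 exploit, and the matcher is a toy, not a reproduction of any vendor's engine.

```python
"""
Added example (not from the original thread): why an IPS that matches a
signature against individual DCE/RPC fragments misses a pattern that is
split across fragments, while an engine that parses the protocol and
reassembles the request by call_id still finds it.

DCE 1.1 RPC common header (16 bytes, little-endian drep):
  ver(1) ver_minor(1) ptype(1) pfc_flags(1) drep(4) frag_len(2) auth_len(2) call_id(4)
Request header (8 bytes): alloc_hint(4) context_id(2) opnum(2), then stub data.

The stub, the SIGNATURE bytes, opnum 4 and call_id 7 below are constructed
placeholders, NOT the MS03-026 exploit mentioned in the thread.
"""
import struct

PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
COMMON_HDR = "<BBBB4sHHI"   # ver, minor, ptype, flags, drep, frag_len, auth_len, call_id
REQUEST_HDR = "<IHH"        # alloc_hint, context_id, opnum
COMMON_HDR_LEN = struct.calcsize(COMMON_HDR)   # 16
REQUEST_HDR_LEN = struct.calcsize(REQUEST_HDR) # 8


def fragment_request(stub, call_id, opnum, frag_size, context_id=0):
    """Split `stub` into request PDUs carrying at most `frag_size` stub bytes each.

    FIRST_FRAG is set on the first PDU, LAST_FRAG on the last; a single
    fragment carries both. Every PDU repeats the same call_id.
    """
    if frag_size <= 0:
        raise ValueError("frag_size must be positive")
    chunks = [stub[i:i + frag_size] for i in range(0, len(stub), frag_size)] or [b""]
    pdus = []
    for idx, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if idx == 0 else 0) | (PFC_LAST_FRAG if idx == len(chunks) - 1 else 0)
        frag_len = COMMON_HDR_LEN + REQUEST_HDR_LEN + len(chunk)
        common = struct.pack(COMMON_HDR, 5, 0, PTYPE_REQUEST, flags, b"\x10\x00\x00\x00", frag_len, 0, call_id)
        request = struct.pack(REQUEST_HDR, len(stub), context_id, opnum)
        pdus.append(common + request + chunk)
    return pdus


def parse_pdu(pdu):
    """Minimal request-PDU parser; rejects anything that is not a well-formed v5 request."""
    ver, _minor, ptype, flags, _drep, frag_len, _auth_len, call_id = struct.unpack(COMMON_HDR, pdu[:COMMON_HDR_LEN])
    if ver != 5 or frag_len != len(pdu) or ptype != PTYPE_REQUEST:
        raise ValueError("malformed or non-request PDU")
    _alloc_hint, context_id, opnum = struct.unpack(REQUEST_HDR, pdu[COMMON_HDR_LEN:COMMON_HDR_LEN + REQUEST_HDR_LEN])
    return {"flags": flags, "call_id": call_id, "context_id": context_id, "opnum": opnum,
            "stub": pdu[COMMON_HDR_LEN + REQUEST_HDR_LEN:]}


def naive_detect(pdus, signature):
    """What a fragment-at-a-time matcher sees: each PDU's stub checked in isolation."""
    return any(signature in parse_pdu(p)["stub"] for p in pdus)


class RpcReassembler:
    """Buffers request stubs per call_id until LAST_FRAG, then yields (opnum, full_stub)."""

    def __init__(self):
        self.pending = {}

    def feed(self, pdu):
        p = parse_pdu(pdu)
        key = p["call_id"]
        if p["flags"] & PFC_FIRST_FRAG:
            self.pending[key] = {"opnum": p["opnum"], "stub": bytearray()}
        buf = self.pending.get(key)
        if buf is None:
            return None  # continuation with no FIRST_FRAG seen: drop it
        buf["stub"] += p["stub"]
        if p["flags"] & PFC_LAST_FRAG:
            del self.pending[key]
            return buf["opnum"], bytes(buf["stub"])
        return None


def reassembling_detect(pdus, signature, opnum=None):
    """Protocol-aware matcher: match only on the reassembled stub, optionally gated on opnum."""
    r = RpcReassembler()
    for pdu in pdus:
        done = r.feed(pdu)
        if done and (opnum is None or done[0] == opnum) and signature in done[1]:
            return True
    return False


SIGNATURE = b"SIGNATURE-PATTERN"                 # constructed placeholder pattern (17 bytes)
STUB = b"A" * 20 + SIGNATURE + b"B" * 13         # constructed 50-byte request stub


def demo(frag_size):
    """Fragment the constructed stub and report what each matcher sees."""
    pdus = fragment_request(STUB, call_id=7, opnum=4, frag_size=frag_size)
    return {"fragments": len(pdus),
            "naive": naive_detect(pdus, SIGNATURE),
            "reassembled": reassembling_detect(pdus, SIGNATURE, opnum=4)}


if __name__ == "__main__":
    for size in (4096, 8):
        print(f"frag_size={size}: {demo(size)}")
```

With a 4096-byte fragment the whole stub travels in one PDU and both matchers fire; at 8 bytes the stub becomes seven PDUs, no single fragment contains the 17-byte pattern, and only the reassembling matcher fires. A real engine has to do the same thing one layer down as well (TCP stream reassembly, and SMB/named-pipe unwrapping when the RPC traffic rides over 445/139) before it ever sees these PDUs; this example starts at the RPC layer only.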