Hi Jeff -
This feature is certainly not unique in the IPS world, and it becomes clear
why this is the case when you examine the different roles an IPS plays
today. If you view the IPS appliance as sort of a "network sanitization"
device that is not responsible for routing/NAT/VPN (which is currently the
preferred method on the perimeter and at remote offices for most
organizations) then you don't really need an IP address on the production
interfaces. Back in the old days of IDS this was hyped up as "stealth mode"
and, in concept, it's not really that much different today. For security
reasons, you definitely want that third interface for the IP communication.
Even if you were to use a VPN for IPS management traffic, you shouldn't use
the production network because a) it will have a multiplying effect on your
network load, and b) it could act as a covert channel to inform savvy
attackers as to when your IPS is alerting.
Our IPS product line, NFR Sentivist, works the way you describe below.
Depending on the model you choose, you will have at least three interfaces
available to you. You designate one as the management interface, and then
choose the mode. There are four modes:
1. Inline Fail-severed for IPS protection that severs the connection when
the appliance loses power,
2. Inline Fail-passthrough, which uses two of the specially crafted
remaining interfaces to allow your traffic to pass through the device, even
in the event of a total failure,
3. Inline Bridge, or "training mode" for IPS notification without actual
prevention (excellent for easing the nerves of skeptical new users), and
4. Passive mode, which just uses all the non-management interfaces for
IDS.
In all four modes, all of the non-management interfaces run sans IP address.
Generally, new users will run begin in mode 3 to "train" themselves and the
IPS and then switch to either Inline Fail-severed, or Inline
Fail-passthrough, depending on their architecture and security policy.
I suspect you'll find that a lot of vendors do the IP-less thing in the IPS
world today. I hope this answers your question, at least from one vendor's
perspective.
-MAB
--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
5 Choke Cherry Road, Rockville, MD 20850
-----Original Message-----
From: Jeff McCarthy [mailto:intel1914a@yahoo.com]
Sent: Wednesday, January 05, 2005 3:17 PM
To: focus-ids@securityfocus.com
Subject: IPS with no IP address?
Hello,
I recently sat in on an IPS vendor presentation. They
stated that their IPS has 2 Ethernet interfaces,
neither of which have IP addresses yet they can manage
and monitor the device over IP. I thought this was
interesting and somewhat unique.
Are there any other vendors that do that? I know at
least one other vendor has no IP on the interfaces
listening to traffic but they have a seperate
interface with an IP for management.
Thanks,
Jeff McCarthy
USM
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
