Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS\IPS that can handle one Gig

from [Devdas Bhagat] Network Security [Permanent Link]
Subject: Re: IDS\IPS that can handle one Gig
Date: Thu, 2 Jun 2005 21:15:52 +0530 
On 01/06/05 09:11 -0700, Andrew Plato wrote:

 

Another option, and one that many organizations are beginning to

favor, 

is to forget the current, "fashionable" notions of IPS and return 
to basics -- to focus more closely on vunerability and information 
management.  I believe that if you have a comprehensive, continuous 
and meaningful flow of information about the environment and an 
effective vulnerability remediation program, the need for IPS 
appliances and agents (band-aids) can be reduced dramatically.  


I hear this every now and then from security people, and I think this is
an attitude borne out of lack of experience with IPS. 


Or maybe it just happens to be the right attitude?


I have yet to see an environment (and I am a consultant so I see
hundreds per year) where there is an effective patch and vulnerability
management that can keep pace with the exploits in the wild. Quite


You need to worry about exploits in the wild where you allow weak
security and lots of connectivity.


simply, it is impossible to think you can keep a large enterprise
continuously patched and therefore resistant to the latest
vulnerabilities. 


It isn't hard. If you use proxies, and limit what traffic is allowed
through the proxy, then you can often stop the exploit du jour by simply
not having a proxy for it, or controlling content at the proxy. Not using 
IE/Outlook/Outlook Express also reduces the vulnerability surface by a 
very large extent.



On average, it can take 20 to 30 days for an organization to roll out a
single Microsoft Windows patch. That includes testing, troubleshooting,
and deployment. In 30 days, your environment could be crawling with all
sorts of filth thanks to unpatched machines.


How many of those sytems need exposure to the Internet? How many of them
_need_ to run Windows? 

IPSes are attempts to make proxies which reject only bad traffic. this
is contrary to the standard security posture that only known good
traffic should be allowed to pass. Makes life a lot easier if you can
simply block ActiveX at the edge. That still leaves Javascript holes,
but even those can be controlled with a suitable proxy.
Repeat for other protocols.


Furthermore, if you look at the timeline of when an vulnerability is
"discovered", then when an exploit hits the streets - that time can be
days, even hours. In that case, its still weeks before MS or anybody
releases a patch, and then even more time before you could patch all
your machines. In this case, even under reasonable, well controlled
situation most organizations are three to six weeks out from patching
systems when an exploit is released. That is a ridiculously long period
of time. A period where that environment could become infested. 


A system which is not connected to the network cannot be exploited from
the network.
 

Furthermore, a "comprehensive, continuous and meaningful flow of
information about the environment" means eyeballs. Somebody needs to be
watching that meaningful flow of information. And while highly trained
security engineers are an important part of a security team - they won't
work 24 hours day. People are the most important part of information
security, but technology works longer hours. 


That is what network monitoring/management systems are for (including
IDS).


People also make mistakes and miss things. Its insane to think a
security admin or a network admin has the time or concentration to sift
through mountains of data everyday. Nobody will do that job for long -
or do it well.  

Now, with a good IPS deployment, I can load up a signature update
(hopefully released BEFORE the exploit hit the streets), and now my
entire network is secure from the new exploit. I go home and rest easy.


Until someone comes up with a variant of that exploit. Or the IPS gets
swamped and fails open. Or the exploit hits over an encrypted tunnel.
Or you get hit by a zero day. You are blocking known bad traffic, not
allowing known good traffic.

Devdas Bhagat

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Value of IDS, ROI, Justin . Ross
Next by Date:  Re: IDS\IPS that can handle one Gig, Bob Walder
Previous by Thread:  Re: IDS\IPS that can handle one Gig, Terry Vernon
Next by Thread:  RE: IDS\IPS that can handle one Gig, Palmer, Paul (ISSAtlanta)
Indexes:  [Date] [Thread] [Top] [All Lists]