Agreed on all the above points. Without going too far off topic, this
leads me to another area that has been troubling me. One of the key
aims of security vendors over the last few years has been minimising
the importance of security experts (i.e. experienced human beings) in
the process of attack mitigation, remediation and defence.
I think this has a lot to do with the complexity of selling services
and would be interested in hearing from people out there who have had
success in the managed IDS space.
One of the reasons that the reputation of IDS suffered (and maybe why
S&M (sales & marketing) had to pep things up with the P) is because
IDS was delivered to enterprises as a box-drop with no real bedding-in
and tuning and have therefore generated too many false
positives/negatives & noise. So what has happened is that the less
consultative companies out there have minimised the perceived value of
what Richard accurately describes as "an important part of the
security arsenal."
We have been offering expert network intelligence services (similar to
managed NIDS services, but not restricted to security) for about 9
months now and are constantly having to convince people that being
able to speak to an expert is infinitely better than trusting a
machine. My point is that S&M are doing their best to minimise
perception of the value of the talented and dedicated people who
continue to improve detection and mitigation capabilities.
It makes me wonder when I see so many IDS systems out there that have
cost a lot of money mindlessly shooting alerts off to an email account
that nobody ever reads. Or just as bad, shooting them off to a
log/event outsourcer whose tech staff have never even met the client
so have no idea of their policies, environment or concerns.
I suggest we drop IPS from the nomenclature. And let's encourage the
consultative approach...
On 7/21/05, Richard Bejtlich <taosecurity@gmail.com> wrote:
On 7/20/05, Nick Black <dank@qemfd.net> wrote:
Richard Bejtlich rigorously showed:
In fact, you could argue the IPS is a step backward from a stateful
layer 3/4 firewall in that the IPS inverts a proven security model.
Good security (implemented on most firewalls) says "allow what policy
says is authorized, deny all else." The IPS model says "deny what
policy says is malicious, allow all else." Marty pointed this out a
while ago and it has stayed with me.
This statement seems quite too general -- who is to define the "IPS
model" as it is implemented in a wide swath of appliances? I can speak
with some authority regarding our hybridized approach here at Reflex,
and suggested deployment procedure: the very first activity performed on
a new install is the same determination of necessary network traffic one
would codify when preparing a link/network/transport-layer firewall.
Signature and anomaly-based detection follows this basic {protocol X
addressing}-based blacklisting (although it can also be applied to data
already rejected, should a customer wish to spend resources examining
such).
Your issue seems to be more properly with those who configure IPS
devices, and perhaps those who write misleading documentation and
marketing info, than with the "IPS model".
Hi Nick and list,
If someone configures their layer 3/4 firewall to block, say, ports
111 TCP and 445 TCP, and let everything else pass, we would agree that
is a poor deployment model. People still do this, unfortunately.
If someone configures their layer 7 firewall (aka IPS) to block
traffic identified by signature, anomaly, vulnerability, whatever, and
let everything else pass, now we're discussing the way almost everyone
deploys IPSs.
I have not heard anyone defining and passing "authorized" traffic and
denying everything else via IPS. In fact, a hot hardware item these
days are inline bypass switches to avoid inline IPSs that fail.
"Better to keep the traffic flowing than fail closed!" is the
rationale.
I detest the term IPS, as it is a pure marketing term. It was created
by companies that needed to define a new access control product niche
to compete against the firewall giants of the early 2000s. (All
defensive measures are trying to prevent intrusions.)
However, I am not disrespecting the technology. Anything which can
make smarter access control decisions is extremely helpful and an
important part of the security arsenal.
Sincerely,
Richard
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
