David Swift said:
"By nature, any IPS has to do IDS first.
You have to detect before you can block.
Therefore the number of IDS events will dramatically exceed the number
of IPS events. IPS will always be a subset of IDS."
David, I am sorry to be terse with you, but I have never heard such a
non-cohesive argument.
If you take a proper IPS, and by that I don't mean an IDS that has been
re-jigged into an IPS for marketure purposes; it should perform
SYN-cookies or SYN-proxying, followed by Layer 2 checks, followed by a
firewall policy, followed by rate limiting and Layer 4 checks before it
bothers to do anything at Layer 7.
As we all know Layer 7 is computationally expensive so a well designed
IPS will always reduce the amount of traffic at Layer 2-4 prior to
applying IDS signatures.
"Also, please note than many vendors (iPolicy included), are using
correlation tools to tune the system to the deployed network.
...
Then the data is fed back into the IPS engine and Firewall to
intelligently turn on signatures to block events that the protected
network is vulnerable to, firewall unwanted ports, and ideally to turn
off alerting for events the protected network is not vulnerable to."
This is IMHO very risky, you are presuming that your scanner has picked
up all the apps/vulnerabilities that exist in your network and knows
their relationship to any assigned policy items. Why not just block all
access known to be malicious or pointless? That would be an in-line
blocking IPS (or if you like, a firewall that has such features).
-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us]
Sent: Friday, July 22, 2005 4:39 PM
To: Nathan Davidson
Cc: focus-ids@securityfocus.com
Subject: RE: IDS evaluations procedures
On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
To make things easier to compare let us say that the IPS and IDS have
the SAME signatures/policy and they both identify all of the malicious
traffic:
The IPS will create 10 alerts/sec
The IDS will create 100 alerts/sec
Uhm... then the IDS is not configured properly.
IPSes seem to filter proactively, that means based on assumptions. It
assumes that your server is vulnerable against xyz and blocks it. But
the server doesn't have to be vulnerable.
You can deploy an IDS as an ADS, that is, Attack Detection System. As
such it would alert on every xyz packet that look suspicious and which
the IDS thinks may cause harm to your server.
But you can also deploy an IDS as an ...well... Intrusion Detection
System. Configured like that, it doesn't make assumptions and doesn't
care if it sees xyz hitting the server. It cares what the server
responds with to xyz. If it detects an abnormal response, or outright
hostile traffic (i.e. signature of a botnet c&c channel join), then it
issues an alert, and only then.
Given that, the math is as follows:
ADS: 100 alerts /sec
IPS: 10 alerts /sec
IDS: 1 alert /incident
I think the IDS has a much higher security ROI (oops, I said the evil
word) than an IPS.
The IPS is a broad-sword. The IDS, properly deploy and managed, is a
sensitive detector, not a noisy alarm bell. It doesn't alert on every
thrust of a sword, it only alerts when you bleed.
Regards,
Frank
PS: I sometimes wonder if the I-have-more-alerts-than-you-stick-waving
in the IDS market contributed to the misuse of IDS systems....
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
