And how would you propose to block something you can't detect?
IPS actions are always on patterns of data, either packet level, or
based on anomalous behavior (statistical, historical, protocol...).
To argue otherwise is incomprehensible.
Arguments that you should define only acceptable behaviors allowed are
also nonsensical.
Unless you create a protocol based proxy with a VERY limited set of
actions allowed, and for only specific Operating systems and
applications, it would be impossible to define all the possible packets
and sequences.
This is the English language equivalent of defining all known words, and
allowed combinations of words in any length from a single word to the
compressed library of congress and only allowing those patterns you have
chosen to allow through. The allowed set would be irrationally large,
and impossible to code in a cost effective, throughput efficient manner.
Creative and ill-intended people are continuously finding new
combinations that operating systems and applications respond improperly
to.
RDP is an allowed protocol to Windows. A Null Session is perfectly
legitimate to Windows operating system. CAT /ETC/PASSWD is a perfectly
valid Unix command.
But I certainly would not allow any of these through my security device.
-----Original Message-----
From: Nathan Davidson [mailto:ndavidso@globix.com]
Sent: Tuesday, July 26, 2005 4:13 AM
To: Swift, David; Frank Knobbe
Cc: focus-ids@securityfocus.com
Subject: RE: IDS alerts / second - Correlation - Virtualization
David Swift said:
"By nature, any IPS has to do IDS first.
You have to detect before you can block.
Therefore the number of IDS events will dramatically exceed the number
of IPS events. IPS will always be a subset of IDS."
David, I am sorry to be terse with you, but I have never heard such a
non-cohesive argument.
If you take a proper IPS, and by that I don't mean an IDS that has been
re-jigged into an IPS for marketure purposes; it should perform
SYN-cookies or SYN-proxying, followed by Layer 2 checks, followed by a
firewall policy, followed by rate limiting and Layer 4 checks before it
bothers to do anything at Layer 7.
As we all know Layer 7 is computationally expensive so a well designed
IPS will always reduce the amount of traffic at Layer 2-4 prior to
applying IDS signatures.
"Also, please note than many vendors (iPolicy included), are using
correlation tools to tune the system to the deployed network.
...
Then the data is fed back into the IPS engine and Firewall to
intelligently turn on signatures to block events that the protected
network is vulnerable to, firewall unwanted ports, and ideally to turn
off alerting for events the protected network is not vulnerable to."
This is IMHO very risky, you are presuming that your scanner has picked
up all the apps/vulnerabilities that exist in your network and knows
their relationship to any assigned policy items. Why not just block all
access known to be malicious or pointless? That would be an in-line
blocking IPS (or if you like, a firewall that has such features).
-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us]
Sent: Friday, July 22, 2005 4:39 PM
To: Nathan Davidson
Cc: focus-ids@securityfocus.com
Subject: RE: IDS evaluations procedures
On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
> To make things easier to compare let us say that the IPS and IDS have
> the SAME signatures/policy and they both identify all of the malicious
> traffic:
>
> The IPS will create 10 alerts/sec
> The IDS will create 100 alerts/sec
Uhm... then the IDS is not configured properly.
IPSes seem to filter proactively, that means based on assumptions. It
assumes that your server is vulnerable against xyz and blocks it. But
the server doesn't have to be vulnerable.
You can deploy an IDS as an ADS, that is, Attack Detection System. As
such it would alert on every xyz packet that look suspicious and which
the IDS thinks may cause harm to your server.
But you can also deploy an IDS as an ...well... Intrusion Detection
System. Configured like that, it doesn't make assumptions and doesn't
care if it sees xyz hitting the server. It cares what the server
responds with to xyz. If it detects an abnormal response, or outright
hostile traffic (i.e. signature of a botnet c&c channel join), then it
issues an alert, and only then.
Given that, the math is as follows:
ADS: 100 alerts /sec
IPS: 10 alerts /sec
IDS: 1 alert /incident
I think the IDS has a much higher security ROI (oops, I said the evil
word) than an IPS.
The IPS is a broad-sword. The IDS, properly deploy and managed, is a
sensitive detector, not a noisy alarm bell. It doesn't alert on every
thrust of a sword, it only alerts when you bleed.
Regards,
Frank
PS: I sometimes wonder if the I-have-more-alerts-than-you-stick-waving
in the IDS market contributed to the misuse of IDS systems....
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
