IDS mailing list archives
RE: Can Of Worms - Attack Mitigation Systems vs. Network IPS
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 30 Jan 2004 10:20:46 +0100
Joel,

One of the most sensible and well thought out responses to this type of thread I have seen so far. Excellent explanation of where these types of products fit, and why it is so difficult and dangerous to try and pigeonhole them exactly. Instead, potential purchasers need to define their requirements and then examine products that provide the required functionality, instead of just looking at all those products that now have the "IPS" box ticked on their marketing literature.

An example of how difficult it is to categorise these things came out of our latest IPS report (www.nss.co.uk/ips), where we were asked afterwards by one person why the Top Layer device received NSS Approved status when it performed so poorly in our signature coverage tests compared to the likes of TippingPoint, NAI, ISS, etc. My reply was that it would have been very unfair to compare the Top Layer device directly against products from those other vendors and thus rate it poorly as an "IPS", since we would define it more as an "attack mitigator" - thus when you look at what the product is DESIGNED to do, it actually does it very well - hence we felt it deserved the NSS Approved.

The poor old purchaser needs to become adept at reading between the lines and seeing beyond those "vendor comparison" checklists that all vendors are so fond of creating to show their products in the best light. This market is still very immature and so there are still genuine differences in the way these devices are architected, which means that different products are more (or less) suitable for different environments and tasks. Our report attempts to explain that as much as possible but it remains a difficult task, and will do until these devices are well established, adopt a "generic" feature set that begins to look the same across all of them, and start to become commodity items.... But don't be holding your breath for that just yet... :o)

Regards,

Bob Walder
Director
The NSS Group
-----Original Message-----
From: Joel Snyder [mailto:Joel.Snyder () Opus1 COM]
Sent: 30 January 2004 04:14
To: Andy Cuff; focus-ids () securityfocus com
Subject: Re: Can Of Worms - Attack Mitigation Systems vs. Network IPS

Hmmm. Well, I just handed in a huge story to Network World, comparing 11 of these products, and I also divided them into "rate based" IPS (i.e., things which tend to not look at content very much) and "content based" IPS.

The problem with those characterizations is that there are products which do a little of both. For example, Top Layer is an outstanding rate-based IPS, but it also does content-based IPS. Tipping Point is an outstanding content-based IPS, but it also does rate-based IPS. (These are not the only examples, just two which come to mind easily.)

And BOTH types of IPS do the same protocol anomaly stuff---it is easy to detect malformed TCP packets and LAND attacks, no matter what your area of specialty. So both content-based and rate-based are also anomaly-detecting. (This is why calling content-based IPS "signature-based" IPS is very incorrect.)

I believe that, over time, the good IPS products will tend to include both technologies as they understand them better.

It is also, I believe, a severe mis-characterization to call every content-based IPS an "IDS with the IPS bit set." For example, Check Point's InterSpect IPS (a very content-oriented IPS) would never do as an IDS; it's just not in its heritage. The reason that this statement is made is that IDS companies are ideally suited to do content-based IPS, ergo there are many IPS which *are* IDS with IPS functionality added. ISS is the most obvious example which comes to mind. What will happen in the long run is IPS technology will be incorporated into all sorts of products.

I realize that there's a lot of incentive to try and pigeonhole products (Gartner specializes in that sort of destructive characterization), but it seems better to consider products against a 2-space or 3-space of features and functions and place them there: firewall-ish, or content-based IPS-ish, or rate-based IPS-ish, for example. This way we avoid putting products where they don't belong or unfairly comparing products which aren't really designed with the same goals in mind.

jms

Andy Cuff wrote:

Hi Folks,

Please pardon the above pun, but this is another of those IDS terminology issues that I'd like to thrash out to understand what the members of this list think. Intrusion Prevention Systems are certainly the current flavor of the month; Gartner's death of IDS has added to the marketing fervor for vendors to have an IPS in their stable of products. But what products fit into the category? There seems to be an ever increasing number of DOS/Attack Mitigation Systems that are labelling themselves as IPS, therefore after some offlist consultation I'd like to see what list members feel about this statement that was passed to me by a kind-hearted individual last week:

The main definition between NIPS and Mitigators would be Mitigators are designed to do one specific job - detect and mitigate against DOS/DDOS attacks and bilateral effects of worm activity. NIPS are designed to detect malicious traffic and drop the packet/stream. NIPS are not always necessarily good at mitigating DOS/DDOS attacks. Mitigators generally do not have the signature coverage to provide good NIPS functionality. NIPS are like IDS but in-line. Mitigators are like firewalls but designed to detect and prevent DOS attacks rather than enforce policy.

I have moved many of the attack mitigators from my list of IPS at http://www.securitywizardry.com/inline.htm to a new Attack Mitigation System page at http://www.securitywizardry.com/idsdosmit.htm, on which I currently have 12 products listed. Thanks for any time you can devote to this cause.

take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms () Opus1 COM http://www.opus1.com/jms Opus One
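Joel's point that rate-based and content-based IPS share the same protocol-anomaly checks (LAND, malformed TCP) while differing in what else they inspect can be shown as a small classifier. This is an added illustration, not code from the thread or from any product named in it; the packet records and the signature string are constructed placeholders.

```python
from collections import deque

# Constructed packet records for the demo (not captured traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, payload)
PACKETS = [
    (0.00, "10.0.0.5", 80, "10.0.0.5", 80, "S", b""),      # LAND: src == dst
    (0.10, "192.0.2.7", 4001, "10.0.0.9", 80, "SF", b""),  # SYN+FIN: malformed
    (0.20, "192.0.2.8", 4002, "10.0.0.9", 80, "PA", b"GET /?q=EXAMPLE-SIG HTTP/1.0"),
    (0.30, "203.0.113.4", 5000, "10.0.0.9", 80, "S", b""),  # 4 SYNs in 30 ms
    (0.31, "203.0.113.4", 5001, "10.0.0.9", 80, "S", b""),
    (0.32, "203.0.113.4", 5002, "10.0.0.9", 80, "S", b""),
    (0.33, "203.0.113.4", 5003, "10.0.0.9", 80, "S", b""),
    (0.40, "192.0.2.9", 4003, "10.0.0.9", 80, "PA", b"GET /index.html HTTP/1.0"),
]
# Hypothetical content signature: a constructed placeholder, not a real rule.
SIGNATURES = {"example-sig": b"EXAMPLE-SIG"}

def protocol_anomaly(pkt):
    """Checks both IPS styles share: LAND (source equals destination)
    and an impossible flag combination (SYN together with FIN)."""
    _, sip, sport, dip, dport, flags, _ = pkt
    if sip == dip and sport == dport:
        return "land"
    if "S" in flags and "F" in flags:
        return "syn-fin"
    return None

def content_match(pkt, signatures):
    """Content-based check: first signature whose pattern is in the payload."""
    return next((n for n, p in signatures.items() if p in pkt[6]), None)

class SynRateTracker:
    """Rate-based check: bare SYNs per source inside a sliding time window."""
    def __init__(self, threshold, window_s):
        self.threshold, self.window_s, self.seen = threshold, window_s, {}
    def exceeds(self, pkt):
        t, sip, _, _, _, flags, _ = pkt
        if "S" not in flags or "A" in flags:   # only bare SYNs count
            return False
        q = self.seen.setdefault(sip, deque())
        q.append(t)
        while t - q[0] > self.window_s:        # drop events outside the window
            q.popleft()
        return len(q) >= self.threshold

def classify(packets, signatures=SIGNATURES, syn_threshold=4, window_s=1.0):
    """One verdict per packet: protocol anomaly first, then rate, then content."""
    tracker, verdicts = SynRateTracker(syn_threshold, window_s), []
    for pkt in packets:
        anomaly, rate = protocol_anomaly(pkt), tracker.exceeds(pkt)
        sig = content_match(pkt, signatures)
        verdicts.append("anomaly:" + anomaly if anomaly else "rate:syn-flood" if rate
                        else "content:" + sig if sig else "pass")
    return verdicts
```

Run over the sample, the two anomalies fire regardless of signature coverage, the fourth SYN from one source trips the rate check, and only one packet is caught by content alone, which is the split between "mitigator" and "NIPS" strengths the thread describes.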