IDS mailing list archives

RE: amount of alarms generated by IDS


From: "Runion Mark A FGA DOIM WEBMASTER(ctr)" <mark.runion () us army mil>
Date: Wed, 12 May 2004 00:27:39 -0000

Interesting ideas, but what happened to the concept of Expert System
Monitoring Platforms feeding on IDS outputs to drive actual timely updates
to firewalls?

Obviously to manage, control, and mitigate these types of attacks it is
necessary to use complete solutions in real time, not some fancy tool or
single system.  And no human operator can possibly do more than monitor such
systems at more than the deterministic level of "yes Charles H. doesn't need
his DSL today," or "okay the little slimeball can play around for a little
longer."  The attacks simply occur too fast to allow realistic response time
otherwise.

-
Mark Runion

"They used to read the 3000ppm water monitor with a magnifying glass."
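Added illustration, not code from anyone in this thread: a minimal version of the "expert system feeding on IDS outputs" idea, with the confidence gate that Jason's message argues an inline blocker lacks. Sources are handed to the firewall only when several distinct signatures corroborate them, and hosts the site cannot afford to cut off go to an analyst instead. The alert records, thresholds and protected-host list are constructed assumptions.

```python
from collections import defaultdict

# Constructed IDS alerts for the example: (source_ip, signature_id, severity 1-3)
SAMPLE_ALERTS = [
    ("203.0.113.5", 1001, 3),
    ("203.0.113.5", 1002, 3),
    ("203.0.113.5", 1001, 2),
    ("198.51.100.7", 1003, 3),   # single alert, no corroboration yet
    ("203.0.113.9", 1004, 2),
    ("203.0.113.9", 1004, 2),
    ("203.0.113.9", 1004, 2),    # one noisy signature repeating, still no block
    ("192.0.2.10", 1001, 3),
    ("192.0.2.10", 1005, 3),
    ("192.0.2.10", 1002, 3),
]

# Assumption: hosts whose loss costs more than the attack (the "Charles H.
# doesn't need his DSL today" judgement) are never auto-blocked, only reviewed.
PROTECTED_HOSTS = {"192.0.2.10"}


def score_sources(alerts):
    """Aggregate evidence per source: alert count, distinct signatures, top severity."""
    stats = defaultdict(lambda: {"count": 0, "sigs": set(), "max_sev": 0})
    for src, sig, sev in alerts:
        s = stats[src]
        s["count"] += 1
        s["sigs"].add(sig)
        s["max_sev"] = max(s["max_sev"], sev)
    return stats


def propose_actions(alerts, min_alerts=3, min_sigs=2, min_sev=3, protected=PROTECTED_HOSTS):
    """Return (auto_block, needs_review); a source must clear every threshold.

    Requiring volume, signature diversity and severity together is the
    confidence gate: one alert from one signature never drives the firewall.
    """
    block, review = [], []
    for src, s in sorted(score_sources(alerts).items()):
        confident = (s["count"] >= min_alerts and len(s["sigs"]) >= min_sigs
                     and s["max_sev"] >= min_sev)
        if confident:
            (review if src in protected else block).append(src)
    return block, review


def render_rules(block):
    """Render the candidate firewall lines (iptables syntax) for an operator to apply."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in block]


if __name__ == "__main__":
    auto, manual = propose_actions(SAMPLE_ALERTS)
    print("auto-block:", render_rules(auto))
    print("needs review:", manual)
```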


-----Original Message-----
From: Jason [mailto:security () brvenik com] 
Sent: Tuesday, May 11, 2004 2:13 PM
To: Rob Shein
Cc: 'Ravishankar Ithal'; 'Bhargav Bhikkaji'; focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS

I have to agree with Rob and I must debate the classification of inline 
IPS as simply an IDS with the ability to drop malicious looking packets.

The comparison is more appropriately made as a firewall with the ability 
to inspect traffic in the context of good or bad in addition to allowed 
or disallowed.

Many inline devices are nothing more than slimmed down proxy-based 
firewalls of days past marketed differently. The feature set is not even 
that different. They understand a set number of protocols, can do 
inspection and normalization of those protocols and allow or disallow 
based on a match within the protocol. Some of the inline devices have 
had network grep capabilities bolted on to facilitate matching of single 
packet attacks and the like. This is arguably less effective than using 
a proxy-based firewall to handle valid application interactions and 
blocking all non-valid communication.

This functionality is different than what an IDS does and is intended to 
do. An IPS cannot be critical of the traffic with an eye to security, it 
cannot be deployed in places where inline is not possible, it cannot 
monitor local segments... This lack of a critical eye is because of the 
many issues related to context and confidence of the data being passed 
and is a difficult problem to solve without complete and intimate 
understanding of all of the protocols, hosts, and networks involved. 
This results in a mildly useful number of attacks that are actually 
blocked because the risk of blocking a non attack is high. An IDS OTOH 
can inspect the traffic critically with an eye to security and not be 
concerned with killing good traffic and thus can audit what the IPS and 
firewall have to let through.

Let's flash back a few years: Code Red just hit, wiped out a lot of 
servers, many people had a firewall that was capable of preventing this 
attack but could not configure it to do so in a timely manner. This is 
the same as an IPS today; short of nuisance control and containment of 
segmented networks it has little value over the same resources applied 
to reducing overall risk. Every place you would deploy an IPS is a 
perfect place for a good firewall. $ for $, yen for yen, proactive 
security and patch management will get much more bang for the buck.

I am looking for examples of any case where an inline IPS blocked an 
attack that would not have been blocked or mitigated otherwise by a good 
firewall and patching or mitigating a known vulnerability.


Rob Shein wrote:

Simple.  An inline IDS is one that sits inline, and thus doesn't have to
listen promiscuously.  There are a few situations where you might want
this.
The reason why there are two separate terms..."inline IDS" and "IPS"...is
because they are two separate things.


-----Original Message-----
From: Ravishankar Ithal [mailto:ravi_ithal () yahoo com] 
Sent: Tuesday, May 11, 2004 1:14 PM
To: Rob Shein; 'Bhargav Bhikkaji'; focus-ids () securityfocus com
Subject: RE: amount of alarms generated by IDS



--- Rob Shein <shoten () starpower net> wrote:

I'm a bit confused here.  You're talking about inline IDS and IPS.  
Are you using the terms interchangeably?  If so, you're mistaken; 
putting an IDS inline does not make it an IPS.  And an IDS inline 
shouldn't be dropping packets.

If an IDS doesn't have the ability to drop packets, why would 
you call it "inline"? Note that sitting in the packet path or 
as an offline box doesn't make any difference in the amount 
and kind of traffic that the box can actually see, what with 
spanning on switches. I _am_ using the two terms 
interchangeably, simply because IPSs of today are nothing but 
IDSs of yesterday with an ability to drop malicious looking packets.


I could see how the signatures could be tuned differently due to the 
fact that it is able to ensure that it sees everything, and that could 
generate fewer FPs, but aside from that I doubt there would be any 
difference.  Keep in mind that an inline IDS does not (normally) do 
anything to bad traffic, while an IPS takes an active role in 
munging/blocking/denying such.
