IDS mailing list archives
RE: need your help about IPS and IDS,thanks
From: Omar Herrera <oherrera () prodigy net mx>
Date: Mon, 22 Nov 2004 21:41:45 -0600
Your point is good; with an IPS you enforce that both IPS and destination host see the same thing, while an IDS has to make a correct guess. There are many things that an IDS needs to take into account here: network distance, O.S. brand, O.S. version and even application brand/version in some cases too, but there are other advantages with IDS that have been discussed previously in this forum (I will just summarize some):

* They are much harder to identify on the network (especially if they are completely passive); IPS, just like firewalls, are relatively easy to locate.

* They might be more useful for correlation in some cases: you might want to keep track of failed access attempts, for example, whether it is an attacker or a legitimate user. With an IPS you might think twice before activating a huge amount of these "activity tracking" signatures, because performance can be an issue since those devices are inline.

* With a passive IDS you can take the risk of activating an experimental signature anytime without risk to performance, whereas with an IPS you might hit performance at some point (rare, but it happens nevertheless).

* Attack spoofing by a knowledgeable attacker could make your IPS DoS your network more easily under some circumstances. This is a weird property of combining both positive logic (firewall) and negative logic (IDS capabilities) security controls in a single active device.

I believe that even with this little drawback of traffic interpretation, passive IDS are more useful for incident response teams because you have less risk of performance impact and more flexibility to make fast changes. But definitely, if you want preventive measures, IPS/active IDS are more useful. I still just can't fully accept that both firewall and IDS capabilities end up in the same active box (the last point above is one of the reasons), but on the other hand, we just can't have people looking at consoles 24x7 and expect them to react timely to every legitimate attack they see :-).
I'm moving faster towards workstation/server local security anyway, to compensate for deficiencies in both IPS/active IDS and passive IDS. Although costly and time consuming, a good local, positive logic security control such as a security shell in a workstation or server is much more effective than a network firewall/IPS/IDS alone (you usually have 1 or 2 firewalls/IPS/IDS for a great variety of servers and workstations, which means that the individual security needs of each type of system are not necessarily satisfied). The implementation of security shell capabilities in personal firewalls is no coincidence (we have been demanding such protection for a long time). They don't need to assume (they are in the system that requires protection), and the positive logic capabilities, like filtering execution of non-certified executables/processes/servers, are really useful.

Both IPS and IDS use negative logic, which means they require updates, which means they share common problems with similar controls like antivirus programs. We are well aware of the problem with delays in signature updates, and even the best support teams of IPS/IDS products are no match for the fastest viruses/worms of our days in terms of speed.

Conclusion: although better than an IDS in attack prevention terms, the protection provided by an IPS is more and more limited with the new, near-0day and faster automated threats that show up on the Internet these days. So, no magic bullet in any of them anyway (as if we didn't know already :-) ).

Best regards,
Omar Herrera
-----Original Message-----
From: Stuart Staniford [mailto:stuart () nevisnetworks com]

Lily, I think of IPS as IDS with the ability to take action. Both IPS and IDS have techniques for detecting malicious activity and most commercial products use a combination:

I agree with everything Chris said. There's just one point on the IPS/IDS difference that I'd like to highlight because it often seems to get missed in this particular recurring debate. That's the issue of evasion resistance. An inline IPS has a much broader range of options open to it because it can actually normalize the traffic. E.g., if there are weird overlapping retransmissions, the IPS can pick one and only allow that through. By contrast, an IDS that is not inline is forced to somehow deduce (or guess) which one might have made it to the end-host and actually been accepted (which tends to mean it needs a lot of information about the end-hosts to really do a good job).
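The overlapping-retransmission point Stuart raises, and Omar's remark that a passive IDS must model the destination host's O.S. and stack, can be made concrete with a small simulation. The code below is an added example written for this archive page, not code from either author or from any IDS/IPS product. It assumes two simplified TCP reassembly policies ("first" keeps the first data seen for a byte offset, "last" lets a later segment overwrite it; real stacks have more variants) and a constructed two-segment stream. A passive IDS that does not know the host's policy gets two different reconstructions and two different verdicts for the same wire traffic; an inline normalizer that forwards only bytes it has not already seen removes the ambiguity, so every host policy yields the same stream and the same verdict.

```python
"""Passive IDS vs. inline normalizer under overlapping TCP retransmissions.

Added illustrative example; the two reassembly policies and the sample
segments are constructed for this demonstration, not taken from any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


POLICIES = ("first", "last")  # assumed simplified host reassembly policies


def reassemble(segments, policy):
    """Rebuild the byte stream the way a host with the given policy would.

    'first': the first data seen for an offset wins (later overlaps ignored).
    'last' : a later segment overwrites earlier data at the same offset.
    Raises ValueError if the stream has holes (a real stack would keep waiting).
    """
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    if set(buf) != set(range(end)):
        raise ValueError("stream has holes; cannot reassemble yet")
    return bytes(buf[off] for off in range(end))


def normalize(segments):
    """Inline normalizer: forward only bytes not already seen.

    Overlapping bytes are trimmed (or whole segments dropped), so whatever
    the downstream host's policy is, it can only ever see one version of
    each byte offset. Returns (forwarded_segments, dropped_byte_count).
    """
    covered = set()
    forwarded = []
    dropped = 0
    for seg in segments:
        new = [seg.seq + i for i in range(len(seg.data)) if seg.seq + i not in covered]
        dropped += len(seg.data) - len(new)
        run = []  # split new offsets into contiguous runs, one segment per run
        for off in new:
            if run and off != run[-1] + 1:
                forwarded.append(Segment(run[0], bytes(seg.data[o - seg.seq] for o in run)))
                run = []
            run.append(off)
        if run:
            forwarded.append(Segment(run[0], bytes(seg.data[o - seg.seq] for o in run)))
        covered.update(new)
    return forwarded, dropped


def ids_verdicts(segments, pattern):
    """Passive IDS: one verdict per plausible host policy (the 'guess' problem)."""
    return {p: pattern in reassemble(segments, p) for p in POLICIES}


def ips_verdict(segments, pattern):
    """Inline IPS: normalize first; all policies then agree on the stream."""
    forwarded, _ = normalize(segments)
    streams = {reassemble(forwarded, p) for p in POLICIES}
    if len(streams) != 1:
        raise AssertionError("normalization should leave exactly one possible stream")
    return pattern in streams.pop()


# Constructed sample: a retransmission of bytes 5..9 carrying different content.
SAMPLE = [
    Segment(0, b"GET /admin HTTP/1.0\r\n"),
    Segment(5, b"index"),
]

if __name__ == "__main__":
    print("IDS verdicts by assumed host policy:", ids_verdicts(SAMPLE, b"/admin"))
    fwd, dropped = normalize(SAMPLE)
    print("normalizer forwarded", len(fwd), "segment(s), dropped", dropped, "byte(s)")
    print("IPS verdict after normalization:", ips_verdict(SAMPLE, b"/admin"))
```

The passive sensor's answer depends entirely on which policy it assumes for the destination, which is exactly why it needs per-host stack knowledge (and why that knowledge goes stale as hosts change). The normalizer needs no such knowledge: it decides once which bytes are "real", and the host can only see those. The price is that the normalizer is inline and must make that decision at line rate, which is the performance trade-off Omar describes.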