Re: Wishlist for IPS Products

[PS R <secureyourself () gmail com>]

Appreciate the response, but I wanted to make it clear that I am not
advocating any of the suggestions listed, just providing a starting
point for the conversation.  What I listed is a brief list of what
current vendors are providing.

I agree with you on the acurate detection base and current vendors,
but still feel this should be a requirement.  1200 signatures on an
IPS, of which you can enable only 200 confidently to block = 200 IPS
signatures and 1000 IDS signatures.  I would rather discussed
vulnerabilities/exploits covered by the signatures and if you can
cover 10 vulnerabilities with a single signature that does not false
positive, then you are on to something.

Anomaly detection (e.g. new worm detection, detection of new buffer
overflows, etc...) should be a part of the product.   This should not
replace a signature base, but be in addition to signature and ACL
parsing.

Tools are helpful, but typically are not a part of the IPS being
shipped.  I do believe good baselining tools should be included to do
advanced network analysis/discovery.

Thanks

Jack

On Sun, 12 Sep 2004 00:29:51 -0400, David Maynor <dmaynor () gmail com> wrote:
> Yeah....I am gonna go ahead and disagree with you on some of these.
>
> > I have seen a lot of discussion about the differences between IDS,
> > IPS, and firewalls and the potential for convergence, but I do not
> > recall a discussion on the primary features that an IPS should have
> > out of the box.
> >
> > I am thinking of:
> > - Flow Control - limitations on flooding, unused connections, etc...
>
> Most of this should be handled by the signature base.
>
> > - Robust, ACURATE signature base
>
> Only way to do this and not create tons of false postives is true
> protocol parsing. This knocks out most IPS vendors like Tipping Point.
>
> > - Packet capture - no debate on how much before, as that has been covered
> > - Pre-deployment network analysis tools to accelerate deployment
> > - Anomaly detection
>
> Why? I have yet to see a system that is more than a parlor trick.
> Anomaly based system are even easier to evade than sig based systems
> that don't do protocol parsing.
>
> What I would add is better tools for testing. Almost nobody grabs a
> copy of Canvas from Immunity or Impact from Core and actually checks
> what attacks are caught. Further more an even fewer number use modded
> copies of public exploits to see if the claims made by vendors are
> actually true. How many vendor's IPS implementation would actual catch
> a MS03-026 exploit if you frag at the RPC layer at a size like 8
> bytes?

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------