IDS mailing list archives
Re: IDS\IPS that can handle one Gig
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 2 Jun 2005 21:15:52 +0530
On 01/06/05 09:11 -0700, Andrew Plato wrote:
> > Another option, and one that many organizations are beginning to favor, is to forget the current, "fashionable" notions of IPS and return to basics -- to focus more closely on vulnerability and information management. I believe that if you have a comprehensive, continuous and meaningful flow of information about the environment and an effective vulnerability remediation program, the need for IPS appliances and agents (band-aids) can be reduced dramatically.
>
> I hear this every now and then from security people, and I think this is an attitude borne out of lack of experience with IPS.

Or maybe it just happens to be the right attitude?

> I have yet to see an environment (and I am a consultant so I see hundreds per year) where there is an effective patch and vulnerability management that can keep pace with the exploits in the wild. Quite

You need to worry about exploits in the wild where you allow weak security and lots of connectivity.

> simply, it is impossible to think you can keep a large enterprise continuously patched and therefore resistant to the latest vulnerabilities.

It isn't hard. If you use proxies, and limit what traffic is allowed through the proxy, then you can often stop the exploit du jour by simply not having a proxy for it, or controlling content at the proxy. Not using IE/Outlook/Outlook Express also reduces the vulnerability surface by a very large extent.

> On average, it can take 20 to 30 days for an organization to roll out a single Microsoft Windows patch. That includes testing, troubleshooting, and deployment. In 30 days, your environment could be crawling with all sorts of filth thanks to unpatched machines.

How many of those systems need exposure to the Internet? How many of them _need_ to run Windows? IPSes are attempts to make proxies which reject only bad traffic. This is contrary to the standard security posture that only known good traffic should be allowed to pass. Makes life a lot easier if you can simply block ActiveX at the edge. That still leaves Javascript holes, but even those can be controlled with a suitable proxy. Repeat for other protocols.

> Furthermore, if you look at the timeline of when a vulnerability is "discovered", then when an exploit hits the streets - that time can be days, even hours. In that case, it's still weeks before MS or anybody releases a patch, and then even more time before you could patch all your machines. In this case, even under reasonable, well controlled situations most organizations are three to six weeks out from patching systems when an exploit is released. That is a ridiculously long period of time. A period where that environment could become infested.

A system which is not connected to the network cannot be exploited from the network.

> Furthermore, a "comprehensive, continuous and meaningful flow of information about the environment" means eyeballs. Somebody needs to be watching that meaningful flow of information. And while highly trained security engineers are an important part of a security team - they won't work 24 hours a day. People are the most important part of information security, but technology works longer hours.

That is what network monitoring/management systems are for (including IDS).

> People also make mistakes and miss things. It's insane to think a security admin or a network admin has the time or concentration to sift through mountains of data everyday. Nobody will do that job for long - or do it well. Now, with a good IPS deployment, I can load up a signature update (hopefully released BEFORE the exploit hit the streets), and now my entire network is secure from the new exploit. I go home and rest easy.
Until someone comes up with a variant of that exploit. Or the IPS gets swamped and fails open. Or the exploit hits over an encrypted tunnel. Or you get hit by a zero day. You are blocking known bad traffic, not allowing known good traffic.

Devdas Bhagat
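Added example, not part of the thread and not anyone's product code: a short Python model of the two postures argued above, the "block known bad" signature matching that the IPS side relies on versus the "allow known good" proxy policy (restricted methods, restricted content types, ActiveX/plugin content refused at the edge) that Devdas describes when he talks about blocking ActiveX at the edge and allowing only known good traffic. It runs constructed traffic through both and shows where they diverge: a trivially reformatted variant of a signatured exploit, an opaque (tunnelled) payload, and an unexpected request method all slip past the signature but are denied by the allow-list. The HttpMessage class, the signature, the placeholder CLSID, the sample messages and the policy sets are all assumptions made up for this example.

```python
"""
Added example, not from the thread or any product: contrasts the two
filtering postures argued above. A signature blocklist ("block known bad",
IPS-style) drops messages matching published patterns; an allow-list
proxy policy ("allow known good") forwards only what a rule admits.
All messages, signatures, CLSIDs and policy values below are constructed
placeholders, not real exploit traffic or a real vendor signature set.
"""
import re
from dataclasses import dataclass


@dataclass
class HttpMessage:
    """Minimal model of a proxied HTTP message (constructed for the example)."""
    kind: str               # "request" or "response"
    method: str = ""        # requests only
    content_type: str = ""  # responses only
    body: bytes = b""


# Posture 1: block known bad. One signature written for one specific
# (made-up) malicious <object> tag, the way a vendor signature targets
# the exact exploit string that was published.
IPS_SIGNATURES = [
    re.compile(rb'<object classid="clsid:00000000-1111-2222-3333-444444444444"'),
]


def ips_verdict(msg: HttpMessage) -> str:
    """Signature blocklist: drop on a match, otherwise pass everything."""
    if any(sig.search(msg.body) for sig in IPS_SIGNATURES):
        return "drop"
    return "pass"


# Posture 2: allow known good. Nothing passes unless a rule admits it.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_RESPONSE_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg"}
# Active content is refused wholesale at the edge, whatever the CLSID:
# any <object>/<embed>/<applet> element, however quoted, cased or spaced.
ACTIVE_CONTENT = re.compile(rb"<\s*(object|embed|applet)\b", re.IGNORECASE)


def proxy_verdict(msg: HttpMessage) -> str:
    """Allow-list proxy policy: deny unless every applicable rule admits."""
    if msg.kind == "request":
        return "allow" if msg.method.upper() in ALLOWED_METHODS else "deny"
    media_type = msg.content_type.split(";")[0].strip().lower()
    if media_type not in ALLOWED_RESPONSE_TYPES:
        return "deny"  # opaque or unexpected type: there is no proxy for it
    if ACTIVE_CONTENT.search(msg.body):
        return "deny"  # ActiveX/plugin content blocked at the edge
    return "allow"


def compare(msg: HttpMessage) -> tuple[str, str]:
    """Return (ips_verdict, proxy_verdict) for one message."""
    return ips_verdict(msg), proxy_verdict(msg)


# Constructed traffic samples (not captured from any real network).
SAMPLES = {
    # Ordinary page: both postures let it through.
    "benign_page": HttpMessage("response", content_type="text/html",
        body=b"<html><body><p>Hello</p></body></html>"),
    # The exact published exploit string: the signature catches it.
    "known_exploit": HttpMessage("response", content_type="text/html",
        body=b'<html><object classid="clsid:00000000-1111-2222-3333-444444444444"></object></html>'),
    # Trivial variant (upper case, single quotes, braces, extra space):
    # the literal signature misses it; the allow-list still refuses <object>.
    "variant": HttpMessage("response", content_type="text/html",
        body=b"<html><OBJECT  classid='clsid:{00000000-1111-2222-3333-444444444444}'></OBJECT></html>"),
    # Opaque payload (think encrypted tunnel): nothing for a signature to
    # match, so the IPS passes it; the proxy has no rule admitting the type.
    "opaque": HttpMessage("response", content_type="application/octet-stream",
        body=bytes(range(256))),
    # Unexpected method from a client: no rule for it, so it is denied.
    "odd_method": HttpMessage("request", method="PROPFIND"),
}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        ips, proxy = compare(msg)
        print(f"{name:14s} ips={ips:5s} proxy={proxy}")
```

The asymmetry is the point of the argument: the proxy's denials need no knowledge of the exploit, only of what the site has chosen to allow, so the variant and the opaque payload are refused before any signature exists for them. The cost is the mirror image: every new legitimate method or content type has to be added to the allow-list explicitly, which is the administrative work the IPS side is trying to avoid.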
Current thread:
- RE: IDS\IPS that can handle one Gig Andrew Plato (Jun 01)
- RE: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- Re: IDS\IPS that can handle one Gig Vikram Phatak (Jun 06)
- Re: IDS\IPS that can handle one Gig Frank Knobbe (Jun 07)
- Re: IDS\IPS that can handle one Gig Control Zed (Jun 07)
- Re: IDS\IPS that can handle one Gig Frank Knobbe (Jun 08)
- Re: IDS\IPS that can handle one Gig Terry Vernon (Jun 08)
- Re: IDS\IPS that can handle one Gig Vikram Phatak (Jun 06)
- RE: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- <Possible follow-ups>
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 01)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 05)
- Re: IDS\IPS that can handle one Gig Per Engelbrecht (Jun 01)
- RE: IDS\IPS that can handle one Gig Prashant Khandelwal (Jun 01)
- RE: IDS\IPS that can handle one Gig THolman (Jun 01)
- Re: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- RE: IDS\IPS that can handle one Gig Dave Hawkins (Jun 01)
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 04)